Original Message:
Sent: 05-15-2024 10:32
From: Sheetanshu
Subject: Block rogue DHCP on Spine and Leaf
Ok, what if we apply an inbound filter on the trunk port to a) allow DHCP traffic (UDP port 67) only from the legit source(s); b) discard DHCP traffic from any other source; c) allow anything else. An example is shown below, assuming ge-0/0/0 is the trunk port and 10.10.100.10 is the legit DHCP server.
set firewall family ethernet-switching filter allow-dhcp term legit from destination-port 67
set firewall family ethernet-switching filter allow-dhcp term legit from ip-source-address 10.10.100.10/32
set firewall family ethernet-switching filter allow-dhcp term legit from ip-protocol udp
set firewall family ethernet-switching filter allow-dhcp term legit then accept
set firewall family ethernet-switching filter allow-dhcp term legit then count legit
set firewall family ethernet-switching filter allow-dhcp term rogue from ip-protocol udp
set firewall family ethernet-switching filter allow-dhcp term rogue from destination-port 67
set firewall family ethernet-switching filter allow-dhcp term rogue then discard
set firewall family ethernet-switching filter allow-dhcp term rogue then count rogue
set firewall family ethernet-switching filter allow-dhcp term last then accept
set firewall family ethernet-switching filter allow-dhcp term last then count last
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input allow-dhcp
------------------------------
Sheetanshu Shekhar
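Added example (editor's, not code posted in the thread): a variant of the port-based filter above that matches on the server side of the exchange. DHCP OFFER/ACK/NAK messages leave a server with UDP source port 67 and destination port 68, while client DISCOVER/REQUEST messages travel 68 to 67, so a filter keyed on source-port 67 discards offers from any unlisted server and leaves client traffic untouched. The filter name dhcp-guard, the trunk ge-0/0/0, the server address 10.10.100.10 and the server MAC 00:11:22:33:44:55 are all assumptions; the MAC match is optional and only narrows the accept term so that a rogue VM which also spoofs the server's IP is still dropped.

```junos
# Added example, not from the original post. Assumed names: filter dhcp-guard,
# trunk ge-0/0/0, legitimate server 10.10.100.10 with MAC 00:11:22:33:44:55.
# Server->client DHCP is UDP src 67 / dst 68, so match source-port 67.

# Term 1: accept DHCP server replies only from the known server (IP and MAC).
set firewall family ethernet-switching filter dhcp-guard term legit-server from ip-protocol udp
set firewall family ethernet-switching filter dhcp-guard term legit-server from source-port 67
set firewall family ethernet-switching filter dhcp-guard term legit-server from ip-source-address 10.10.100.10/32
set firewall family ethernet-switching filter dhcp-guard term legit-server from source-mac-address 00:11:22:33:44:55/48
set firewall family ethernet-switching filter dhcp-guard term legit-server then accept
set firewall family ethernet-switching filter dhcp-guard term legit-server then count legit-server

# Term 2: any other host answering as a DHCP server is a rogue; drop and count it.
set firewall family ethernet-switching filter dhcp-guard term rogue-server from ip-protocol udp
set firewall family ethernet-switching filter dhcp-guard term rogue-server from source-port 67
set firewall family ethernet-switching filter dhcp-guard term rogue-server then discard
set firewall family ethernet-switching filter dhcp-guard term rogue-server then count rogue-server

# Term 3: everything else, including client DISCOVER/REQUEST (src 68, dst 67), passes.
set firewall family ethernet-switching filter dhcp-guard term last then accept
set firewall family ethernet-switching filter dhcp-guard term last then count last

# Apply inbound on every trunk that faces a hypervisor, not only the one with the
# legitimate server: the filter can only see rogue offers where they enter the leaf.
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input dhcp-guard
```

After committing, `show firewall filter dhcp-guard` shows the three counters; a non-zero rogue-server count identifies a port that still has a VM answering DHCP, and comparing legit-server against the client side of the exchange confirms the legitimate server is still being reached. Note that this filter only covers plain IPv4 DHCP; DHCPv6 (UDP 546/547) would need its own terms.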
Original Message:
Sent: 05-15-2024 08:37
From: Gerry Fiaher
Subject: Block rogue DHCP on Spine and Leaf
Right, I was looking at this solution at one point but the issue is that the legit server and potential rogues are using the same trunk.
I don't have the power to isolate the legit VM on a dedicated server / link
------------------------------
Gerry Fiaher
Original Message:
Sent: 05-14-2024 23:02
From: Sheetanshu
Subject: Block rogue DHCP on Spine and Leaf
Hi,
DHCP security can be configured to define trusted and untrusted port connections for DHCP servers.
Please see this for more details - https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/port-security-trusted-dhcp-server.html
By default, all trunk ports are trusted and access ports are untrusted. But this behaviour can be overridden. Only the specific ports to which legitimate DHCP servers are connected can be configured as trusted.
Regards
------------------------------
Sheetanshu Shekhar
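Added example (editor's, not from the post or the linked Juniper page) of the trusted/untrusted port override described above, in the ELS-style syntax used on QFX platforms. The VLAN name vlan100, the interface names and the group names are assumptions; the default that trunks are trusted is why the other trunk is explicitly placed in an untrusted group.

```junos
# Added example, not from the original post. Assumed: VLAN vlan100, legitimate
# DHCP server reachable via trunk ge-0/0/0.0, a second hypervisor trunk ge-0/0/1.0.

# Enable DHCP snooping on the VLAN so server replies are checked per port.
set vlans vlan100 forwarding-options dhcp-security

# Only the port facing the legitimate server stays trusted.
set vlans vlan100 forwarding-options dhcp-security group dhcp-servers overrides trusted
set vlans vlan100 forwarding-options dhcp-security group dhcp-servers interface ge-0/0/0.0

# Trunks are trusted by default; override that for every other hypervisor-facing
# trunk so DHCP server replies arriving there are dropped.
set vlans vlan100 forwarding-options dhcp-security group untrusted-trunks overrides untrusted
set vlans vlan100 forwarding-options dhcp-security group untrusted-trunks interface ge-0/0/1.0
```

`show dhcp-security binding` then lists the leases learned from the trusted port only. The limitation raised later in the thread applies here: trust is per port, so when a rogue VM shares the same trunk as the legitimate server this mechanism cannot separate them.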
Original Message:
Sent: 05-14-2024 19:54
From: Anonymous
Subject: Block rogue DHCP on Spine and Leaf
This message was posted by a user wishing to remain anonymous
Hi all,
I'm struggling with an issue and figured that I would ask here as many of you are advanced users.
My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.
Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.
Some users are spinning up VMs running a DHCP service too and I don't have any control over those VMs.
How would one efficiently block all DHCP traffic except the legit one (FW is not an option, it must be blocked before it hits the FW)?
Thanks a lot for any idea you may have