Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Block rogue DHCP on Spine and Leaf

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Hi all,

    I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

    My network setup is a pretty basic spine and leaf, nothing fancy: 2 QFX5100 and a few leafs attached to them.

    Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

    Some users are spinning up VMs running a DHCP service too, and I don't have any control over those VMs.

    How would one efficiently block all DHCP traffic except the legit one? (A FW is not an option; it must be blocked before it hits the FW.)

    Thanks a lot for any idea you may have



  • 2.  RE: Block rogue DHCP on Spine and Leaf

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Hi there.

    In my opinion, the easiest solution is to configure a DHCP relay.

    This way, only the legitimate DHCP packets will be forwarded to and from the server/clients.

    I hope this helps you.

    Regards.




  • 3.  RE: Block rogue DHCP on Spine and Leaf

    Posted 9 days ago

    Interesting. I will need to read more about that because I'm not too familiar. Thanks !



    ------------------------------
    Gerry Fiaher
    ------------------------------



  • 4.  RE: Block rogue DHCP on Spine and Leaf

    Posted 10 days ago

    Hi,

    DHCP security can be configured to define trusted and untrusted port connections for DHCP servers.

    Please see this for more details - https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/port-security-trusted-dhcp-server.html

    By default, all trunk ports are trusted and access ports are untrusted. But this behaviour can be overridden. Only the specific ports to which legitimate DHCP servers are connected can be configured as trusted.

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------
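    As an added illustration of the trusted/untrusted port model described in the reply above (this is not configuration from the original reply), here is the ELS-style syntax used on EX and QFX switches. It assumes a VLAN named `servers`, that the legitimate DHCP server hangs off access port `xe-0/0/10`, and that `xe-0/0/48` is an uplink trunk; all three names are placeholders.

```junos
# Placeholder names: VLAN "servers", server port xe-0/0/10, uplink trunk xe-0/0/48.

# Enable DHCP snooping on the VLAN; without this, port trust is never evaluated.
set vlans servers forwarding-options dhcp-security

# The port leading to the legitimate DHCP server goes into a trusted group,
# so OFFER/ACK messages arriving there are forwarded.
set vlans servers forwarding-options dhcp-security group dhcp-servers interface xe-0/0/10.0
set vlans servers forwarding-options dhcp-security group dhcp-servers overrides trusted

# Trunk ports are trusted by default. Override that for the uplink so that
# DHCP server messages arriving on it are dropped like on any access port.
set vlans servers forwarding-options dhcp-security group uplinks interface xe-0/0/48.0
set vlans servers forwarding-options dhcp-security group uplinks overrides untrusted
```

    After committing, `show dhcp-security binding` lists the leases the switch has snooped; a client that never gets a binding while a user VM is answering is the sign that the rogue was dropped. The caveat is that trust is a property of the port, not of the server: if the legitimate server and the rogue VMs arrive over the same trunk, that trunk can only be wholly trusted (rogues pass) or wholly untrusted (the legit server is blocked too).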



  • 5.  RE: Block rogue DHCP on Spine and Leaf

    Posted 9 days ago

    Right, I was looking at this solution at one point, but the issue is that the legit server and potential rogues are using the same trunk.

    I don't have the power to isolate the legit VM on a dedicated server / link.



    ------------------------------
    Gerry Fiaher
    ------------------------------



  • 6.  RE: Block rogue DHCP on Spine and Leaf

    Posted 9 days ago

    Ok, what if we apply an inbound filter on the trunk port to a) allow DHCP traffic (UDP port 67) only from the legit source(s); b) discard DHCP traffic from any other source; c) allow anything else. An example is shown below, assuming ge-0/0/0 is the trunk port and 10.10.100.10 is the legit DHCP server.

    # Matches are on UDP source port 67: DHCP server messages (OFFER/ACK/NAK)
    # leave the server from port 67 toward client port 68, so the source port
    # is what identifies server-originated traffic. Matching on destination-port
    # 67 would instead hit the clients' own DISCOVER/REQUEST packets, which must
    # be allowed through to the legit server.
    set firewall family ethernet-switching filter allow-dhcp term legit from ip-protocol udp
    set firewall family ethernet-switching filter allow-dhcp term legit from source-port 67
    set firewall family ethernet-switching filter allow-dhcp term legit from ip-source-address 10.10.100.10/32
    set firewall family ethernet-switching filter allow-dhcp term legit then accept
    set firewall family ethernet-switching filter allow-dhcp term legit then count legit
    # Any other source talking like a DHCP server is discarded; the counter
    # makes rogue activity visible in "show firewall filter allow-dhcp".
    set firewall family ethernet-switching filter allow-dhcp term rogue from ip-protocol udp
    set firewall family ethernet-switching filter allow-dhcp term rogue from source-port 67
    set firewall family ethernet-switching filter allow-dhcp term rogue then discard
    set firewall family ethernet-switching filter allow-dhcp term rogue then count rogue
    # Everything else passes unchanged.
    set firewall family ethernet-switching filter allow-dhcp term last then accept
    set firewall family ethernet-switching filter allow-dhcp term last then count last
    
    # Apply as an ingress filter on the trunk facing the hypervisors.
    set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input allow-dhcp


    ------------------------------
    Sheetanshu Shekhar
    ------------------------------
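    An added variant of the filter in the reply above (not configuration from the original reply): it is applied to the whole VLAN instead of a single trunk, so every ingress port carrying that VLAN is covered, and it pins the legitimate server to its MAC address as well as its IP, because a rogue VM on the same trunk can simply configure itself with 10.10.100.10. The VLAN name `servers` and the MAC `00:50:56:aa:bb:cc` are assumptions; 10.10.100.10 is the server address from the reply.

```junos
# Assumptions: VLAN "servers", legit server MAC 00:50:56:aa:bb:cc.

# Legitimate server: must match BOTH the expected IP and the expected MAC.
set firewall family ethernet-switching filter allow-dhcp-vlan term legit from ip-protocol udp
set firewall family ethernet-switching filter allow-dhcp-vlan term legit from source-port 67
set firewall family ethernet-switching filter allow-dhcp-vlan term legit from ip-source-address 10.10.100.10/32
set firewall family ethernet-switching filter allow-dhcp-vlan term legit from source-mac-address 00:50:56:aa:bb:cc/48
set firewall family ethernet-switching filter allow-dhcp-vlan term legit then accept
set firewall family ethernet-switching filter allow-dhcp-vlan term legit then count legit

# Anything else sending from UDP source port 67 is acting as a DHCP server:
# discard it and count it so the rogue VMs can be located afterwards.
set firewall family ethernet-switching filter allow-dhcp-vlan term rogue from ip-protocol udp
set firewall family ethernet-switching filter allow-dhcp-vlan term rogue from source-port 67
set firewall family ethernet-switching filter allow-dhcp-vlan term rogue then discard
set firewall family ethernet-switching filter allow-dhcp-vlan term rogue then count rogue

# Client DISCOVER/REQUEST (destination port 67) and all other traffic pass.
set firewall family ethernet-switching filter allow-dhcp-vlan term last then accept

# Apply to every port in the VLAN (ELS syntax) rather than to one trunk.
set vlans servers forwarding-options filter input allow-dhcp-vlan
```

    After commit, `show firewall filter allow-dhcp-vlan` should show the `rogue` counter climbing whenever a user VM answers a DISCOVER, and `clear firewall filter allow-dhcp-vlan` resets it for a fresh measurement. Keep in mind that this is still an address-based check: a rogue that spoofs both the IP and the MAC of the legitimate server gets through, so it raises the bar rather than replacing port-bound trust.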



  • 7.  RE: Block rogue DHCP on Spine and Leaf

    Posted 8 days ago

    I think that's it ! Thanks a lot !



    ------------------------------
    Gerry Fiaher
    ------------------------------