Switching

Hi all,

I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.

Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

Some users are spinning up VM running DHCP service too and  I don't have any control over those VM.

How does one would efficiently block all DHCP traffic except the legit one (FW is not an option, it must be block before it hits the FW). 

Thanks a lot for any idea you may have

Hi there.

In my opinion, the easiest solution is to configure a DHCP relay.

This way, only the legitimate DHCP packets will be forwarded to and from the server/clients.

I hope this helps you.

Regards.

Original Message:
Sent: 05-14-2024 19:54
From: Anonymous User
Subject: Block rogue DHCP on Spine and Leaf

This message was posted by a user wishing to remain anonymous

Hi all,

I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.

Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

Some users are spinning up VM running DHCP service too and  I don't have any control over those VM.

How does one would efficiently block all DHCP traffic except the legit one (FW is not an option, it must be block before it hits the FW). 

Thanks a lot for any idea you may have

Hi all,

I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.

Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

Some users are spinning up VM running DHCP service too and  I don't have any control over those VM.

How does one would efficiently block all DHCP traffic except the legit one (FW is not an option, it must be block before it hits the FW). 

Thanks a lot for any idea you may have

Hi,

DHCP security can be configured to defined trusted and untrusted ports connections for DHCP servers

Please see this for more details - https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/port-security-trusted-dhcp-server.html

By default, all trunk ports are trusted and access ports are untrusted. But, this can behaviour can be over-ridden. Only specific ports to which legitimate DHCP servers are connected can be configured as trusted.

Regards

Hi all,

I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.

Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

Some users are spinning up VM running DHCP service too and  I don't have any control over those VM.

How does one would efficiently block all DHCP traffic except the legit one (FW is not an option, it must be block before it hits the FW). 

Thanks a lot for any idea you may have

right , I was looking at this solution at one point but the issue is that the legit server and potential rogues are using the same trunk.

I don't have the power to isolate the legit VM on a dedicated server / link

Hi,

DHCP security can be configured to defined trusted and untrusted ports connections for DHCP servers

Please see this for more details - https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/port-security-trusted-dhcp-server.html

By default, all trunk ports are trusted and access ports are untrusted. But, this can behaviour can be over-ridden. Only specific ports to which legitimate DHCP servers are connected can be configured as trusted.

Regards

Hi all,

I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.

Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

Some users are spinning up VM running DHCP service too and  I don't have any control over those VM.

How does one would efficiently block all DHCP traffic except the legit one (FW is not an option, it must be block before it hits the FW). 

Thanks a lot for any idea you may have

Ok, what if we apply an inbound filter on the trunk port to a) allow DHCP traffic (UDP port 67) only from the legit source(s); b) discard DHCP traffic from any other source; c) allow anything else. An example is shown below, assuming ge-0/0/0 is the trunk port and 10.10.100.10 is the legit DHCP server.

set firewall family ethernet-switching filter allow-dhcp term legit from destination-port 67set firewall family ethernet-switching filter allow-dhcp term legit from ip-source-address 10.10.100.10/32set firewall family ethernet-switching filter allow-dhcp term legit from ip-protocol udpset firewall family ethernet-switching filter allow-dhcp term legit then acceptset firewall family ethernet-switching filter allow-dhcp term legit then count legitset firewall family ethernet-switching filter allow-dhcp term rogue from ip-protocol udpset firewall family ethernet-switching filter allow-dhcp term rogue from destination-port 67set firewall family ethernet-switching filter allow-dhcp term rogue then discardset firewall family ethernet-switching filter allow-dhcp term rogue then count rogueset firewall family ethernet-switching filter allow-dhcp term last then acceptset firewall family ethernet-switching filter allow-dhcp term last then count lastset interfaces ge-0/0/0 unit 0 family ethernet-switching filter input allow-dhcp

right , I was looking at this solution at one point but the issue is that the legit server and potential rogues are using the same trunk.

I don't have the power to isolate the legit VM on a dedicated server / link

Hi,

DHCP security can be configured to defined trusted and untrusted ports connections for DHCP servers

Please see this for more details - https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/port-security-trusted-dhcp-server.html

By default, all trunk ports are trusted and access ports are untrusted. But, this can behaviour can be over-ridden. Only specific ports to which legitimate DHCP servers are connected can be configured as trusted.

Regards

Hi all,

I'm struggling with an issue and figured that I would ask here as many of you are advanced users.

My network setup is a pretty basic Spine and Leafs, nothing fancy .. 2 QFX5100 and a few leafs attached to them.

Now the leafs are connected to a lot of VMs and one of them is a legit DHCP server.

Some users are spinning up VM running DHCP service too and  I don't have any control over those VM.

How does one would efficiently block all DHCP traffic except the legit one (FW is not an option, it must be block before it hits the FW). 

Thanks a lot for any idea you may have