Blocking rogue DHCP servers

The reader who was concerned about making a loop while connecting a switch to itself was also facing “customer-installed” DHCP servers in his LAN. He wrote:

Some users have installed their own Linksys routers and plug our cable into the router's LAN ports, so there is a DHCP server fight in our LAN. How can I sort this out (I cannot physically find the location of the Linksys routers)?

The ideal solution is DHCP snooping (assuming your switch supports it), which is well documented on www.cisco.com. The basic configuration takes only a few minutes:

  • Enable the feature globally with the ip dhcp snooping global configuration command.
  • Enable the feature for individual VLANs with the ip dhcp snooping vlan number global configuration command (number being the VLAN number).
  • Configure the trusted interfaces (those leading toward the legitimate DHCP server) with the ip dhcp snooping trust interface configuration command.
  • Rate-limit DHCP packets on untrusted interfaces with the ip dhcp snooping limit rate interface configuration command.
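The four steps above put together as an IOS configuration (an added example, not from the original post). It assumes VLAN 10 is the user VLAN, GigabitEthernet1/0/1 is the uplink toward the real DHCP server and GigabitEthernet1/0/2-24 are user ports; adjust the names for your switch.

```text
! Added example: DHCP snooping on a Catalyst access switch.
! Assumed (not in the original post): user VLAN 10, uplink Gi1/0/1,
! user-facing ports Gi1/0/2-24.
!
! 1. Enable DHCP snooping globally and for the user VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Caveat: with snooping on, the switch inserts DHCP option 82 into
! relayed requests by default. If the upstream relay or DHCP server
! is not configured to accept option 82, clients stop getting leases;
! disable the insertion in that case.
no ip dhcp snooping information option
!
! 2. Trust only the uplink toward the legitimate DHCP server.
!    DHCPOFFER/DHCPACK arriving on any other port (e.g. the LAN side of
!    a customer's Linksys router) is dropped by the switch.
interface GigabitEthernet1/0/1
 description Uplink toward distribution / DHCP server
 ip dhcp snooping trust
!
! 3. User ports stay untrusted (the default) and get a rate limit.
!    Exceeding the limit err-disables the port, so keep the value
!    well above what a correctly working workstation sends (a few
!    DHCP packets per second at most).
interface range GigabitEthernet1/0/2 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! 4. Optional: recover rate-limit err-disabled ports automatically
!    after 5 minutes instead of a manual shutdown / no shutdown.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification (exec mode):
!   show ip dhcp snooping              - VLANs, trusted ports, rate limits
!   show ip dhcp snooping binding      - MAC/IP/lease/VLAN/port learned
!   show interfaces status err-disabled - ports disabled by the limit
```

With this in place, a rogue server's offers are dropped on the untrusted port and logged, while the binding table shows which port each legitimate lease was learned on.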

This article is part of the You've asked for it series.

7 comments:

  1. Or use http://www.net.princeton.edu/software/dhcp_probe/ if your switches are unaware of DHCP snooping feature :)

  2. You have to be careful on the usage of "ip dhcp snooping limit rate", because if the limit is exceeded, then the port is err-disabled.
    Still waiting for a fix to drop only dhcp traffic :(

  3. As I said, I would use the "ip dhcp snoop rate-limit" only on untrusted interfaces. There is no reason a correctly operating workstation should generate more than a few DHCP messages per second. If it does, it might be a good idea to disable the port and inform the administrators.

  4. For me the old & simple dhcploc.exe has proven reliable over the years.

  5. Ivan, there are some other cases too, where you can have untrusted interfaces and dhcp snooping.

    i.e. a trunk interface where a vm or another switch (not managed by you, or not supporting dhcp snooping) is connected.
    You want to snoop dhcp packets from a specific vlan on this interface, but you don't want to shut down the port if they exceed a limit, because there are other vlans passing through this interface too. You just want to drop those dhcp packets.

  6. In some books it is written that 'If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is SHUT DOWN'. But when I practised it, the untrusted port dropped the DHCP response packets but did not shut down the port. In which situation does the port go to the shutdown state?

    Replies
    1. Maybe you should ask the author of the book that made that claim.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.