Blocking rogue DHCP servers

The reader who was concerned about making a loop while connecting a switch to itself was also facing “customer-installed” DHCP servers in his LAN. He wrote:

Some users have installed their own Linksys routers and plug our cable in router's LAN ports, so there is DHCP servers fight in our LAN. How can I sort this out (I cannot physically find the location of the Linsys routers)?

The ideal solution is DHCP snooping (assuming your switch supports it), well documented on www.cisco.com. The basic configuration takes only a few minutes:

  • Enable the feature globally with the ip dhcp snooping global configuration command.
  • Enable the feature for individual VLANs with the ip dhcp snooping vlan number global configuration command.
  • Configure the trusted interfaces with the ip dhcp snooping trust interface configuration command.
  • Rate-limit DHCP on untrusted interfaces with the ip dhcp snooping limit rate interface configuration command.

This article is part of You've asked for it series.

Recent posts in the same categories

7 comments:

  1. Anonymous 20 March 2009 11:44
    Or use http://www.net.princeton.edu/software/dhcp_probe/ if your switches are unaware of DHCP snooping feature :)
  2. Tassos 20 March 2009 12:18
    You have to be careful on the usage of "ip dhcp snooping limit rate", because if the limit is exceeded, then the port is err-disabled.
    Still waiting for a fix to drop only dhcp traffic :(
  3. Ivan Pepelnjak 20 March 2009 18:27
    As I said, I would use the "ip dhcp snoop rate-limit" only on untrusted interfaces. There is no reason a correctly operating workstation should generate more than a few DHCP messages per second. If it does, it might be a good idea to disable the port and inform the administrators.
  4. Anonymous 23 March 2009 22:51
    for me the old & simple dhcploc.exe has proven reliable over the years
  5. Tassos 24 March 2009 01:48
    Ivan, there are some other cases too, where you can have untrusted interfaces and dhcp snooping.

    i.e. a trunk interface where a vm or another switch (not managed by you, or not supporting dhcp snooping) is connected.
    You want to snoop dhcp packets from a specific vlan on this interface, but you don't want to shut down the port if they exceed a limit, because there are other vlans passing through this interface too. You just want to drop those dhcp packets.
  6. Unknown 06 December 2012 17:54
    In some books written that, 'If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is SHUT DOWN' . But when I practised it untrusted port drop the DHCP response pakcets, but did not shut down the port. In which situation the port got to shutdown state?
    Replies
    1. Ivan Pepelnjak 06 December 2012 18:06
      Maybe you should ask the author of the book that made that claim.
Add comment
Home
Sidebar