
Prevent DHCP Protocol

Status
Not open for further replies.

kcbell

IS-IT--Management
Dec 27, 2001
I have a layer 3 VLAN that people plug in a home router like LinkSys. It is passing out IP addresses: 192.168.1.X.

What can I do to stop DHCP protocol on that VLAN?

Thanks!
 
depending on the switch model, you could enable dhcp snooping and not trust that port.
 
Do you have any 192.168.1.x addresses? If not, block the whole block. If there are no class C RFC1918's,...

access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 permit ip any any

or, just tie them into an existing acl, route map, etc. There is MAC address port security, but it can be tedious in mid-to-large networks...

Or, dhcp snooping. Is this in a position where they'd need helper addresses? You could send out an email threatening castration by spoon for whomever does this, and script something that will email you when someone plugs in a rogue device (like any other device), whether it be via SNMP, syslog, AAA accounting, etc.

Burt

 
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-VM), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)

It is a Cisco 6509!

There is DHCP snooping. I thought

IP DHCP BOOTP ignore

Would do the job!

On that VLAN, they don't need helper addresses. All devices should have static IPs. However, we found some 192.168.X.X addresses. I am trying to find the DHCP server. I know it could be 192.168.1.1 - but where is it? We are in manufacturing and we have over 15 37XX switches. I thought I could configure this VLAN to ignore DHCP protocol and not route it.

KC
 
The DHCP should be limited to just that vlan. I had a similar problem where a laptop was taken home and someone enabled Internet Connection Sharing on it. As soon as it was plugged into the network, it started handing out DHCP addresses to other devices on that vlan. Took some effort to find it, I had to setup a packet analyzer to monitor all dhcp traffic that was not to/from my real dhcp servers. Once I did that, I could find the mac address of the rogue device and hunt it down that way.

Wasn't exactly easy, and I used the Omnipeek product from Wildpackets for the packet analyzer. Could set up a trigger to launch the trace then page me so I knew it was live on the network at that time. The device kept moving on me which was the hard part.

I do know there is a bug with one of the IOS versions for the 3750 and using DHCP snooping. Don't know the details, but if you are going to roll it out to the other 15, you will want to look into it some more.

I've been in the process of getting DHCP snooping pushed out to all of my switches. Something I found is that if you are doing anything PXE based, the PXE server needs to be a trusted port.
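As an added illustration of the approach described above (watch DHCP traffic that is not from the real servers and pull the MAC of whatever answers), here is a small parser for DHCP server replies that flags OFFER/ACK frames from untrusted sources. This is not code from the thread; the trusted server address 10.0.0.5 and the two sample frames are constructed placeholders.

```python
import struct

COOKIE = b"\x63\x82\x53\x63"  # DHCP magic cookie that starts the options field

def build_offer(src_mac, src_ip, xid=0x1234):
    """Constructed Ethernet/IPv4/UDP/BOOTP DHCPOFFER frame (only fields the parser reads are set)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    sip = bytes(int(o) for o in src_ip.split("."))
    ip = b"\x45" + b"\x00" * 8 + b"\x11" + b"\x00\x00" + sip + b"\xff\xff\xff\xff"  # proto 17 = UDP
    bootp = b"\x02\x01\x06\x00" + struct.pack("!I", xid) + b"\x00" * 228     # op 2 = BOOTREPLY
    opts = COOKIE + b"\x35\x01\x02" + b"\x36\x04" + sip + b"\xff"             # type OFFER, server id
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp) + len(opts), 0)
    return eth + ip + udp + bootp + opts

def parse_dhcp_reply(frame):
    """Return (src_mac, src_ip, msg_type, server_id) for a DHCP server reply, else None."""
    if len(frame) < 282 or frame[12:14] != b"\x08\x00":   # too short / not IPv4
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if frame[23] != 17:                                    # IP protocol byte: not UDP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    udp = 14 + (frame[14] & 0x0F) * 4                      # skip Ethernet + IP header (IHL)
    sport = struct.unpack("!H", frame[udp:udp + 2])[0]
    bootp = udp + 8
    if sport != 67 or frame[bootp] != 2:                   # only replies from the server port
        return None
    opts = frame[bootp + 236:]
    if not opts.startswith(COOKIE):
        return None
    msg_type = server_id = None
    i = 4
    while i < len(opts) and opts[i] != 255:                # 255 = end option
        if opts[i] == 0:                                   # 0 = pad
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53:                                     # DHCP message type
            msg_type = value[0]
        elif code == 54:                                   # server identifier
            server_id = ".".join(str(b) for b in value)
        i += 2 + length
    return src_mac, src_ip, msg_type, server_id

def find_rogue_servers(frames, trusted):
    """Sorted (MAC, IP) pairs sending DHCPOFFER (2) or DHCPACK (5) from outside the trusted set."""
    rogues = set()
    for f in frames:
        p = parse_dhcp_reply(f)
        if p and p[2] in (2, 5) and p[1] not in trusted and p[3] not in trusted:
            rogues.add((p[0], p[1]))
    return sorted(rogues)
```

Feeding it frames captured on the VLAN yields the MAC of the rogue device, which is the value you then chase through the switch MAC tables to find the port.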
 
Code:
!enable dhcp snooping globally
Switch(config)# ip dhcp snooping
!enable it on a particular VLAN
Switch(config)# ip dhcp snooping vlan <vlan_id>
!configure the trusted port(s) for your DHCP server(s)
Switch(config-if)# ip dhcp snooping trust

With dhcp snooping enabled, the port sending the DHCP replies will be shut down in the err-disabled state. You could look through your switches and find the ports in err-disabled state or you could enable snmp and trap the errdisable messages. This is assuming that you don't have errdisable recovery in place.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico: Thanks for the code. I have to try it. KC
 