topic Re: Stopping cients acting as rogue DHCP servers on VLAN's in Switches, Hubs, and Modems

Stopping cients acting as rogue DHCP servers on VLAN's

Sydney — Fri, 16 Jun 2006 00:33:12 GMT

We have a 5300 switched environment. If on a VLAN, we are providing DHCP via a server is there a way to stop any client that connects on that VLAN from setting up as rogue DHCP server, we can’t lock the down the ports by Mac addresses or IDM as it open network.

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Mohieddin Kharnoub — Fri, 16 Jun 2006 02:03:15 GMT

Hi Sydney
Use the Extended Access Control List ACL, to allow DHCP only form your DHCP server and prevent other Rogue ones, and implement it in this particular Vlan.

Good Luck!

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Matt Hobbs — Fri, 16 Jun 2006 02:21:42 GMT

You can't currently do this. The feature that would allow you to do this would be 'dhcp snooping'. I would recommend you contact your reseller or ProCurve sales rep to express your interest regarding this type of feature.

Don't forget to assign points to any replies that you receive.

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Matt Hobbs — Fri, 16 Jun 2006 02:28:25 GMT

That's a good idea with the ACL method... some good reading about that at: http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=2&rl=1

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Glen Willms — Mon, 11 Sep 2006 18:48:48 GMT

Does the 5400zl switch have the ability to black rogue DHCP servers?

Does HP have any options here?

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Bruce Campbell_3 — Thu, 02 Nov 2006 14:34:21 GMT

I have tested the following on a 3400cl
to block rogue dhcp servers, and it worked:

ip access-list extended "roguedhcp"
deny udp 0.0.0.0 255.255.255.255 eq 67 0.0.0.0 255.255.255.255 eq 68
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Then apply to all port(s) where rogues
may be (apply to ports connected to
edge devices, or ports going to hubs or
switches which don't support access
lists themselves), example...

int 20 access-group roguedhcp in

The above will block a dhcp reply coming
from anything on port 20. This
should work on the 5300xl too. Remember
to not apply the the ports containing your
real DHCP servers.

Unfortunately, the above method cannot be
applied on 5400zl or 3500yl, as their
access lists apply to traffic crossing
vlans, as opposed to physical ports. DHCP
traffic stays within the vlan (layer 2), and
the ACLs on the 5400zl/3500yl won't work there.

However, 5400zl boasts of Layer 3 services:

* UDP helper function: UDP broadcasts can be directed across router interfaces to specific IP unicast or subnet broadcast addresses and prevent server spoofing for UDP services such as DHCP

Suggesting it can block rogues somehow.
Unfortunately, I can find nothing
in the manuals on how this blocks rogues,
it is just listed as a feature on the product
web page.

Re: Stopping cients acting as rogue DHCP servers on VLAN's

OLARU Dan — Fri, 03 Nov 2006 01:07:55 GMT

You might scan your subnets to search for DHCP servers (say a full network scan every 15 minutes or more; or half an hour before the users start their computers), and block the switch ports of the DHCP servers not under your administration.

Usually DHCP clients keep their leases for some time until their lease expires, so if a rogue DHCP server appears on your network it is likely that only a very small portion of your hosts will get rogue DHCP leases. In the mean time you might isolate the rogues.

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Matt Hobbs — Fri, 03 Nov 2006 01:19:27 GMT

DHCP snooping is now available on some of the ProCurve switches, although the documentation on how to use it isn't currently published - it's quite straight forward to use. In the meantime you can contact your HP customer care centre for more details on using this feature.

To check if your model switch supports this enhancement, check the current release notes.

Re: Stopping cients acting as rogue DHCP servers on VLAN's

stieven struyf — Fri, 03 Nov 2006 02:16:19 GMT

i'm also interested in configuring this. any information on this.(our clients are on 2848 switches, our core chassis is a 5312zl, no routing on the switches)

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Bruce Campbell_3 — Fri, 03 Nov 2006 11:02:14 GMT

Spiffy. Release notes refer to the feature
as "DHCP Protection" and it is on
the latest firmware for 3400cl, 2800,
2600, 3500yl, 5400zl (at least).

I installed on 5400zl, cli output
as follows:

dhcp-snooping help
Usage: [no] dhcp-snooping

Description: Enable/Disable the global administrative status of
DHCP snooping. No snooping will be performed on
any VLAN if the global administrative status is disabled.
The default state is disabled.

dhcp-snooping
authorized-server Configure valid DHCP Servers.
database Configure lease database transfer options.
option Configure DHCP snooping operational behavior.
trust Configure trusted interfaces.
verify Enable/Disable DHCP packet validation.
vlan Enable/Disable snooping on a VLAN.

I haven't tried it yet.