Re: Stopping cients acting as rogue DHCP servers on VLAN's

Sydney · ‎06-15-2006

We have a 5300 switched environment. If on a VLAN, we are providing DHCP via a server is there a way to stop any client that connects on that VLAN from setting up as rogue DHCP server, we can’t lock the down the ports by Mac addresses or IDM as it open network.

Mohieddin Kharnoub · ‎06-15-2006

Hi Sydney
Use the Extended Access Control List ACL, to allow DHCP only form your DHCP server and prevent other Rogue ones, and implement it in this particular Vlan.

Good Luck!

Science for Everyone

Matt Hobbs · ‎06-15-2006

You can't currently do this. The feature that would allow you to do this would be 'dhcp snooping'. I would recommend you contact your reseller or ProCurve sales rep to express your interest regarding this type of feature.

Don't forget to assign points to any replies that you receive.

Matt Hobbs · ‎06-15-2006

That's a good idea with the ACL method... some good reading about that at: http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=2&rl=1

Glen Willms · ‎09-11-2006

Does the 5400zl switch have the ability to black rogue DHCP servers?

Does HP have any options here?

Bruce Campbell_3 · ‎11-02-2006

I have tested the following on a 3400cl
to block rogue dhcp servers, and it worked:

ip access-list extended "roguedhcp"
deny udp 0.0.0.0 255.255.255.255 eq 67 0.0.0.0 255.255.255.255 eq 68
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Then apply to all port(s) where rogues
may be (apply to ports connected to
edge devices, or ports going to hubs or
switches which don't support access
lists themselves), example...

int 20 access-group roguedhcp in

The above will block a dhcp reply coming
from anything on port 20. This
should work on the 5300xl too. Remember
to not apply the the ports containing your
real DHCP servers.

Unfortunately, the above method cannot be
applied on 5400zl or 3500yl, as their
access lists apply to traffic crossing
vlans, as opposed to physical ports. DHCP
traffic stays within the vlan (layer 2), and
the ACLs on the 5400zl/3500yl won't work there.

However, 5400zl boasts of Layer 3 services:

* UDP helper function: UDP broadcasts can be directed across router interfaces to specific IP unicast or subnet broadcast addresses and prevent server spoofing for UDP services such as DHCP

Suggesting it can block rogues somehow.
Unfortunately, I can find nothing
in the manuals on how this blocks rogues,
it is just listed as a feature on the product
web page.

Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON

OLARU Dan · ‎11-02-2006

You might scan your subnets to search for DHCP servers (say a full network scan every 15 minutes or more; or half an hour before the users start their computers), and block the switch ports of the DHCP servers not under your administration.

Usually DHCP clients keep their leases for some time until their lease expires, so if a rogue DHCP server appears on your network it is likely that only a very small portion of your hosts will get rogue DHCP leases. In the mean time you might isolate the rogues.

Matt Hobbs · ‎11-02-2006

DHCP snooping is now available on some of the ProCurve switches, although the documentation on how to use it isn't currently published - it's quite straight forward to use. In the meantime you can contact your HP customer care centre for more details on using this feature.

To check if your model switch supports this enhancement, check the current release notes.

stieven struyf · ‎11-02-2006

i'm also interested in configuring this. any information on this.(our clients are on 2848 switches, our core chassis is a 5312zl, no routing on the switches)

Bruce Campbell_3 · ‎11-03-2006

Spiffy. Release notes refer to the feature
as "DHCP Protection" and it is on
the latest firmware for 3400cl, 2800,
2600, 3500yl, 5400zl (at least).

I installed on 5400zl, cli output
as follows:

dhcp-snooping help
Usage: [no] dhcp-snooping

Description: Enable/Disable the global administrative status of
DHCP snooping. No snooping will be performed on
any VLAN if the global administrative status is disabled.
The default state is disabled.

dhcp-snooping
authorized-server Configure valid DHCP Servers.
database Configure lease database transfer options.
option Configure DHCP snooping operational behavior.
trust Configure trusted interfaces.
verify Enable/Disable DHCP packet validation.
vlan Enable/Disable snooping on a VLAN.

I haven't tried it yet.

Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Stopping cients acting as rogue DHCP servers on VLAN's