HPE Community
Switches, Hubs, and Modems
1822549 Members
2954 Online
109642 Solutions
New Discussion

Stopping cients acting as rogue DHCP servers on VLAN's

 
Sydney
New Member

‎06-15-2006 05:33 PM

‎06-15-2006 05:33 PM

Stopping cients acting as rogue DHCP servers on VLAN's

We have a 5300 switched environment. If on a VLAN, we are providing DHCP via a server is there a way to stop any client that connects on that VLAN from setting up as rogue DHCP server, we can’t lock the down the ports by Mac addresses or IDM as it open network.
0 Kudos
9 REPLIES 9
Mohieddin Kharnoub
Honored Contributor

‎06-15-2006 07:03 PM

‎06-15-2006 07:03 PM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Hi Sydney
Use the Extended Access Control List ACL, to allow DHCP only form your DHCP server and prevent other Rogue ones, and implement it in this particular Vlan.

Good Luck!
Science for Everyone
0 Kudos
Matt Hobbs
Honored Contributor

‎06-15-2006 07:21 PM

‎06-15-2006 07:21 PM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

You can't currently do this. The feature that would allow you to do this would be 'dhcp snooping'. I would recommend you contact your reseller or ProCurve sales rep to express your interest regarding this type of feature.

Don't forget to assign points to any replies that you receive.
0 Kudos
Matt Hobbs
Honored Contributor

‎06-15-2006 07:28 PM

‎06-15-2006 07:28 PM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

That's a good idea with the ACL method... some good reading about that at: http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=2&rl=1
0 Kudos
Glen Willms
Frequent Advisor

‎09-11-2006 11:48 AM

‎09-11-2006 11:48 AM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

Does the 5400zl switch have the ability to black rogue DHCP servers?

Does HP have any options here?
0 Kudos
Bruce Campbell_3
Valued Contributor

‎11-02-2006 06:34 AM

‎11-02-2006 06:34 AM

Re: Stopping cients acting as rogue DHCP servers on VLAN's


I have tested the following on a 3400cl
to block rogue dhcp servers, and it worked:

ip access-list extended "roguedhcp"
deny udp 0.0.0.0 255.255.255.255 eq 67 0.0.0.0 255.255.255.255 eq 68
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Then apply to all port(s) where rogues
may be (apply to ports connected to
edge devices, or ports going to hubs or
switches which don't support access
lists themselves), example...

int 20 access-group roguedhcp in

The above will block a dhcp reply coming
from anything on port 20. This
should work on the 5300xl too. Remember
to not apply the the ports containing your
real DHCP servers.

Unfortunately, the above method cannot be
applied on 5400zl or 3500yl, as their
access lists apply to traffic crossing
vlans, as opposed to physical ports. DHCP
traffic stays within the vlan (layer 2), and
the ACLs on the 5400zl/3500yl won't work there.

However, 5400zl boasts of Layer 3 services:

* UDP helper function: UDP broadcasts can be directed across router interfaces to specific IP unicast or subnet broadcast addresses and prevent server spoofing for UDP services such as DHCP


Suggesting it can block rogues somehow.
Unfortunately, I can find nothing
in the manuals on how this blocks rogues,
it is just listed as a feature on the product
web page.




Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
0 Kudos
OLARU Dan
Trusted Contributor

‎11-02-2006 05:07 PM

‎11-02-2006 05:07 PM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

You might scan your subnets to search for DHCP servers (say a full network scan every 15 minutes or more; or half an hour before the users start their computers), and block the switch ports of the DHCP servers not under your administration.

Usually DHCP clients keep their leases for some time until their lease expires, so if a rogue DHCP server appears on your network it is likely that only a very small portion of your hosts will get rogue DHCP leases. In the mean time you might isolate the rogues.
0 Kudos
Matt Hobbs
Honored Contributor

‎11-02-2006 05:19 PM

‎11-02-2006 05:19 PM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

DHCP snooping is now available on some of the ProCurve switches, although the documentation on how to use it isn't currently published - it's quite straight forward to use. In the meantime you can contact your HP customer care centre for more details on using this feature.

To check if your model switch supports this enhancement, check the current release notes.
0 Kudos
stieven struyf
Frequent Advisor

‎11-02-2006 06:16 PM

‎11-02-2006 06:16 PM

Re: Stopping cients acting as rogue DHCP servers on VLAN's

i'm also interested in configuring this. any information on this.(our clients are on 2848 switches, our core chassis is a 5312zl, no routing on the switches)
0 Kudos
Bruce Campbell_3
Valued Contributor

‎11-03-2006 03:02 AM

‎11-03-2006 03:02 AM

Re: Stopping cients acting as rogue DHCP servers on VLAN's


Spiffy. Release notes refer to the feature
as "DHCP Protection" and it is on
the latest firmware for 3400cl, 2800,
2600, 3500yl, 5400zl (at least).


I installed on 5400zl, cli output
as follows:

dhcp-snooping help
Usage: [no] dhcp-snooping

Description: Enable/Disable the global administrative status of
DHCP snooping. No snooping will be performed on
any VLAN if the global administrative status is disabled.
The default state is disabled.


dhcp-snooping
authorized-server Configure valid DHCP Servers.
database Configure lease database transfer options.
option Configure DHCP snooping operational behavior.
trust Configure trusted interfaces.
verify Enable/Disable DHCP packet validation.
vlan Enable/Disable snooping on a VLAN.



I haven't tried it yet.
Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.