01-29-2007 02:27 AM
Hi, all
How can I prevent a bogus DHCP server in the same VLAN as clients that need DHCP service from the legal DHCP server connected to a Catalyst 4506,
without disconnecting the Ethernet line physically?
Please refer to attachment.
01-29-2007 02:52 AM
This will be quite hard to realize when you have a direct layer 2 connection between the devices on the segment. Normally, this should not be a problem as the machine is within your administrative domain, so you should also be able to contact its administrator about this.
One solution (the most preferable one) will be to put the bogus machine in a different VLAN.
Regards,
Leo
01-29-2007 04:50 PM
If your clients are Windows 2000/XP, and your DHCP server is Windows 2000/2003 Server, you can try to use DHCP ClassID feature. It provides some kind of "DHCP security" in your environment. I personally never tried it in real life, but I remember it from the MCSE materials.
Other than that, there is no way to stop a bogus DHCP server from issuing IP addresses. As a matter of fact, your PCs will get most of their addresses from the bogus DHCP server, since it's "closer" to them and will respond quicker.
If you want to be aware if someone brings a DHCP server into your network, you can set up a sniffer in your network and monitor for "out-of-range" IP addresses. Also you can turn on debugging on your router for "arp requests" and see if someone requests any ARP addresses out of your normal range.
Good luck,
Mike
01-29-2007 06:18 PM
Hi,
It's possible to defend against this attack with DHCP snooping, but it is only available on a Catalyst switch. I see from your figure that the bogus DHCP server is connected to a hub, but here is the description of DHCP snooping and its commands.
BTW, you can still configure snooping on the 3550 port (connected to the hub) as "untrusted" to isolate the DHCP attack.
DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages while untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP Option 82, where switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.
Untrusted ports are those not explicitly configured as trusted. A DHCP Binding Table is built for untrusted ports. Each entry contains client MAC address, IP address, lease time, binding type, VLAN number and Port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP Snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOffer, DHCPAck, or DHCPNak.
Commands:
Switch(config)#ip dhcp snooping
-enables DHCP snooping globally
Switch(config-if)#ip dhcp snooping trust
-configures an interface as trusted
rgds,
ben
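The commands above, as an added worked example that is not part of Ben's post: a DHCP snooping configuration for the 3550 that fronts the hub. Assumptions, not from the thread: clients and the legal DHCP server are in VLAN 10, GigabitEthernet0/1 is the uplink toward the Catalyst 4506 (and so toward the legal server), and FastEthernet0/24 is the port the hub hangs off.

```cisco
! Added example, not the original poster's configuration.
! Assumed: VLAN 10, uplink Gi0/1, hub port Fa0/24.
!
! Enable snooping globally, then per VLAN (snooping does nothing
! on a VLAN until it is listed here).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Uplink toward the Cat4506 and the legal DHCP server: trusted, so
! DHCPOFFER/ACK/NAK coming back from the real server are forwarded.
interface GigabitEthernet0/1
 description uplink to Cat4506 / legal DHCP server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
! Hub port: untrusted is the default once snooping is on, so any
! DHCP server message (OFFER/ACK/NAK) arriving here is dropped and
! logged. The rate limit caps client DISCOVER/REQUEST floods from the
! hub; exceeding it err-disables the port.
interface FastEthernet0/24
 description hub with clients (and the bogus DHCP server)
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! Verification:
!   show ip dhcp snooping           - trusted ports, VLANs, rate limits
!   show ip dhcp snooping binding   - MAC/IP/lease/VLAN/port table
!   show logging | include DHCP     - dropped server packets on untrusted ports
```

Note the limit Ben points out: offers the bogus server hands to clients on the same hub never cross the 3550, so this only protects hosts on other switch ports. Moving the hub's hosts onto individual switch ports (or the bogus machine into its own VLAN, as Leo suggests) is what closes that gap.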
01-30-2007 12:58 AM
Hi, Ben
I will configure DHCP snooping on the Catalyst 3550 if necessary, because that is my customer's environment. Thanks a lot.
Regards!
MinQuant Kuo