cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1376
Views
0
Helpful
11
Replies

Rogue DHCP problem

andnagy122
Level 1
Level 1

Hi everyone!

I have a problem regarding one of our customers.

As you can see, there's two APs, where AP1 functions as a DHCP server assigning IPs to laptops using wireless. Non-wireless client PCs, however, lease an IP from the rogue DHCP server (customer-managed). The customer wants to keep this behaviour.

The problem is that the DHCP server is more faster than AP1 regarding IP assigning via DHCP. Therefore, all clients (incl. wireless ones) get an IP from the DHCP server, which is undesirable for the customer, as mentioned above.

As a possible solution, I think about DHCP snooping on the switch. What's your opinion about that?

Do you have any other better solutions for this problem?

Deactivating the DHCP function on the server is not possible as non-wireless client don't get an IP then.

Thanks in advance!

2 Accepted Solutions

Accepted Solutions

Hello

You could try applying a mac ACL relating to the rouge DHCP server to the vlan(s) you don't want it to work on

mac address-table static xxxx.xxxx.xxxx vlan 10 drop

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Hello,

in addition to Paul's suggestion, you could also specify an access list that denies udp ports 67 and 68 inbound on the Vlan interface where the wireless clients are connected to...

ip access-list extended DROP_DHCP
deny udp host x.x.x.x any eq bootpc
deny udp host x.x.x.x any eq bootps
permit ip any any

interface Vlan1
ip access-group DROP_DHCP in

View solution in original post

11 Replies 11

Hello

You could try applying a mac ACL relating to the rouge DHCP server to the vlan(s) you don't want it to work on

mac address-table static xxxx.xxxx.xxxx vlan 10 drop

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

if I understand it correctly, this command's effect would be to drop frames with the specified MAC (the server's MAC) in the specified VLAN right?

Thanks.

Hello,

in addition to Paul's suggestion, you could also specify an access list that denies udp ports 67 and 68 inbound on the Vlan interface where the wireless clients are connected to...

ip access-list extended DROP_DHCP
deny udp host x.x.x.x any eq bootpc
deny udp host x.x.x.x any eq bootps
permit ip any any

interface Vlan1
ip access-group DROP_DHCP in

Hi,

yeah I did some more research and found the same alternative solution with MAC ACLs :)

Thank you! :)

Hello

Sis this assist you if so please rate and close - It can provide feedback for others.

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello again,

meanwhile I discussed this case with my colleagues and we're planning to implement something like the following changes:

AP1
!
ip access-list extended DROP_DHCP
deny udp host [server-IP] eq bootps any eq bootpc
permit udp host [AP1-IP] eq bootps any eq bootpc
!
int x
ip access-group DROP_DHCP in
ip access-group DROP_DHCP out
!
AP2
!
ip access-list extended DROP_DHCP
deny udp host [server-IP] eq bootps any eq bootpc
permit udp host [AP1-IP] eq bootps any eq bootpc
!
int Gi0
ip access-group DROP_DHCP in
!

The only problem with this config is that on AP1, with the following line we cannot distinguish between wireless (which should get an IP from AP1) and non-wireless devices (which should get an IP from the server):

permit udp host [AP1-IP] eq bootps any eq bootpc

We couldn't find any solutions for that so far.

Do you have any ideas?

Thank you in advance!

Hello,

I am thinking about configuring option 82 on the AP. The idea is that the DHCP server only gives out IP addresses to requests that contain option 82 parameters, which you can configure on the AP.

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/113302-dhcp-option82-00.html

Hello

Maybe I am confused now - so to confirm you Wish for the Ap to receive address from the rogue dhcp server but not wifi clients assoicated with the AP

Res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

just to be clear:

1. AP1 serves as DHCP server and it should only assign IPs to wireless devices (laptops).

2. The rogue DHCP server should only assign IPs to non-wireless devices (PCs).

@gpauwen: thanks for the tip, I will look after this option :)

So you wrote:

"The idea is that the DHCP server only gives out IP addresses to requests that contain option 82 parameters, which you can configure on the AP."

I only have CLI access to the APs but this guide focuses on using WLCs with GUI. That helps me not so much.

Additonally, there isn't a relay agent configured on AP1 as it's in the same subnet as the clients - no off-subnet DHCP servers present.

Hi guys,

in the meantime it seems we will solve the issue by asking the customer to configure the switch.

We offered two options:

1. Configure an additional VLAN on the segment

2. Deny all DHCP traffic on both APs inbound and configure each of them as DHCP server by dividing the assignable DHCP pool by 2.

Anyway, thank you very much for your support! :)

Review Cisco Networking for a $25 gift card