03-23-2017 11:57 AM - edited 03-08-2019 09:53 AM
After repeated calls from users complaining about duplicate IP address messages, we set out to find the rogue DHCP server that is giving out IP addresses in the same scope that our Windows DHCP server is configured to hand out (172.16.1.1 to 172.16.7.254). We used a Microsoft-approved utility called DHCPFind to locate the rogue DHCP server. The utility shows both our DHCP server (172.16.1.1) and another device with the IP address 72.67.46.108 responding to DHCP requests from our inside clients, offering IP addresses in the same IP range. Note that the device is giving out addresses in the 172.16.1.1 to 172.16.1.255 range as well, despite the fact that this range is excluded and used for reserved static IP addresses. This is causing issues with internet access from servers that have static addresses when a duplicate address is handed out by the rogue DHCP device. If there is a way to block that IP address from getting and responding to the clients requesting IP addresses, we could focus on finding where the rogue device is plugged in. It could be a port on one of the 22 switches, or it could be connected wirelessly to any of the 74 APs we have that are giving out addresses from our Windows DHCP server. We are puzzled over how a device with that address 72.67.46.108 could intercept DHCP requests in the first place. Could the rogue device's IP address be used as an alias for an IP address it was given by our DHCP server when it connected? We thought Windows policy restrictions would keep Windows clients from accepting DHCP addresses from anything but the Windows DHCP server, but that doesn't matter. The rogue device is handing out IP addresses to iPhones, Android phones, MacBooks, iPads, and Windows workstations.
Our efforts would be focused on finding and eliminating the device, but we just deployed the new Cisco 4500 core switches and the 3650, 3560, and 2950 switches scattered throughout 14 buildings last year, and we unexpectedly lost our Cisco guru to illness and have just begun to advertise the open position on Monday. So we are basically beginners with Cisco IOS commands, and current staff have had limited training using FireSIGHT and can only do specific tasks using ASDM. If anyone has any ideas or can give us some direction on blocking this device, or even suggestions on how we can find where it is on the network, it would be greatly appreciated. Thanks in advance. I have attached the information that the DHCPFind utility revealed.
03-26-2017 11:55 PM
Hi,
Try using the DHCP snooping feature. It should solve your issue without the need to find the rogue DHCP server.
Only your DHCP server will be on a trusted port, and replies from the rogue DHCP server (on an untrusted port) will be dropped.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html
03-27-2017 07:50 AM
I tried following the instructions from the link to enable DHCP snooping. After typing in config t I got to the Switch(config)# prompt, but none of the other commands were recognized.
For example, Show running-config dhcp was flagged as incorrect syntax (the ^ marker placed under the command), and feature dhcp was likewise marked incorrect.
I used PuTTY to access the switch. What am I doing wrong, or is it something that doesn't work with a Catalyst 4500 core or an ASA 5505 firewall?
03-28-2017 01:27 AM
Sorry, this is a good configuration example:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
Also, if you are at the "Switch(config)#" prompt, you must enter the "do" command before any "show" command.
And you don't need the "feature dhcp..." command. You enable it with the "ip dhcp snooping" command, but additional configuration is then required for it to work properly.
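The "additional configuration" mentioned above, written out as a Catalyst IOS example. This is an added illustration, not configuration from the thread or from Cisco's documentation: the VLAN IDs (10 and 20), the interface names (GigabitEthernet1/1 as the uplink toward the Windows DHCP server at 172.16.1.1, GigabitEthernet1/2-48 as access ports) and the rate-limit value are assumptions for the example. DHCP snooping is a switch feature, so it is configured on the Catalyst switches, not on the ASA.

```cisco
! Added example (not from this thread): Catalyst IOS DHCP snooping.
! Assumed topology: user VLANs 10 and 20, Gi1/1 leads toward the
! Windows DHCP server 172.16.1.1, Gi1/2-48 are client access ports.
conf t
! Snooping must be enabled globally AND per VLAN; nothing is filtered
! until both lines are present.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! IOS inserts DHCP option 82 by default. Unless the DHCP server is set
! up to accept it, turn it off, otherwise clients may stop getting leases.
no ip dhcp snooping information option
!
! Trust only the port that leads to the real DHCP server (or to the
! switch the server hangs off). Inter-switch trunks on the path to the
! server must be trusted as well, or legitimate OFFER/ACK packets are
! dropped at the next hop.
interface GigabitEthernet1/1
 description Uplink toward Windows DHCP server 172.16.1.1
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default): any DHCP OFFER/ACK arriving
! on them, i.e. from the rogue server, is discarded. The rate limit caps
! DHCP packets per second per port; a port exceeding it is err-disabled.
interface range GigabitEthernet1/2 - 48
 ip dhcp snooping limit rate 15
end
!
! Verification (from exec mode, or prefixed with "do" while in config mode):
show ip dhcp snooping
show ip dhcp snooping binding
! When an offer is dropped on an untrusted port the switch logs a
! DHCP_SNOOPING message that carries the source MAC of the rogue server;
! that MAC then locates the port:
!   show mac address-table address <rogue-mac>
```

Two caveats for this deployment: the access port of a wireless AP stays untrusted, so offers from a rogue on the wireless side are dropped once they reach the switch, but snooping on the switch cannot stop the rogue from answering clients on the same AP or SSID, since that traffic never crosses the switch port; and the first "show ip dhcp snooping" after enabling it is worth running on each platform in the mix, because it shows whether the VLANs and trusted interfaces actually took effect on that software image.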