06-24-2009 07:25 AM - edited 03-06-2019 06:26 AM
I am trying to find a rogue DHCP server on a 3750. I suspect that the device is connected to one of a couple of switch stacks. I tried to use the DHCP snooping option but I can't see the table being built. I don't run DHCP pools on the switches; I use ip helper-address pointing to the DHCP server IP on the cores. I have enabled DHCP only on the access switches. The following are the commands used:
conf t
ip dhcp snooping
ip dhcp snooping vlan X
Please let me know if I am missing anything here. I have an IP Base image on the 3750s; is that the problem?
06-24-2009 08:14 AM
Hello Prakadeesh,
If there are user PCs affected, ask them to open a shell and then have them run
ipconfig /all
arp -g
Then look for the MAC address of the fake GW in the CAM tables of your switches; it has to be on the same VLAN as the affected user.
Be aware that there are also some virus worms that turn an infected PC into a rogue DHCP server, passing wrong information.
Hope to help
Giuseppe
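The switch-side half of the trace Giuseppe describes, as an added example that is not part of his post: the PC-side commands give the rogue's IP (ipconfig /all, "DHCP Server") and its MAC (arp -g); the switch then tells you which port learned that MAC in the user's VLAN. The MAC 0011.2233.4455, VLAN 10, switch names and port numbers are constructed for illustration, and the quoted output lines are constructed too.

```cisco
! Constructed scenario: affected user is in VLAN 10; ipconfig /all on the PC
! showed "DHCP Server . . . : 10.10.10.250", and arp -g mapped that address
! to 0011.2233.4455.

! 1. Find which port learned the rogue's MAC, restricted to the affected VLAN.
Switch-A# show mac address-table address 0011.2233.4455 vlan 10
!   Vlan    Mac Address       Type        Ports
!   ----    -----------       --------    -----
!     10    0011.2233.4455    DYNAMIC     Gi1/0/48      (constructed output)

! 2. If that port is a trunk, the rogue sits behind a neighbouring switch:
!    identify the neighbour with CDP and repeat step 1 there.
Switch-A# show interfaces Gi1/0/48 switchport | include Operational Mode
Switch-A# show cdp neighbors Gi1/0/48 detail

! 3. Once the MAC lands on an access port, confirm it and isolate the port
!    until the device is physically found; the description records why.
Switch-B# show mac address-table address 0011.2233.4455 vlan 10
Switch-B# configure terminal
Switch-B(config)# interface Gi1/0/7
Switch-B(config-if)# description ROGUE DHCP - isolated 2009-06-24, ticket TBD
Switch-B(config-if)# shutdown
Switch-B(config-if)# end

! 4. Keep the evidence for the ticket: the PC's ARP entry plus this mapping.
Switch-B# show logging | include Gi1/0/7
```

Because CAM entries age out, run the lookup while the user still has the bad lease; an ipconfig /renew that happens to reach the real server (as in the thread) removes the ARP entry you need.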
06-24-2009 08:34 AM
Prakadeesh,
You need to add "ip dhcp snooping trust" on the interfaces that DHCP server packets come in on. In your case you have to add this command on the uplinks to the core switch (the ip helper is there).
Please check out this link : http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swdhcp82.html#wp1058243
Hope I correctly understood your question.
Toshi
06-25-2009 03:26 AM
Giuseppe, will have to remember that arp -g trick on a machine that is having a problem. Learn something new every day :-)
06-24-2009 08:35 AM
You are missing some other guidelines:
- If a switch port is connected to a DHCP server or to another switch or router, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
- If a switch port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
HTH,
__
Edison.
06-24-2009 11:25 PM
Hello all,
Thanks for the reply and guidance. I was about to check the ARP table on the machines, but someone tried an IP renew and the PC picked up a proper DHCP lease. The problem also seems very intermittent. Will try out your guidelines. Just a quick question: is DHCP snooping only present in the Enhanced feature set, or in IP Base too?
06-30-2009 02:11 AM
Hello Folks,
I have managed to find the rogue DHCP server and remove it. Thanks for all your support. I am planning to implement DHCP snooping with trusted and untrusted ports on all our C3750 edge switches, but I am a bit concerned about the CPU utilisation on the switch stacks. Please let me know your thoughts on whether it will do more good or harm.
Thanks,
Prakadeesh
06-30-2009 10:57 AM
The process runs completely in hardware and it will not affect your CPU.
__
Edison.
07-01-2009 07:25 AM
Thanks Edison,
That's a relief. I am planning to configure DHCP snooping on all the edge switches with end-user ports as untrusted and the uplink trunk ports to the core switch as trusted. The DHCP servers are connected to the core switches. Now I have a couple of queries; please help with this:
1. Should the downstream links on the cores that connect to these access switches be configured as trusted too? Does that mean DHCP snooping should be globally enabled on the cores as well?
2. Is a database agent absolutely needed on the access switch? I understand that the agent helps in rebuilding the database after a reload. But if the agent is not present, does that mean that none of the edge ports will be able to get DHCP again?
Please help with this,
Thanks,
07-01-2009 10:33 AM
1. Yes and Yes.
2. The snooping database is dynamically created when DHCP snooping is enabled and it captures all the untrusted interface information. You can't have snooping enabled without the binding database.
__
Edison.
07-02-2009 12:36 AM
Thanks again Edison,
Since I don't want the cores to build up any database, I will just configure DHCP snooping globally and configure the downstream links as trusted. But on the access switches, I will enable DHCP snooping globally, and snooping for all the VLANs, as well as the trusted and untrusted ports. Hope my understanding is clear.
thanks,
Prakadeesh
07-02-2009 05:18 AM
Your understanding is not correct.
Enabling DHCP Snooping globally will automatically set all switchports on untrusted mode hence creating the database to maintain a state for those switchports.
I don't understand the angst about the database; it does not cause any CPU issue.
07-06-2009 05:14 AM
Thanks Edison,
The only issue I had with the database was that we can't use the NVRAM for it (because we may overrun the free space), so you have to point the database somewhere else, like a TFTP server. In that case, when the switch reloads, the database is reloaded from the TFTP server, as the NVRAM database could be lost (I assume).
-thanks
deesh
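The design the thread converges on (Toshi's and Edison's trust rules on the uplinks, untrusted end-user ports, snooping enabled globally on the cores as well, and a database agent so the binding table survives a reload), written out as one added IOS configuration that is not the thread's own. VLAN numbers, interface numbers, the TFTP server address 10.0.0.5 and the database filenames are assumptions for illustration; the access-switch uplinks are taken to be the SFP ports Gi1/1/1-2 and the core's downstream links Te1/1/1-2.

```cisco
! Added example, not the thread's configuration. Assumed: user VLANs 10,20,30;
! access stack uplinks Gi1/1/1-2; core downstream links Te1/1/1-2;
! DHCP server on core port Gi1/0/1; TFTP server 10.0.0.5.

! ===== Access switch (C3750 stack) =====
configure terminal
 ip dhcp snooping
 ip dhcp snooping vlan 10,20,30
 ! Option 82 is inserted by default once snooping is on. If the core relay
 ! (ip helper-address) drops client requests carrying option 82 with a zero
 ! giaddr, either disable insertion here (next line) or configure
 ! "ip dhcp relay information trust-all" on the core relay instead.
 no ip dhcp snooping information option
 ! Binding table is mandatory (Edison); persist it so a reload does not
 ! leave clients without bindings. flash: keeps it local; the tftp:// form
 ! is the off-box alternative deesh describes.
 ip dhcp snooping database flash:/dhcp-snoop.db
 ! ip dhcp snooping database tftp://10.0.0.5/sw-access-01.db
 ip dhcp snooping database write-delay 30
 ! Uplinks to the cores: the only ports allowed to source OFFER/ACK.
 interface range GigabitEthernet1/1/1 - 2
  description UPLINK to core
  switchport mode trunk
  ip dhcp snooping trust
 ! End-user ports: untrusted (the default once snooping is on) plus a
 ! rate limit, so a rogue or a looping client cannot flood DHCP to the CPU;
 ! a port that trips the limit is errdisabled and recovered automatically.
 interface range GigabitEthernet1/0/1 - 48
  switchport mode access
  no ip dhcp snooping trust
  ip dhcp snooping limit rate 15
 errdisable recovery cause dhcp-rate-limit
 errdisable recovery interval 300
end

! ===== Core switch (ip helper-address and the DHCP servers live here) =====
configure terminal
 ip dhcp snooping
 ip dhcp snooping vlan 10,20,30
 ! Downstream links to the access stacks ("Yes and Yes").
 interface range TenGigabitEthernet1/1/1 - 2
  description DOWNLINK to access stack
  ip dhcp snooping trust
 ! Ports facing the real DHCP servers must be trusted too, or their
 ! OFFER/ACK packets are dropped as rogue.
 interface GigabitEthernet1/0/1
  description DHCP server
  ip dhcp snooping trust
end

! ===== Verification, after a client renews its lease =====
show ip dhcp snooping             ! global state, VLAN list, trust/rate per port
show ip dhcp snooping binding     ! one MAC / IP / lease / VLAN / port per client
show ip dhcp snooping database    ! agent URL and last write result
show ip dhcp snooping statistics  ! packets dropped on untrusted ports
```

The rogue-server symptom from the start of the thread becomes visible in the last two show commands: an OFFER arriving on an untrusted access port is dropped and counted, and the binding table only ever contains leases handed out through the trusted uplinks.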