01-21-2012 11:43 AM - edited 03-07-2019 04:28 AM
Hi
If it's possible, how do you protect/block an unauthorized DHCP SOHO router with NAT from a Cisco 3750?
Thanks
Kasper
01-21-2012 01:16 PM
Hi,
can you explain exactly what you want to do and post a diagram.
Regards.
Alain
01-23-2012 12:30 AM
Our network is open with no user logins; we protect the switches from faultily configured hosts and rogue servers. But we can't figure out how to protect from an unauthorized non-Cisco router.
ip dhcp snooping vlan 615
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-binding
ip dhcp snooping
ip arp inspection vlan 615
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
!
errdisable recovery cause all
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan 615
!
interface range FastEthernet1/0/1 -24
description ***HOST-ACCESS***
switchport access vlan 615
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 1
ip arp inspection limit rate 100
priority-queue out
storm-control broadcast level pps 5k 2k
storm-control multicast level pps 5k 2k
storm-control action shutdown
!
01-23-2012 03:41 AM
Hi,
I think you should create an extended IP ACL to permit established traffic that was initiated from your network and block all traffic from outside.
Another solution is to use the source and destination MAC addresses in an ACL to block inbound on the port that the SOHO connects to.
Maybe this will help
Eugen
01-23-2012 11:45 AM
Hi Eugen
It looks promising, I see the idea. Could I perhaps get some configuration examples from you based on my diagram?
Thank you very much
Regards
Kasper
01-23-2012 06:06 PM
Hi Kasper,
There are many ways to do this:
1. Give the SOHO a static IP address and all the settings it gets from the DHCP server.
2. Set up a MAC filtering list on the 3750:
mac access-list extended filterSOHO
deny host ________(MAC address of SOHO interface) any
permit any any (this statement is optional; if the SOHO MAC changes, access will be permitted again)
On the 3750 interface connected to the SOHO enter
mac access-group filterSOHO in
Second option:
1. Give the SOHO a static IP address and all settings it gets from the DHCP server (if not, just add a permit statement to the ACL for DHCP traffic)
2. Create an extended ACL (DHCP is UDP, server port bootps/67)
access-list 110 permit tcp host 172.16.0.51 any established
access-list 110 permit udp host 172.16.0.51 host 172.16.0.1 eq bootps (optional, if you still want the SOHO to get DHCP settings from the server)
access-list 110 deny ip host 172.16.0.51 any
On the 3750 interface connected to the SOHO enter
ip access-group 110 in
If this helps, mark it as answered
01-24-2012 10:29 AM
But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router, then you can't see from the switch whether it's a computer or a router with a new subnet behind it?
01-24-2012 01:17 PM
But what if I don't know the address of the SOHO router? If someone just plug in a HP SOHO router,
You want to protect your network from someone who might stick an un-authorized router into your LAN switch? Try AUTOSMARTPORT.
01-24-2012 09:38 PM
Then you should put that port on your 3750 into a dead-end VLAN, a VLAN that you don't use inside your network.
Hope this helps
Eugen
01-25-2012 10:47 AM
leolaohoo wrote:
But what if I don't know the address of the SOHO router? If someone just plug in a HP SOHO router,
You want to protect your network from someone who might stick an un-authorized router into your LAN switch? Try AUTOSMARTPORT.
That's exactly what I mean. You never know where they are or what IP address they have, because the hidden router looks just like an ordinary computer. But there must be another workaround to solve the issue? The mentioned "Autosmartport" does not seem to work on a 3750, only on the 3750X and greater.
01-25-2012 02:17 PM
"Autosmartport" does not seem to work on a 3750 only 3750X and greater.
Yes it does. What IOS is your 3750? Autosmartport has been in since IOS version 12.2(50)SE. If you want to upgrade your 3750 to this version, I'd personally recommend you to try out IOS version 12.2(55)SE4 instead.
01-25-2012 10:55 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If you want to preclude the SOHO router from joining your network as a router, there are multiple methods, but if you're trying to block a router that appears as a single IP (host) to your network, that takes some work. The most effective method appears to be tunnel authentication between a host and the edge port; next most effective is edge port authentication to host (wired version of 802.1x); next might be known MAC per port. In theory, you might also be able to "fingerprint" the NIC/OS by its behavior (i.e. a NAT SOHO might "look" just a little different from your real PCs).
This is a similar problem to SOHO wireless APs, although with those you might detect them or their downstream clients on the RF side.
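The "fingerprint by behavior" idea in the post above, worked through as an added example that is not from this thread or from Cisco: a packet from a directly attached host arrives with its OS default initial TTL (64, 128 or 255), a packet relayed by a NAT SOHO router has been decremented once, and a non-NAT router additionally exposes several source IPs behind one MAC. It assumes (src_mac, src_ip, ttl) tuples exported from a SPAN/mirror port of the 3750; the sample traffic is constructed.

```python
from collections import defaultdict

# Common OS default initial TTLs; each router hop (a NAT box included) subtracts one.
INITIAL_TTLS = (64, 128, 255)

def hops_from_origin(ttl):
    """Hops travelled, assuming the sender used the nearest default TTL above ttl."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base - ttl
    return None  # IPv4 TTL cannot exceed 255

def suspect_routers(packets, min_packets=5):
    """Map src MAC -> reasons, for MACs whose traffic looks forwarded rather than originated.
    packets: iterable of (src_mac, src_ip, ttl) seen on the access VLAN; a genuine end host
    on a flat LAN shows 0 hops and a single source IP."""
    per_mac = defaultdict(lambda: {"hops": set(), "ips": set(), "n": 0})
    for mac, ip, ttl in packets:
        entry = per_mac[mac]
        entry["n"] += 1
        entry["ips"].add(ip)
        entry["hops"].add(hops_from_origin(ttl))
    verdict = {}
    for mac, entry in per_mac.items():
        if entry["n"] < min_packets:
            continue  # too few packets to judge
        reasons = []
        if entry["hops"] - {0}:
            reasons.append("TTL decremented (hop counts %s)" % sorted(entry["hops"]))
        if len(entry["ips"]) > 1:
            reasons.append("%d source IPs behind one MAC" % len(entry["ips"]))
        if reasons:
            verdict[mac] = reasons
    return verdict

# Constructed sample (not a capture from the thread's network): a Windows PC, a Linux
# host, a NAT SOHO box relaying two clients, and a non-NAT router with a subnet behind it.
SAMPLE = (
    [("00:11:22:aa:aa:aa", "172.16.0.20", 128)] * 6
    + [("00:11:22:bb:bb:bb", "172.16.0.21", 64)] * 6
    + [("00:11:22:cc:cc:cc", "172.16.0.51", 127)] * 3
    + [("00:11:22:cc:cc:cc", "172.16.0.51", 63)] * 3
    + [("00:11:22:dd:dd:dd", "192.168.1.%d" % i, 127) for i in range(2, 8)]
)

if __name__ == "__main__":
    for mac, reasons in sorted(suspect_routers(SAMPLE).items()):
        print(mac, "->", "; ".join(reasons))
```

Hosts with a non-default TTL, VPN clients and legitimately multi-homed machines will also trip this, so treat a hit as a port to go and check, not as proof.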
01-25-2012 11:13 AM
JosephDoherty wrote:
If you want to preclude the SOHO router from joining your network as a router, there are multiple methods, but if you're trying to block a router that appears as a single IP (host) to your network, that takes some work. The most effective method appears to be tunnel authentication between a host and the edge port; next most effective is edge port authentication to host (wired version of 802.1x); next might be known MAC per port. In theory, you might also be able to "fingerprint" the NIC/OS by its behavior (i.e. a NAT SOHO might "look" just a little different from your real PCs).
This is a similar problem to SOHO wireless APs, although with those you might detect them or their downstream clients on the RF side.
As you say I'm trying to block a router that appears as a single IP but also as a single MAC. Can you please give me some more details on the tunnel or port authentication method?
01-25-2012 01:18 PM
Combat Support Wing ESKseksfemten wrote:
As you say I'm trying to block a router that appears as a single IP but also as a single MAC. Can you please give me some more details on the tunnel or port authentication method?
Actually, not sure Cisco supports the tunnel method, but they do support (on some devices) wired 802.1x.
You might start with: http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html for Cisco solutions to this issue.
01-25-2012 11:37 AM
First you identify your actual DHCP server port and apply “ip dhcp snooping trust”
interface GigabitEthernet1/0/1
description My DHCP Server
ip dhcp snooping trust
And then apply this command in global config mode.
ip dhcp snooping
This should take care of your problem.
thanks
Rizwan Rafeek