02-28-2023 11:36 PM
Hello experts,
I have configured the DHCP scope for different VLANs on my core switch. I also enabled DHCP snooping for specific VLANs.
Yesterday we had the problem that a rogue DHCP server was connected to a port on the Access Switch and caused downtime for specific VLANs, and the switch log was full of IP conflict messages.
Do you have any idea how to prevent this kind of attack or blockage?
Thank you.
Best regards
03-01-2023 01:36 AM
>...and caused downtime for specific VLANs and the switch log was full of IP conflict messages.
Post the logs observed related to these two items you are experiencing.
M.
03-01-2023 02:08 AM
Here the logs:
Feb 27 11:03:50.221: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.31.
Feb 27 11:04:12.676: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.32.
Feb 27 11:04:35.157: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.33.
Feb 27 11:05:04.437: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.34.
Feb 27 11:05:23.886: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.36.
Feb 27 11:06:01.294: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.38.
Feb 27 11:06:23.183: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.41.
Feb 27 11:06:45.649: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.42.
Feb 27 12:34:37.160: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.97.
Feb 27 12:35:02.494: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.103.
Feb 27 12:35:27.543: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.104.
Feb 27 12:35:52.594: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.105.
Feb 27 12:36:10.141: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.106.
Feb 27 12:36:11.268: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.107.
Feb 27 12:36:29.235: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.108.
Feb 27 12:36:35.375: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.109.
Feb 27 12:36:46.405: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.110.
Feb 27 12:37:00.061: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.111.
Feb 27 12:37:40.352: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.113.
I found the port with MAC address (016c.02e0.b7d6.b9) and shut down the port, and now the logs are not coming.
My question is: how to prevent this kind of outage in future?
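A parser for the conflict messages in this post, added here as an example (not code from the thread or from Cisco): it recovers the MAC from the logged client identifier (the leading 01 is the hardware-type byte of DHCP option 61, so 016c.02e0.b7d6.b9 is 6c:02:e0:b7:d6:b9) and flags any client that declines several addresses inside a short window, which is the pattern these logs show. The sample lines are constructed copies of the thread's; the threshold of 3 declines in 120 seconds is an assumed starting point.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four lines modelled on the %DHCPD-4-DECLINE_CONFLICT messages above.
SAMPLE_LOG = """\
Feb 27 11:03:50.221: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.31.
Feb 27 11:04:12.676: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.32.
Feb 27 11:04:35.157: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.33.
Feb 27 12:36:11.268: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.107.
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: %DHCPD-4-DECLINE_CONFLICT: "
    r"DHCP address conflict: client (?P<cid>[0-9a-f.]+) declined (?P<ip>[\d.]+)\.$"
)

def client_id_to_mac(cid):
    """The logged 'client' is the DHCP client identifier (option 61): hardware type
    byte 01 + 6-byte MAC. Strip dots and the 01 prefix; non-6-byte ids give None."""
    hexs = cid.replace(".", "")
    if len(hexs) == 14 and hexs.startswith("01"):
        hexs = hexs[2:]
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2)) if len(hexs) == 12 else None

def parse_declines(text):
    """[(timestamp, mac, declined_ip)] per DECLINE_CONFLICT line. IOS omits the
    year, so strptime fills in 1900; only the time deltas matter here."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, client_id_to_mac(m["cid"]), m["ip"]))
    return events

def find_decline_storms(events, threshold=3, window_s=120):
    """MAC -> most declines inside any window_s-second window, for MACs reaching threshold."""
    per_mac = defaultdict(list)
    for ts, mac, _ip in events:
        per_mac[mac].append(ts)
    storms = {}
    for mac, stamps in per_mac.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            storms[mac] = best
    return storms
```

Feed it `show logging` output (or a syslog export) and pair each flagged MAC with `show mac address-table address` to locate the offending access port, as was done by hand in this thread.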
03-01-2023 02:20 AM
Try using DAI, which makes the switch block ARP from the port.
03-01-2023 02:27 AM
- Add ip dhcp snooping verify mac-address to the switch configuration, and check if that can help.
M.