Re: Prvent/Block rouge DHCP server in Network

ittechk4u1 · ‎02-28-2023

Hello experts,

I have configured the DHCP scope for different VLANs on my core switch. I also enabled DHCP snooping for specific VLANs.

Yesterday we had the problem that a rouge DHCP server was connected to a port on the Access Switch and caused downtime for spcific vlans and switch log was full of IP conflict messages.

Do you have any idea how to prevent this kind of attack or blockage?

Thank you.

Best regards

marce1000 · ‎03-01-2023

>...and caused downtime for spcific vlans and switch log was full of IP conflict messages.
Post logs observed related to these two items you are experiencing ,

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

ittechk4u1 · ‎03-01-2023

Here the logs:

Feb 27 11:03:50.221: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.31.
Feb 27 11:04:12.676: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.32.
Feb 27 11:04:35.157: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.33.
Feb 27 11:05:04.437: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.34.
Feb 27 11:05:23.886: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.36.
Feb 27 11:06:01.294: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.38.
Feb 27 11:06:23.183: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.41.
Feb 27 11:06:45.649: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 016c.02e0.b7d6.b9 declined 10.95.23.42.
Feb 27 12:34:37.160: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.97.
Feb 27 12:35:02.494: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.103.
Feb 27 12:35:27.543: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.104.
Feb 27 12:35:52.594: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.105.
Feb 27 12:36:10.141: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.106.
Feb 27 12:36:11.268: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.107.
Feb 27 12:36:29.235: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.108.
Feb 27 12:36:35.375: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.109.
Feb 27 12:36:46.405: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 019c.2976.194d.3f declined 10.95.92.110.
Feb 27 12:37:00.061: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.111.
Feb 27 12:37:40.352: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0198.8d46.7cc4.73 declined 10.95.92.113.

I findout the port with mac address(016c.02e0.b7d6.b9), and shutdown the port and now logs are not coming.

My question is: how to prvent this kind of outage in future ?

MHM Cisco World · ‎03-01-2023

Try use DAI which make SW block ARP from the port.

marce1000 · ‎03-01-2023

- Add ip dhcp snooping verify mac-address to the switch configuration , check if that can help ,

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !