DHCP Snooping - mitigate Rogue DHCP Server in Wireless Networks

Hi, Everyone!
Does DHCP snooping also work for WLAN as well as LAN? If not, how do I mitigate a rogue DHCP server in wireless networks?
NB: the WLC used is a 3504 series, version 8.5.
Cordially.

9 Replies

marce1000
VIP

- You can do that for official SSIDs as explained in this document:

    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/configuring_dhcp_for_wlans.pdf

- Of course, for wireless a device does not have a single cable to follow in the network, hence the problem correlates to how to handle rogue access points, which usually will do DHCP too. There are numerous documents available on handling rogues.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Yes, DHCP snooping is the solution here. It works for DHCP; it does not matter whether the client is WLAN or LAN. No specific config on the WLC for it, all in the upstream switch.

https://mrncciew.com/2012/12/27/understanding-dhcp-snooping/ 


HTH

Rasika

*** Pls rate all useful responses ***

Hi, Mr Rasika!
Unfortunately, DHCP snooping on the WLAN does not work!

Cordially!

patoberli
VIP Alumni

Actually you typically don't need to "mitigate rogue dhcp server" on wireless, if the DHCP proxy function is enabled on the WLC. If that option is enabled, then the WLC proxies the DHCP request from each client to the configured DHCP server of the respective virtual-interface. The rogue DHCP server on Wi-Fi will never even receive a DHCP request packet. 

Hi, Everyone!

DHCP snooping doesn't work for my WLAN.
I have the following:
lwap <-> swA <-> swD == dhcpserver <-> wlc.

The config I used is:

On swA:
ip dhcp snooping vlan X,Y     ! X = wired VLAN, works fine; Y = WLAN VLAN, does not work
no ip dhcp snooping information option
ip dhcp snooping database flash:/name.txt
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping

On the uplink from swA to swD:
    ip dhcp snooping trust

Am I missing something?

Is the AP running autonomous image or lightweight?

Hi Sir!
The AP is running in lightweight mode!

Cordially!

Then DHCP Snooping on that port is not needed, as the WLC is handling all DHCP requests/forwarding.

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html

The AP itself behaves like a normal client though and should be able to DHCP request its IP address (unless you use fixed addresses). 

This is, if you are NOT using FlexConnect. If you are using FlexConnect with Local switching (not central switching), then the WLC will typically not proxy the DHCP requests and you might want to have snooping for all client VLANs enabled. 
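To make the two points in this thread concrete (Rasika's, that snooping judges DHCP by message type and port trust regardless of whether the client is wired or wireless, and patoberli's, that a lightweight AP hands the access switch CAPWAP rather than DHCP), here is an added example written for this thread, not code from any poster or from Cisco. It models the per-frame decisions a DHCP-snooping switch makes; the port names, MAC addresses and IP addresses are constructed for the demo, and UDP 67/68 (DHCP) and 5247 (CAPWAP data) are the standard port numbers.

```python
# Added example, not from any poster in this thread: a small model of the
# per-frame decisions a DHCP-snooping switch makes. Port names, MAC and IP
# values are constructed for the demo; UDP ports 67/68 (DHCP) and 5247
# (CAPWAP data) are the standard numbers.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
CAPWAP_DATA_PORT = 5247  # lightweight AP <-> WLC data tunnel
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class Frame:
    port: str            # ingress switch port
    udp_dport: int       # UDP destination port
    src_mac: str         # Ethernet source address
    msg_type: str = ""   # DHCP option 53 name; "" when the frame is not DHCP
    chaddr: str = ""     # client hardware address in the DHCP header
    yiaddr: str = ""     # address offered/assigned (OFFER and ACK only)


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]
    pending: Dict[str, str] = field(default_factory=dict)               # chaddr -> client port
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # chaddr -> (ip, port)

    def process(self, f: Frame) -> str:
        """Return 'forward' or 'drop:<reason>' for one ingress frame."""
        # Snooping inspects only DHCP on UDP 67/68. A lightweight AP tunnels its
        # clients' DHCP inside CAPWAP, so the access switch sees UDP 5247 here and
        # forwards it without ever seeing a DHCP message.
        if f.udp_dport not in (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
            return "forward"
        if f.port in self.trusted_ports:
            # Server replies arriving on a trusted port build the binding table.
            if f.msg_type == "ACK" and f.yiaddr and f.chaddr in self.pending:
                self.bindings[f.chaddr] = (f.yiaddr, self.pending[f.chaddr])
            return "forward"
        # Everything below applies to untrusted (client-facing) ports.
        if f.msg_type in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted-port"  # rogue DHCP server
        if f.msg_type not in CLIENT_MESSAGES:
            return "drop:unknown-dhcp-message"
        if f.src_mac.lower() != f.chaddr.lower():
            return "drop:chaddr-mismatch"  # MAC-address verification failed
        if f.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(f.chaddr)
            if bound is None or bound[1] != f.port:
                return "drop:release-without-matching-binding"
        else:
            self.pending[f.chaddr] = f.port  # remember which port this client is on
        return "forward"


def demo() -> Tuple[list, Dict[str, Tuple[str, str]]]:
    """Run constructed frames through a switch whose uplink Gi1/0/24 is trusted."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    client = "00:11:22:33:44:55"
    frames = [
        Frame("Gi1/0/1", DHCP_SERVER_PORT, client, "DISCOVER", client),
        Frame("Gi1/0/1", DHCP_SERVER_PORT, client, "REQUEST", client),
        # legitimate ACK from the real server via the trusted uplink
        Frame("Gi1/0/24", DHCP_CLIENT_PORT, "aa:bb:cc:00:00:01", "ACK", client, "10.1.1.50"),
        # a rogue server on an access port answering the same client
        Frame("Gi1/0/2", DHCP_CLIENT_PORT, "de:ad:be:ef:00:01", "OFFER", client, "192.168.99.9"),
        # a client whose DHCP chaddr does not match its Ethernet source MAC
        Frame("Gi1/0/3", DHCP_SERVER_PORT, "00:00:00:00:00:03", "DISCOVER", client),
        # RELEASE for the bound client arriving from a different port
        Frame("Gi1/0/7", DHCP_SERVER_PORT, client, "RELEASE", client),
        # CAPWAP data from a lightweight AP: the client's DHCP is inside the tunnel
        Frame("Gi1/0/5", CAPWAP_DATA_PORT, "f0:0d:ca:fe:00:01"),
    ]
    return [sw.process(f) for f in frames], sw.bindings


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The last frame is the one that matters for this thread: with a lightweight AP and central switching, the wireless client's DHCP exchange never appears on swA as DHCP, so a snooping rule there has nothing to match, which is why VLAN Y looked like it "does not work". The check has to live where the DHCP is actually visible: at the WLC (DHCP proxy) or, with FlexConnect local switching, on the switch carrying the locally switched client VLANs.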

Hi,
Can all Cisco access switches support DHCP snooping for wireless networks, whatever the IOS license (LAN Base, LAN Lite) or version? If not, what are the supported IOS versions for this?
Cordially.
