Network technologies and trends » DHCP Snooping

How to detect a rouge DHCP server in your network?

Yasir Irfan — Wed, 09 Dec 2009 09:19:53 +0000

Today morning I was late to arrive at my office due to some problems, when I came I saw my colleagues were trying hard to figure out the rouge DHCP server detected in our helpdesk VLAN. All our users in the help desk and call center were getting an IP address from the Rouge DHCP server and they were not able to access our Network. I tried to figure out the physical location of the rouge DHCP server but I failed to find.

Immediately I thought let me figure out the Mac address of the rouge DHCP server so that I can block its network access.

I went one of the affected systems and from the command prompt; I used the “arp –a followed by the rouge DHCP server as show below

C:\>arp -a 192.168.142.2

Interface: 192.168.142.96 — 0xb

Internet Address Physical Address Type

192.168.142.2 00-16-35-c1-7f-cc dynamic

Once I got the Mac address, immediately I logged into a Cisco 3560 Switch connected in that area. From the privilege mode I used “show mac-address table” command to figure out the interface in which the rouge DHCP is connected.

RRBM-ITD-3560-AS01#sho mac address-table

Mac Address Table

——————————————-

Vlan Mac Address Type Ports

—- ———– ——– —–

All 0100.0ccc.cccc STATIC CPU

All 0100.0ccc.cccd STATIC CPU

All ffff.ffff.ffff STATIC CPU

129 0000.0c07.ac3a DYNAMIC Gi0/52

129 0002.e356.9cfa DYNAMIC Gi0/52

129 0002.e356.a78f DYNAMIC Gi0/39

129 000e.7fd8.6cff DYNAMIC Gi0/7

129 000f.fe0a.1ff7 DYNAMIC Gi0/22

129 0016.35c1.7fcc DYNAMIC Gi0/36

129 000f.fe6f.5d5c DYNAMIC Gi0/52

129 000f.fe6f.5e46 DYNAMIC Gi0/52

129 000f.fe93.d890 DYNAMIC Gi0/8

129 000f.fe93.fcb0 DYNAMIC Gi0/7

129 000f.fe93.fcb8 DYNAMIC Gi0/52

129 000f.fe96.0920 DYNAMIC Gi0/38

129 000f.fe96.5478 DYNAMIC Gi0/52

RRBM-ITD-3560-AS01#

Once I detected the interface to which the rouge DHCP sever connected, I disabled the interface in the Cisco 3560 Switch.

RRBM-ITD-3560-AS01# configure t

Enter configuration commands, one per line. End with CNTL/Z.

RRBM-ITD-3560-AS01(config)#interface gigabitEthernet 0/36

RRBM-ITD-3560-AS01(config-if)#shutdown

RRBM-ITD-3560-AS01(config-if)#description ROUGE DHCP

RRBM-ITD-3560-AS01(config-if)#exit

RRBM-ITD-3560-AS01#

To prevent this from happening I configured the DHCP snooping in the Cisco 3560 Switch.

After careful inspection we figured out the rouge DHCP sever was running in a Virtual Machine, one of our aspiring professional was testing Active directory and DHCP services in a Virtual Windows 2003 Server.

Whenever you come across this kind of situation doesn’t panic just try to troubleshoot the problem in a systematic way. Just by following few simple steps you can eliminate this problem.

The keys steps

Step 1 – Figure out the MAC address using the “arp –a” followed by ip address of the rouge DHCP server from the affected PC.

Step 2- Log into your Switch and figure out the interface to which the rouge DHCP server is connected “Show mac-address table” (Cisco IOS Switches).

Step 3- Disable the interface connected to the rouge DHCP server in your Switch “shutdown” (Cisco IOS Switches).

Step 4 – Take precaution by configuring DHCP snooping in your Network.

What is Dynamic ARP Inspection (DAI) ?

Yasir Irfan — Wed, 26 Nov 2008 05:59:35 +0000

Dynamic ARP inspection is a security feature which validates ARP packet in a network. Dynamic ARP inspections validates the packet by performing IP to MAC address binding inspection stored in a trusted database (the DHCP snooping database) before forwarding the packet. Dynamic ARP intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed.

The switch performs these activities:·

Intercepts all ARP requests and responses on untrusted ports ·

Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before it updates the local ARP cache or before it forwards the packet to the appropriate destination·

Drops invalid ARP packets

How to configure DHCP Snooping in a Cisco Catalyst Switches.

Yasir Irfan — Sat, 22 Nov 2008 12:56:06 +0000

So here we go, with the configuration of DHCP snooping on a Cisco Switch. This feature protects the network by allowing the Cisco Switches to accept DHCP response message only from the authorized servers connected to the trusted interfaces in a Cisco Switch.

All Switch to Switch connections are configured as 802.1 1Q Trunk ports.

IP Address and HSRP Details for the Core Switches From the above scenario we have two Cisco 6513 Series Switches as a Core/ Distribution with three VLANS one for management of Switches VLAN 50,VLAN 100 for all the servers and VLAN 101 for clients. Two Cisco 3560 Series Switches as Server Farm Switches and a Cisco 3560 Series Switch as an Access Switch.There are two DHCP servers with an IP address 10.0.1.100 and 10.0.1.101 connected with Server Farm Switches with HP NIC teaming. We configure DHCP Snooping based on above scenario.

The first step to configure DHCP Snooping is to turn on DHCP snooping in all Cisco Switches using the “ip dhcp snooping” command.

All Cisco Switches (config)#ip dhcp snooping Second step is to configure the trusted interfaces, from the above scenario all trunk ports are configured as trusted ports as well as the interfaces G0/7,(ITKESF01 50.0.0.6), G0/17,(ITKESF02 50.0.0.7), G0/9 ITKESF01 50.0.0.6) and G0/18 ITKESF02 50.0.0.7) connected to DHCP servers with IP 10.0.1.100 and 10.0.1.101. Lets configure all trunk ports in ITKEBB01

ITKEBB01(config)#interface range gigabitEthernet 3/21 – 23

ITKEBB01 (config-if)#ip dhcp snooping trust

Now let’s configure all trunk ports in ITKEBB02

ITKEBB02(config)#interface range gigabitEthernet 3/21 – 23 ITKEBB02 (config-if)#ip dhcp snooping trust

ITKEBB02 (config)#interface gigabitEthernet 3/16

ITKEBB02 (config-if)#ip dhcp snooping trust

Now let’s configure the trusted ports for the DHCP servers

ITKESF01(config)#interface gigabitEthernet 0/7

ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF01(config)#interface gigabitEthernet 0/17 ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/9

ITKESF02 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/18 ITKESF02 (config-if)#ip dhcp snooping trust

Now let’s configure the trunk ports Access Switch ITKEAS01

ITKEAS01(config)#interface range gigabitEthernet 0/49 – 52

ITKEAS01 (config-if)#ip dhcp snooping trust

Finally we are going to configure VLANS for DHCP snooping DHCP snooping will used on all the VLANs (VLAN 100 & 101)except management VLAN 50 . Also we will limit the requests rate received in the Access Switch (ITKEAS01) ALL SWITCHES(config)# ip dhcp snooping VLAN 100,101

ITKEAS01(config)#interface range gigabitEthernet 0/1 – 48

ITKEAS01 (config-if)#ip dhcp snooping limit rate 20

Displaying the DHCP snooping

For further reference please do check this article from Cisco about DHCP snooping.

Why should we consider implementing DHCP Snooping?

Yasir Irfan — Sat, 22 Nov 2008 07:22:25 +0000

Dear FriendsIn my previous post I was discussing about the DHCP Snooping, it may be hard to believe a DHCP sever can lead to lot troubles in your network. Consider a host sends out DHCP discovery packets, it listens for a DHCP offers packets and accepts the first available offer from a DHCP server. Guess what happens if the host gets a DHCP offer from a rouge DHCP server? The host could end up with using rouge DHCP server with an IP address and the default gateway. The host cannot access any of the resources from your network.

Yes we can prevent this with DHCP snooping thanks to Cisco. DHCP snooping classifies interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces will be permitted to pass through the Cisco switch, but DHCP messages received on untrusted interface in a Cisco Switch results in putting the interface into error disable state. Configuring DHCP snooping in a Network is quite troublesome job but I will try to make things easier for you by using a scenario, which hopefully I am going post soon.

What is Dynamic Host Configuration Protocol (DHCP) Snooping?

Yasir Irfan — Thu, 20 Nov 2008 07:54:05 +0000

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature which filters untrusted DHCP messages, this security feature can protects the devices on the network from associating with an unauthorized DHCP server. When the Dynamic Host Configuration Protocol (DHCP) Snooping feature is enabled on a Cisco Switch , the Cisco Switch builds a table of MAC address, IP address lease time , binding type and interface information. In coming posts I will try to explain to how to enable and configure the Dynamic Host Configuration Protocol (DHCP) snooping security feature in a Cisco Switch.