Tracking down rogue DHCP servers

Sep 12th, 2007

Using the tools available on any Cisco router or L3 switch, what is the best way to track down someone who has stuck a nice home router on the network and it is handing out those nice 192.168. addresses to everyone on that subnet? Any good commands or tools to track this down?? I tried looking at the MAC tables and looking for MAC addresses that would point to a maker like Netgear or Linksys or D-Link but found nothing.

hagirebench Wed, 09/12/2007 - 18:17

You could use the DHCP snooping command on the switch. This way the rogue DHCP server's port will shut down if it is not configured as a trusted port.

Below is the explanation for DHCP Snooping:


DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages while untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP Option 82, where switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.


Untrusted ports are those not explicitly configured as trusted. A DHCP Binding Table is built for untrusted ports. Each entry contains client MAC address, IP address, lease time, binding type, VLAN number and Port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP Snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOffer, DHCPAck, or DHCPNak.


Commands:

Switch(config)#ip dhcp snooping

-enables DHCP snooping globally

Switch(config-if)#ip dhcp snooping trust

-configures an interface as trusted


rgds,

ben

glen.grant Wed, 09/12/2007 - 18:44

Yeah, I know you can use that to prevent it, but we don't have that implemented and I'm just looking for any input on how to find one that is currently on the air, short of using a sniffer.

rajatsetia Wed, 09/12/2007 - 21:25

Hi Glen,


On any of the desktops (which is getting an IP address from the rogue server), get the DHCP server IP address with "ipconfig -all".

Then check the MAC address table in the router/switch to find out its MAC address and the port where it is connected.


Maybe I am trying to oversimplify it, but let's see if this can help...


rgds

foxbatreco Wed, 09/12/2007 - 22:30

Hi..


As far as I understand from your question, you basically need to track down a rogue DHCP server handing out invalid IPs to users, thus making the network unusable, right?? Do correct me if I am wrong.

So, going by this, what you can do is, from one of the affected PCs, try to find the MAC of the rogue server by using the arp -a command, because that server would be responding to ARP requests while dishing out invalid pool IPs.

Then check on the related router/switch to track the interface and subnet it resides on.

This is the simplest way to track these rogue guys.

Hope it helps.

Please do rate as it helps us to give more valued output to all.
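As an added example (not code from this thread or from Cisco), the procedure the two replies above describe, carried through in Python: take the DHCP server address from the affected client's "ipconfig /all", resolve it to a MAC with "arp -a", then find that MAC in the access switch's "show mac address-table" to get the VLAN and port. All three sample outputs, the addresses in them, and the function names are constructed for this example. The one detail the replies skip that bites in practice is handled here: Windows prints MACs as 00-11-22-aa-bb-cc while IOS prints 0011.22aa.bbcc, so both are normalized before comparing. The example also flags the case where the matched port carries several MACs, which usually means it is an uplink and the lookup has to be repeated on the neighbouring switch.

```python
"""Correlate client-side evidence (ipconfig /all, arp -a) with a Cisco CAM table
to find the switch port behind a rogue DHCP server.

Added example, not code from the thread. Every sample output below is
constructed, not captured from a real network.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed "ipconfig /all" output from a client that took a 192.168.x lease.
IPCONFIG_OUTPUT = """
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Constructed "arp -a" output from the same client (Windows format).
ARP_OUTPUT = """
Interface: 192.168.1.57 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-cc     dynamic
  192.168.1.200         00-21-70-11-22-33     dynamic
"""

# Constructed "show mac address-table" output from the access switch.
MAC_TABLE_OUTPUT = """
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.22aa.bbcc    DYNAMIC     Fa0/12
  10    0021.7011.2233    DYNAMIC     Fa0/7
  10    0019.e8aa.bbcc    DYNAMIC     Gi0/1
  10    0019.e8aa.bbdd    DYNAMIC     Gi0/1
"""


def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation (00-11-22-aa-bb-cc, 0011.22aa.bbcc, ...) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def dhcp_server_ip(ipconfig_text: str) -> str | None:
    """Pull the 'DHCP Server' address out of Windows 'ipconfig /all' output."""
    m = re.search(r"^\s*DHCP Server[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", ipconfig_text, re.M)
    return m.group(1) if m else None


def arp_lookup(arp_text: str, ip: str) -> str | None:
    """Resolve an IP to its (normalized) MAC from Windows 'arp -a' output."""
    row = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+\w+", re.M | re.I)
    for m in row.finditer(arp_text):
        if m.group(1) == ip:
            return normalize_mac(m.group(2))
    return None


def parse_mac_table(table_text: str) -> list[tuple[str, str, str]]:
    """Return (vlan, normalized_mac, port) rows from 'show mac address-table' output."""
    row = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)
    rows = []
    for line in table_text.splitlines():
        m = row.match(line)
        if m:
            rows.append((m.group(1), normalize_mac(m.group(2)), m.group(3)))
    return rows


def locate_rogue(ipconfig_text: str, arp_text: str, table_text: str) -> dict | None:
    """Chain the three lookups. Returns None if the client has no usable evidence."""
    ip = dhcp_server_ip(ipconfig_text)
    mac = arp_lookup(arp_text, ip) if ip else None
    if mac is None:
        return None
    rows = parse_mac_table(table_text)
    hit = next((r for r in rows if r[1] == mac), None)
    if hit is None:
        # MAC not learned on this switch: look on the next switch toward the client.
        return {"ip": ip, "mac": mac, "vlan": None, "port": None,
                "macs_on_port": 0, "likely_uplink": False}
    vlan, _, port = hit
    macs_on_port = Counter(r[2] for r in rows)[port]
    # A port with many learned MACs is almost certainly a trunk/uplink, so
    # repeat the lookup on the neighbouring switch (cdp/lldp neighbor) instead
    # of shutting that port.
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port,
            "macs_on_port": macs_on_port, "likely_uplink": macs_on_port > 1}


if __name__ == "__main__":
    print(locate_rogue(IPCONFIG_OUTPUT, ARP_OUTPUT, MAC_TABLE_OUTPUT))
```

Run against the constructed samples, the rogue MAC is found alone on Fa0/12 in VLAN 10, so that is the port to walk to. If the same MAC had shown up on Gi0/1, which carries several addresses, the "likely_uplink" flag would be set and the right move is to run the same "show mac address-table" on the switch behind that uplink rather than acting on the port itself.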
