tracking down rogue dhcp servers

glen.grant
VIP Alumni

Using the tools available on any Cisco router or L3 switch, what is the best way to track down someone who has stuck a nice home router on the network and it is handing out those nice 192.168. addresses to everyone on that subnet? Any good commands or tools to track this down? I tried looking at the MAC tables and looking for MAC addresses that would point to a maker like Netgear or Linksys or D-Link but found nothing.


hagirebench
Level 1

You could use the DHCP snooping command for the switch. This way the rogue DHCP server port will shut down if it is not configured as a trusted port.

below is the explanation for DHCP Snooping:

DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages while untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP Option 82, where switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

Untrusted ports are those not explicitly configured as trusted. A DHCP Binding Table is built for untrusted ports. Each entry contains client MAC address, IP address, lease time, binding type, VLAN number and Port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP Snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOffer, DHCPAck, or DHCPNak.

Commands:

Switch(config)#ip dhcp snooping

-enables DHCP snooping globally

Switch(config-if)#ip dhcp snooping trust

-configures an interface as trusted

rgds,

ben

Yeah, I know you can use that to prevent it, but we don't have that implemented and I'm just looking for any input on how to find one that is currently on the air short of using a sniffer.

Hi Glen,

On any of the desktops (which is getting an IP address from the rogue server), get the DHCP server IP address with "ipconfig -all".

Then check the MAC address table in the router/switch to find out its MAC address and the port where it is connected.

Maybe I am trying to oversimplify it, but let's see if this can help...

rgds

foxbatreco
Level 3

Hi..

As far as I understand from your question, you basically need to track down a rogue DHCP server handing out invalid IPs to users, thus making the network unusable, right? Do correct me if I am wrong.

So, going by this, what you can do is, from one of the affected PCs, try to find the MAC of the rogue server by using the arp -a command, because that server would be responding to ARP requests while dishing out invalid pool IPs.

Then check on the related router/switch to track the interface and subnet it resides on.

This is the simplest way to track these rogue guys.

Hope it helps.

Please do rate as it helps us to give more valued output to all.
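A worked version of the ipconfig / arp approach from the last two replies, added here as an example and not code from the thread. It parses constructed sample output of "ipconfig /all" and "arp -a" from an affected PC, flags any DHCP server that is not in an assumed list of sanctioned servers, resolves its MAC through the ARP cache, and builds the IOS lookup command for the switch MAC table.

```python
import re

# Constructed sample output of "ipconfig /all" on a PC that took a rogue lease
IPCONFIG_SAMPLE = """
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample output of "arp -a" on the same PC
ARP_SAMPLE = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.50          00-aa-bb-cc-dd-02     dynamic
"""

# Assumption: the site's real DHCP server(s); anything else is a rogue
LEGIT_DHCP_SERVERS = {"10.0.0.5"}

def dhcp_servers(ipconfig_text):
    """Return every 'DHCP Server' address listed in ipconfig /all output."""
    return re.findall(r"DHCP Server[ .]*: *(\d+\.\d+\.\d+\.\d+)", ipconfig_text)

def arp_mac(arp_text, ip):
    """Look up an IP in arp -a output; return its MAC (lowercase) or None."""
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            return parts[1].lower()
    return None

def cisco_mac(mac):
    """Convert aa-bb-cc-dd-ee-ff / aa:bb:... into IOS dotted form aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def find_rogue(ipconfig_text, arp_text, legit=LEGIT_DHCP_SERVERS):
    """Correlate the two outputs into rogue server IP, MAC and the switch lookup."""
    rogues = []
    for server in dhcp_servers(ipconfig_text):
        if server in legit:
            continue
        mac = arp_mac(arp_text, server)
        cmd = f"show mac address-table address {cisco_mac(mac)}" if mac else None
        rogues.append({"ip": server, "mac": mac, "lookup": cmd})
    return rogues
```

Run the printed lookup on the access switch; the interface it returns is where the home router is plugged in. If the rogue's IP is not in the ARP cache yet, ping it first from the affected PC so the entry is populated.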
