DHCP rogue server

Unanswered Question
Jun 24th, 2009

I am trying to find a DHCP rogue server on a 3750. I suspect that the device is connected to one of a couple of switch stacks. I tried to use the DHCP snooping option but I can't see the table being built. I don't run DHCP pools on the switches; I use an ip helper pointing at the DHCP server IP address on the cores. I have enabled it only on the access switches. The following are the commands used:

conf t
ip dhcp snooping
ip dhcp snooping vlan X


Please let me know if I am missing anything here. I have an IP Base image on the 3750s; is that the problem?


Overall Rating: 5 (1 ratings)
Giuseppe Larosa Wed, 06/24/2009 - 08:14
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Prakadeesh,


If there are user PCs affected, ask them to open a shell and then have them perform

ipconfig /all

arp -g

then look for the MAC address of the fake GW in the CAM tables of your switches; it has to be on the same VLAN as the affected user.


Be aware that there are also some viruses/worms that turn an infected PC into a DHCP rogue server passing wrong information.


Hope to help

Giuseppe


thotsaphon Wed, 06/24/2009 - 08:34
User Badges:
  • Gold, 750 points or more

Prakadeesh,

You need to add "ip dhcp snooping trust" on the interfaces that DHCP server packets are coming in on. In your case you have to add this command on the uplinks to the core switch (the ip helper is there).

Please check out this link: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swdhcp82.html#wp1058243


Hope I correctly understand your question.

Toshi

glen.grant Thu, 06/25/2009 - 03:26
User Badges:
  • Purple, 4500 points or more

Giuseppe, will have to remember that arp -g trick on a machine that is having a problem. Learn something new every day :-)

Edison Ortiz Wed, 06/24/2009 - 08:35
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

You are missing some other guidelines:

  • If a switch port is connected to a DHCP server or to another switch or router, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.

  • If a switch port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.


HTH,


__


Edison.

prakadeesh Wed, 06/24/2009 - 23:25

Hello all,


Thanks for the reply and guidance. I was about to check the ARP table on the machines, but someone tried an IP renew and the PC picked up a proper DHCP lease. The problem also seems very intermittent. I will try out your guidelines. Just a quick question: is DHCP snooping only present in the Enhanced feature set, or also in IP Base?


prakadeesh Tue, 06/30/2009 - 02:11

Hello Folks,


I have managed to find the DHCP rogue and removed it. Thanks for all your support. I am planning to implement DHCP snooping trusted and untrusted ports on all our edge switches (C3750), but I am a bit concerned about the CPU utilisation on the switch stacks. Please let me know your thoughts on whether it will do more good or harm.


Thanks,

Prakadeesh

Edison Ortiz Tue, 06/30/2009 - 10:57
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

The process runs completely in hardware and it will not affect your CPU.


__


Edison.

prakadeesh Wed, 07/01/2009 - 07:25

Thanks Edison,


That's a relief. I am planning to configure DHCP snooping on all the edge switches, with end-user ports as untrusted and the uplink trunk ports to the core switch as trusted. The DHCP servers are connected to the core switches. Now I have a couple of queries; please help with these:


1. Should the downstream links on the cores that connect to these access switches be configured as trusted too? Does that mean DHCP snooping should be globally enabled on the cores as well?


2. Is a database agent absolutely needed on the access switch? I understand that the agent helps in rebuilding the database after a reload. But if the agent is not present, does that mean that none of the edge ports will be able to get DHCP again?


Please help with this,


Thanks,


Edison Ortiz Wed, 07/01/2009 - 10:33
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

1. Yes and Yes.


2. The snooping database is dynamically created when DHCP snooping is enabled and it captures all the untrusted interface information. You can't have snooping enabled without the binding database.


__


Edison.

prakadeesh Thu, 07/02/2009 - 00:36

Thanks again Edison,


Since I don't want the cores to build up any database, I will just configure DHCP snooping globally and configure the downstream links as trusted. But on the access switches, I will enable DHCP snooping globally, and snooping for all the VLANs, as well as the trusted and untrusted ports. Hope my understanding is clear.


thanks,

Prakadeesh


Edison Ortiz Thu, 07/02/2009 - 05:18
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

Your understanding is not correct.


Enabling DHCP snooping globally will automatically set all switch ports to untrusted mode, hence creating the database to maintain state for those switch ports.


I don't understand the angst about the database; it does not cause any CPU issue.



prakadeesh Mon, 07/06/2009 - 05:14

Thanks Edison,


The only issue I had with the database was that we can't use the NVRAM for that (because we may overrun the free space), so you will have to point the database somewhere else, like a TFTP server. In that case, when the switch reloads, the database is reloaded from the TFTP server, as the NVRAM database could be lost (I assume).


-thanks

deesh
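The configuration the thread converges on (snooping enabled globally and per VLAN, uplinks to the core trusted, end-user ports untrusted, the binding database kept off-box on a TFTP server, and the CAM-table lookup Giuseppe describes for locating the rogue), written out as one added example. This is not configuration posted by anyone in the thread; the VLAN numbers, interface names, TFTP address and the sample MAC address are assumed placeholders.

```cisco
! Added example, not from the thread. VLANs, interfaces, TFTP host and the
! sample MAC are placeholders; substitute your own values.
!
! ---------- Access switch (C3750 stack) ----------
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Catalyst switches insert DHCP option 82 by default once snooping is on.
! If your relay or DHCP server drops option-82 packets that did not come
! from a relay, disable the insertion here.
no ip dhcp snooping information option
! Keep the binding table on a TFTP server (placeholder host) so it survives
! a reload instead of consuming flash/NVRAM.
ip dhcp snooping database tftp://192.0.2.10/access-sw1-snoop.db
ip dhcp snooping database write-delay 60
!
! Uplink toward the core: DHCP OFFER/ACK arrive here, so it must be trusted.
interface GigabitEthernet1/0/49
 description Uplink-to-Core
 switchport mode trunk
 ip dhcp snooping trust
!
! End-user ports: untrusted (the default once snooping is on). The rate limit
! caps DHCP packets per second; exceeding it err-disables the port, which also
! contains a worm-infected PC flooding DHCP.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! ---------- Core switch (Edison's "Yes and Yes") ----------
! Snooping must be on globally for the trust setting to mean anything;
! the ports toward the access switches and toward the DHCP server are trusted.
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface range GigabitEthernet1/1 - 2
 description Downlinks-to-access-stacks
 ip dhcp snooping trust
interface GigabitEthernet1/10
 description DHCP-server
 ip dhcp snooping trust
!
! ---------- Verification / locating a rogue (exec mode) ----------
! show ip dhcp snooping              -> trusted ports, rate limits, option 82 state
! show ip dhcp snooping binding      -> MAC/IP/VLAN/port of every client lease seen
! show mac address-table address 0011.2233.4455
!   -> the port where the MAC reported by "arp -g" on an affected PC lives
```

Once this is in place, a rogue server on an untrusted port can no longer answer clients, because OFFER and ACK messages are only accepted on trusted ports; the binding table and the MAC address table together then tell you on which VLAN and port the offending device sits.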
