Create ACL for DHCP Server

jdonahue111 (Level 1)

After repeated calls from users complaining about duplicate IP address messages, we set out to find the rogue DHCP server that is giving out IP addresses in the same scope that our Windows DHCP server is configured to hand out (172.16.1.1 to 172.16.7.254), using a Microsoft-approved utility called DHCPFind to locate the rogue DHCP server. The utility shows both our DHCP server (172.16.1.1) and another device with IP address 72.67.46.108 responding to DHCP requests from our inside clients, offering IP addresses in the same IP range. Note that the device is giving out addresses in the 172.16.1.1 to 172.16.1.255 range as well, despite the fact that this range is excluded and reserved for static IP address assignments. This is causing issues with internet access from servers that have static addresses when a duplicate address is handed out by the rogue DHCP device. If there is a way to block that IP address from getting and responding to the clients requesting IP addresses, we could focus on finding where the rogue device is plugged in. It could be a port on one of the 22 switches, or it could be connected wirelessly to any of the 74 APs we have that are giving out addresses from our Windows DHCP server. We are puzzled over how a device with that address, 72.67.46.108, could intercept DHCP requests in the first place. Could the rogue device's IP address be used as an alias for an IP address it was given by our DHCP server when it connected? We thought Windows policy restrictions would keep Windows clients from accepting DHCP addresses from anything but the Windows DHCP server, but that doesn't matter. The rogue device is handing out IP addresses to iPhones, Android phones, MacBooks, iPads, and Windows workstations.
Our efforts would be focused on finding and eliminating the device, but we just deployed the new Cisco 4500 core switches and the 3650, 3560, and 2950 switches scattered throughout 14 buildings last year, and we unexpectedly lost our Cisco guru to illness and have just begun to advertise the open position on Monday. So we are basically beginners with Cisco IOS commands, and current staff have had limited training using FireSIGHT and can only do specific tasks using ASDM. If anyone has any ideas or can give us some direction on blocking this device, or even suggestions on how we can find where it is on the network, it would be greatly appreciated. Thanks in advance. I have attached the information that the DHCPFind utility revealed.

3 Replies

Milos Megis (Level 3)

Hi,
try using the DHCP snooping feature. It should solve your issue without the need to find the rogue DHCP server.
Only your DHCP server will be on a trusted port, and replies from the rogue DHCP server (on an untrusted port) will be dropped.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html

I tried following the instructions from the link to enable DHCP snooping; however, after typing "config t" I got to the "Switch(config)#" prompt, but none of the other commands were recognized. For example, "show running-config dhcp" was flagged as incorrect syntax (the "^" marker pointed into "show running-config dhcp"), and "feature dhcp" was likewise flagged as incorrect at "feature dhcp".

I used PuTTY to access the switch. What am I doing wrong, or is it something that doesn't work with a Catalyst 4500 core or an ASA 5505 firewall?

Sorry, this is a good configuration example:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Also, if you are in the "Switch(config)#" dialog, you must enter the "do" command before any "show" command.
And you don't need the "feature dhcp..." command. You enable it with the "ip dhcp snooping" command, but additional configuration is then required for it to work properly.
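As an added example (not from the thread or from Cisco's guide), here is a minimal IOS DHCP snooping configuration for a Catalyst access switch in the setup the original poster described; the VLAN number, interface names and rate limit are assumptions:

```text
! Added example, not from the thread or from Cisco's documentation.
! Assumed topology: client VLAN 10 carries the 172.16.1.1-172.16.7.254 scope,
! the Windows DHCP server 172.16.1.1 is reached via uplink Gi1/0/1, and
! clients sit on Gi1/0/2 - 48. Interface names follow 3650-style numbering.
! Repeat on every access switch; each switch's trunk toward the core is its
! trusted uplink.
!
! 1. Enable snooping globally, then on the client VLAN(s).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Snooping inserts relay-agent information (option 82) by default. If the
!    DHCP server does not understand it, offers can be lost; turning it off
!    is the usual fix.
no ip dhcp snooping information option
!
! 3. Only the path toward the real DHCP server is trusted. DHCPOFFER/DHCPACK
!    arriving on any other port is dropped, which silences the rogue without
!    first having to locate it.
interface GigabitEthernet1/0/1
 description Uplink toward 172.16.1.1 (Windows DHCP)
 ip dhcp snooping trust
!
! 4. Client ports stay untrusted (the default). A rate limit stops a host
!    from flooding DHCP; err-disable recovery re-enables a port that trips it.
interface range GigabitEthernet1/0/2 - 48
 ip dhcp snooping limit rate 15
exit
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! 5. Verification ("do" runs show commands from config mode). The binding
!    table lists MAC, IP, VLAN and port for every legitimate lease. A server
!    reply dropped on an untrusted port is logged on the switch that owns
!    that port and names the interface, which points at where the rogue (or
!    the AP it is behind) is plugged in:
!    %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop
!    message on untrusted port, message type: DHCPOFFER, MAC sa: ...
do show ip dhcp snooping
do show ip dhcp snooping binding
do show logging | include DHCP_SNOOPING
```

Snooping is a switch feature, so it belongs on the Catalyst access and core switches, not on the ASA 5505.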
