How to protect from an unauthorized SOHO router?

Hi

If it's possible, how do you protect/block an unauthorized DHCP SOHO router with NAT from a Cisco 3750?

Thanks

Kasper

17 Replies

cadet alain
VIP Alumni

Hi,

Can you explain exactly what you want to do and post a diagram?

Regards.

Alain

Don't forget to rate helpful posts.

Our network is open with no user logins; we protect the switches from faultily configured hosts and rogue servers. But we can't figure out how to protect from an unauthorized non-Cisco router.

ip dhcp snooping vlan 615
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-binding
ip dhcp snooping
ip arp inspection vlan 615
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
!
errdisable recovery cause all
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan 615
!
interface range FastEthernet1/0/1 -24
 description ***HOST-ACCESS***
 switchport access vlan 615
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 1
 ip arp inspection limit rate 100
 priority-queue out
 storm-control broadcast level pps 5k 2k
 storm-control multicast level pps 5k 2k
 storm-control action shutdown
!

Hi,

I think you should create an extended IP ACL to permit established traffic that was initiated from your network and block all traffic from outside.

Another solution is to use the source and destination MAC addresses in an ACL to block inbound traffic on the port that the SOHO router connects to.

Maybe this will help

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/swacl.html#wp1715468

Eugen

Hi Eugen

It looks promising, I see the idea. Could I perhaps get some configuration examples from you based on my diagram?

Thank you very much

Regards

Kasper

Hi Kasper,

There are many ways to do this:

1. Give SOHO a static IP address and all the settings it gets from the DHCP server.

2. Set up a MAC filtering list on the 3750:

     mac access-list extended filterSOHO
      deny host ________ any          (MAC address of SOHO interface)
      permit any any                  (this statement is optional; if the SOHO MAC changes, the access will be permitted again)

   On the 3750 interface connected to SOHO enter

     mac access-group filterSOHO in

Second option:

1. Give SOHO a static IP address and all settings it gets from the DHCP server (if not, just add a permit statement to the ACL for DHCP traffic).

2. Create an extended ACL

     access-list 110 permit tcp host 172.16.0.51 any established
     access-list 110 permit udp host 172.16.0.51 host 172.16.0.1 eq bootps   (optional, if you still want SOHO to get DHCP settings from the server)
     access-list 110 deny ip host 172.16.0.51 any

   On the 3750 interface connected to SOHO enter

     ip access-group 110 in

If this helps, mark it as answered.

But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router, then you can't see from the switch if it's a computer or a router with a new subnet behind it?

But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router,

You want to protect your network from someone who might stick an unauthorized router into your LAN switch? Try AUTOSMARTPORT.

Then you should put that port on your 3750 into a dead-end VLAN, a VLAN that you don't use inside your network.

Hope this helps

Eugen

leolaohoo wrote:

But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router,

You want to protect your network from someone who might stick an unauthorized router into your LAN switch? Try AUTOSMARTPORT.

That's exactly what I mean. You never know where they are or what IP address they have, because the hidden router looks just like an ordinary computer. But there must be another workaround to solve the issue? The mentioned "Autosmartport" does not seem to work on a 3750, only on the 3750X and greater.

 "Autosmartport" does not seem to work on a 3750 only 3750X and greater.

Yes it does.  What IOS is your 3750?  Autosmartport has been in since IOS version 12.2(50)SE.  If you want to upgrade your 3750 to this version, I'd personally recommend you to try out IOS version 12.2(55)SE4 instead.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting


If you want to preclude the SOHO router from joining your network as a router, there are multiple methods, but if you're trying to block a router that appears as a single IP (host) to your network, it takes some work. The most effective method appears to be tunnel authentication between a host and the edge port; next most effective is edge port authentication to host (wired version of 802.1x); next might be known MAC per port. In theory, you might also be able to "fingerprint" the NIC/OS by its behavior (i.e. a NAT SOHO might "look" just a little different from your real PCs).

This is a similar problem to SOHO wireless APs, although with those you might detect them or their downstream clients on the RF side.

JosephDoherty wrote:

If you want to preclude the SOHO router from joining your network as a router, there are multiple methods, but if you're trying to block a router that appears as a single IP (host) to your network, it takes some work. The most effective method appears to be tunnel authentication between a host and the edge port; next most effective is edge port authentication to host (wired version of 802.1x); next might be known MAC per port. In theory, you might also be able to "fingerprint" the NIC/OS by its behavior (i.e. a NAT SOHO might "look" just a little different from your real PCs).

This is a similar problem to SOHO wireless APs, although with those you might detect them or their downstream clients on the RF side.

As you say I'm trying to block a router that appears as a single IP but also as a single MAC. Can you please give me some more details on the tunnel or port authentication method?

Combat Support Wing ESKseksfemten wrote:

As you say I'm trying to block a router that appears as a single IP but also as a single MAC. Can you please give me some more details on the tunnel or port authentication method?

Actually, not sure Cisco supports the tunnel method, but they do support (on some devices) wired 802.1x.

You might start with: http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html for Cisco solutions to this issue.
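Putting the wired 802.1X approach Joseph points to together with Eugen's dead-end VLAN idea, here is a Catalyst 3750 configuration sketch for IOS 12.2(50)SE or later (the release leolaohoo names above; the `authentication` command family used here belongs to that generation of IOS). This is an added example, not configuration from any poster in this thread or from Cisco's documentation. The RADIUS server address 172.16.0.10, the shared-secret placeholder, VLAN 999 as the dead-end VLAN and the interface range are assumptions. The point for this thread: a SOHO router has no 802.1X supplicant, so it never answers the switch's EAP requests and is parked in VLAN 999, where it reaches nothing, while managed PCs (which need a supplicant configured) authenticate against RADIUS and land in VLAN 615.

```cisco
! --- Added example (not from any post in this thread): wired 802.1X on a 3750 ---
! Assumptions: RADIUS server at 172.16.0.10 (hypothetical), shared secret is a
! placeholder, VLAN 999 is an unused dead-end VLAN, hosts live in VLAN 615.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 172.16.0.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! Turn on 802.1X globally; without this the per-port commands do nothing.
dot1x system-auth-control
!
vlan 615
 name HOST-ACCESS
vlan 999
 name DEAD-END
!
! Nothing is routed for or trunked to VLAN 999, so anything placed there
! (a SOHO router that never answers EAP) can talk only to itself.
!
interface range FastEthernet1/0/1 - 24
 description ***HOST-ACCESS (802.1X)***
 switchport mode access
 switchport access vlan 615
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Require authentication before any frame other than EAPOL is forwarded.
 authentication port-control auto
 authentication order dot1x
 ! One authenticated MAC per port; a second MAC is a violation.
 authentication host-mode single-host
 authentication violation restrict
 ! No supplicant replies (SOHO router, printer, unmanaged device):
 ! park the port in the dead-end VLAN instead of leaving it open.
 authentication event no-response action authorize vlan 999
 ! Credentials rejected by RADIUS: same dead end.
 authentication event fail action authorize vlan 999
 ! Re-check periodically so a device swapped in later is re-evaluated.
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Verification: which ports hold a session, and in which VLAN they ended up.
! show authentication sessions
! show authentication sessions interface FastEthernet1/0/1
! show dot1x all summary
```

Two caveats worth keeping in mind. `single-host` limits each port to one MAC, which does not by itself expose a NAT router (it also shows a single MAC, as Kasper notes); what catches it is the missing supplicant, which lands it in VLAN 999. And because this network currently has no user logins, the PCs would normally be set up for machine authentication (a machine account or machine certificate in the supplicant) so that users notice nothing. The existing DHCP snooping and DAI configuration stays in place alongside this; 802.1X does not replace it.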

rizwanr74
Level 7

First you identify your actual DHCP server port and apply "ip dhcp snooping trust":

interface GigabitEthernet1/0/1
 description My DHCP Server
 ip dhcp snooping trust

And then apply this command in global config mode:

ip dhcp snooping

This should take care of your problem.

thanks

Rizwan Rafeek
