Cisco Support Community

How to protect from a unauthorized SOHO router?

Hi

If it's possible, how do you protect against or block an unauthorized DHCP SOHO router with NAT from a Cisco 3750?

Thanks

Kasper

17 REPLIES
How to protect from a unauthorized SOHO router?

Hi,

can you explain exactly what you want to do and post a diagram.

Regards.

Alain

Don't forget to rate helpful posts.

Re: How to protect from a unauthorized SOHO router?

Our network is open with no user logins; we protect the switches from faultily configured hosts and rogue servers. But we can't figure out how to protect from an unauthorized non-Cisco router.

ip dhcp snooping vlan 615
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-binding
ip dhcp snooping
ip arp inspection vlan 615
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
!
errdisable recovery cause all
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan 615
!
interface range FastEthernet1/0/1 - 24
 description ***HOST-ACCESS***
 switchport access vlan 615
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 1
 ip arp inspection limit rate 100
 priority-queue out
 storm-control broadcast level pps 5k 2k
 storm-control multicast level pps 5k 2k
 storm-control action shutdown
!

Re: How to protect from a unauthorized SOHO router?

Hi,

I think you should create an extended IP ACL to permit established traffic that was initiated from your network and block all traffic from outside.

Another solution is to use the source and destination MAC addresses in an ACL to block inbound traffic on the port that the SOHO connects to.

Maybe this will help

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/swacl.html#wp1715468

Eugen

How to protect from a unauthorized SOHO router?

Hi Eugen

It looks promising, I see the idea. Could I perhaps get some configuration examples from you based on my diagram?

Thank you very much

Regards

Kasper

Re: How to protect from a unauthorized SOHO router?

Hi Kasper,

There are many ways to do this:

1. Give SOHO a static IP address and all the settings it gets from the DHCP server.

2. Set up a MAC filtering list on the 3750 (replace ________ with the MAC address of the SOHO interface; the permit statement is optional, and if the SOHO MAC changes, access will be permitted again):

     mac access-list extended filterSOHO
      deny host ________ any
      permit any any

   On the 3750 interface connected to SOHO enter

     mac access-group filterSOHO in

Second option:

1. Give SOHO a static IP address and all settings it gets from the DHCP server (if not, just add a permit statement to the ACL for DHCP traffic).

2. Create an extended ACL (the second line is optional, if you still want SOHO to get DHCP settings from the server):

     access-list 110 permit tcp host 172.16.0.51 any established
     access-list 110 permit udp host 172.16.0.51 host 172.16.0.1 eq bootps
     access-list 110 deny ip host 172.16.0.51 any

   On the 3750 interface connected to SOHO enter

     ip access-group 110 in

If this helps mark it as answered

How to protect from a unauthorized SOHO router?

But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router, then you can't see from the switch if it's a computer or a router with a new subnet behind it.

Re: How to protect from a unauthorized SOHO router?

But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router,

You want to protect your network from someone who might stick an unauthorized router into your LAN switch? Try AUTOSMARTPORT.

Re: How to protect from a unauthorized SOHO router?

Then you should put that port on your 3750 into a dead-end VLAN, a VLAN that you don't use inside your network.

Hope this helps

Eugen

Re: How to protect from a unauthorized SOHO router?

leolaohoo wrote:

But what if I don't know the address of the SOHO router? If someone just plugs in an HP SOHO router,

You want to protect your network from someone who might stick an unauthorized router into your LAN switch? Try AUTOSMARTPORT.

That's exactly what I mean. You never know where they are and what IP address they have, because the hidden router looks just like an ordinary computer. But there must be another workaround to solve the issue? The mentioned "Autosmartport" does not seem to work on a 3750, only 3750X and greater.

Re: How to protect from a unauthorized SOHO router?

"Autosmartport" does not seem to work on a 3750, only 3750X and greater.

Yes it does. What IOS is your 3750? Autosmartport has been in since IOS version 12.2(50)SE. If you want to upgrade your 3750 to this version, I'd personally recommend you to try out IOS version 12.2(55)SE4 instead.

Re: How to protect from a unauthorized SOHO router?

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If you want to preclude the SOHO router from joining your network as a router, there are multiple methods, but if you're trying to block a router that appears as a single IP (host) to your network, it takes some work. The most effective method appears to be tunnel authentication between a host and the edge port; next most effective is edge port authentication to host (wired version of 802.1x); next might be known MAC per port. In theory, you might also be able to "fingerprint" the NIC/OS by its behavior (i.e. a NAT SOHO might "look" just a little different from your real PCs).

This is a similar problem to SOHO wireless APs, although with those you might detect them or their downstream clients on the RF side.
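As an added illustration of the "fingerprint by behavior" idea in the post above (example code, not from this thread or from Cisco): packets that have passed through a NAT router arrive with the sender's initial TTL decremented by one, and more than one OS stack may speak from behind the same MAC. The script groups constructed flow records per source MAC and flags those showing either sign; the MACs, IPs and the os_hint field are made up for the example.

```python
from collections import defaultdict

# Typical initial TTLs: Linux/macOS 64, Windows 128, network gear 255.
INITIAL_TTLS = (64, 128, 255)

# Constructed flow records, not captured traffic: (src_mac, src_ip, ttl, os_hint).
# os_hint stands in for a passive OS fingerprint (e.g. from TCP option order).
SAMPLE = [
    ("0011.2233.4455", "172.16.0.10", 128, "windows"),  # PC directly on the port
    ("0011.2233.4455", "172.16.0.10", 128, "windows"),
    ("0011.2233.6677", "172.16.0.51", 127, "windows"),  # TTL 128-1: crossed a router
    ("0011.2233.6677", "172.16.0.51", 63, "linux"),     # second OS behind the same MAC
    ("0011.2233.6677", "172.16.0.51", 127, "windows"),
    ("0011.2233.8899", "172.16.0.12", 64, "linux"),     # Linux host directly on the port
]


def ttl_hops(ttl):
    """Hops from the nearest plausible initial TTL; 0 means directly attached."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None


def analyse(records):
    """Group records by source MAC and return {mac: [reasons]} for suspects."""
    per_mac = defaultdict(lambda: {"hops": set(), "os": set()})
    for mac, _ip, ttl, os_hint in records:
        per_mac[mac]["hops"].add(ttl_hops(ttl))
        per_mac[mac]["os"].add(os_hint)
    findings = {}
    for mac, seen in per_mac.items():
        reasons = []
        if any(h for h in seen["hops"]):   # some packets were forwarded by a router
            reasons.append("ttl_decremented")
        if len(seen["os"]) > 1:            # several stacks speak from one MAC
            reasons.append("multiple_os")
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in analyse(SAMPLE).items():
        print(f"{mac}: {', '.join(reasons)}")
```

A PC running a hypervisor with NAT networking produces the same signature, so treat a hit as a lead for which port to inspect (show mac address-table, show ip dhcp snooping binding), not as proof.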

How to protect from a unauthorized SOHO router?

JosephDoherty wrote:

If you want to preclude the SOHO router from joining your network as a router, there are multiple methods, but if you're trying to block a router that appears as a single IP (host) to your network, it takes some work. The most effective method appears to be tunnel authentication between a host and the edge port; next most effective is edge port authentication to host (wired version of 802.1x); next might be known MAC per port. In theory, you might also be able to "fingerprint" the NIC/OS by its behavior (i.e. a NAT SOHO might "look" just a little different from your real PCs).

This is a similar problem to SOHO wireless APs, although with those you might detect them or their downstream clients on the RF side.

As you say I'm trying to block a router that appears as a single IP but also as a single MAC. Can you please give me some more details on the tunnel or port authentication method?

Re: How to protect from a unauthorized SOHO router?

Combat Support Wing ESKseksfemten wrote:

As you say I'm trying to block a router that appears as a single IP but also as a single MAC. Can you please give me some more details on the tunnel or port authentication method?

Actually, I'm not sure Cisco supports the tunnel method, but they do support (on some devices) wired 802.1x.

You might start with: http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html for Cisco solutions to this issue.

How to protect from a unauthorized SOHO router?

First you identify your actual DHCP server port and apply "ip dhcp snooping trust":

interface GigabitEthernet1/0/1
 description My DHCP Server
 ip dhcp snooping trust

And then apply this command in global config mode:

ip dhcp snooping

This should take care of your problem.

thanks

Rizwan Rafeek

How to protect from a unauthorized SOHO router?

rizwanr74 wrote:

First you identify your actual DHCP server port and apply "ip dhcp snooping trust":

interface GigabitEthernet1/0/1
 description My DHCP Server
 ip dhcp snooping trust

And then apply this command in global config mode:

ip dhcp snooping

This should take care of your problem.

thanks

Rizwan Rafeek

I think you should read the thread again; the snooping commands have nothing to do with this issue, because the problem lies on the other side of a hidden object.

Re: How to protect from a unauthorized SOHO router?

So I was recently asked about this and it appears there are not many solid answers to this question, so let me tell you how I see this issue. You have a couple of options. First of all you can statically configure MAC addresses or have them dynamically learned (sticky) for a particular switch or closet. In most corporate networks this would not solve your issue as you're looking to dynamically spot a router, which is layer 3. For all intents and purposes it is a host on the network. If this poses a great risk to your organization you can always adopt 802.1x, which can add an additional form of authentication (MAC + user/password) for any device trying to access the network, and so far as I know not many home routers could support this. You could also opt to use device certificates, TrustSec, etc., but obviously there is a cost to these things.

So to answer your question, there is no way that port security "by itself" can prevent this.
