814 Views | 0 Helpful | 2 Replies

Looking for a way to detect a rogue DHCP server

rickg
Level 1

I am hoping there is some type of logging on my router I can turn on to send a trap to my NMS so I can be alerted via email or paging. If not thru my router I am open to other solutions.

2 Replies

Erick Bergquist
Level 6

Are you looking for a way to send a trap when a rogue server is present? I don't reliably know of a way to detect a rogue DHCP server placed on the network.

There are ways to only allow DHCP responses from certain IPs. You could add a log keyword to the end of the deny access-list entry to generate log entries on denied packets, which you could forward as a trap or syslog.

You could do this on the router:

access-list 111 permit udp host 1.2.3.4 any eq 68
access-list 111 deny udp any any eq 68
access-list 111 permit ip any any

That only permits DHCP responses from IP 1.2.3.4 and permits all other IP traffic.

The downfall to putting the ACL on the routed interface is it doesn't block someone from putting a DHCP server in on the LAN where the existing DHCP users are.

If you have a Cat 6000 series switch with the right hardware (PFC) you can use VACLs and block it right at the switch. Pretty much the same concept as above. See the URL below for a VACL sample for this:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_4/msfc/acc_list.htm#xtocid1006436
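The reply above suggests denying DHCP server traffic from anything but the known server and logging the denies so the NMS can raise an alert. The following is an added example, not code from the original thread or from Cisco, of the NMS-side half of that: a small Python parser that reads IOS ACL log messages (the "%SEC-6-IPACCESSLOGP" line that the "log" keyword produces) and reports any source that sent UDP to the DHCP client port (68) without being on the authorized-server list. The syslog lines, hostnames and addresses are constructed for the example; the list number 111 and server address 1.2.3.4 are taken from the ACL in the reply. Checking against an allowlist rather than trusting the "denied" keyword alone means a mistyped permit entry still shows up.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the shape IOS uses for an ACL entry that
# carries the "log" keyword. Hostname, sequence numbers and the 10.20.30.x
# addresses are made up; 1.2.3.4 is the legitimate server from the ACL.
SAMPLE_SYSLOG = """\
<190>Jan 12 10:01:03 rtr1 1234: %SEC-6-IPACCESSLOGP: list 111 denied udp 10.20.30.99(67) -> 255.255.255.255(68), 1 packet
<190>Jan 12 10:01:08 rtr1 1235: %SEC-6-IPACCESSLOGP: list 111 permitted udp 1.2.3.4(67) -> 255.255.255.255(68), 4 packets
<190>Jan 12 10:02:15 rtr1 1236: %SEC-6-IPACCESSLOGP: list 111 denied udp 10.20.30.99(67) -> 10.20.30.57(68), 3 packets
<190>Jan 12 10:05:00 rtr1 1237: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Servers that are allowed to answer DHCP clients (assumed allowlist).
AUTHORIZED_DHCP_SERVERS = {"1.2.3.4"}
DHCP_CLIENT_PORT = 68  # bootpc: where DHCPOFFER/ACK are sent

# One regex for the ACL log message; group names mirror the IOS fields.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict of the ACL log fields, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def find_rogue_dhcp_servers(syslog_text, authorized=AUTHORIZED_DHCP_SERVERS, acl="111"):
    """Map each unauthorized source that sent UDP to port 68 to its packet count.

    Every matching line is counted, whether the ACL said "denied" or
    "permitted", so an allowlist mismatch in the ACL itself is also caught.
    """
    rogues = defaultdict(int)
    for line in syslog_text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl or rec["proto"] != "udp":
            continue
        if rec["dport"] != DHCP_CLIENT_PORT or rec["src"] in authorized:
            continue
        rogues[rec["src"]] += rec["count"]
    return dict(rogues)


def format_alerts(rogues):
    """Build one-line alert strings suitable for an email or pager message."""
    return [
        f"ROGUE DHCP: {src} answered DHCP clients ({count} packet(s) logged)"
        for src, count in sorted(rogues.items())
    ]


if __name__ == "__main__":
    for alert in format_alerts(find_rogue_dhcp_servers(SAMPLE_SYSLOG)):
        print(alert)
```

Two operational notes on the router side: IOS rate-limits ACL logging and reports a packet count per interval rather than one message per packet, so the counts above are summaries, not exact totals; and using "log-input" instead of "log" on the deny entry adds the ingress interface and source MAC to the message, which is what you actually need to walk the switch and find the box.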

glen.grant
VIP Alumni

If you know about when this happens you can try and see it via something like debug dhcp; this might tell you something. Obviously if you have a very busy processor I would not do this; if it's low it shouldn't be a problem. How do you know you have a rogue server to begin with? If you have the address it should be pretty easy to track it down.
