Rogue DHCP Server

Create Date: Mar 26 2012 9:36AM

What is the best way to track down a rogue DHCP server in an Extreme switch environment? I've done it many times in a Cisco environment by assigning a secondary IP to a router interface, pinging the bad default gateway, and then digging through the MAC address tables on each switch to find the connected port. The problem I'm having is that I can't successfully ping the gateway address from a host that received the bad IP assignment. As a result I cannot find the server. I believe that the server may be built into some automation software that one team runs, but I'm having a hard time verifying that.

Also, what is the syntax to enable DHCP snooping on an Extreme switch?

-NB

(from N_B)
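When the bad gateway cannot be pinged, the DHCPOFFER frame itself still carries what is needed to locate the server: its Ethernet source address, which can then be looked up in each switch's forwarding database to find the port. The script below is an added example, not part of the original thread, that decodes captured Ethernet frames (with or without an 802.1Q tag), picks out server-originated DHCPOFFERs, and flags any whose server identifier (option 54) is outside an assumed allowlist, reporting the MAC, VLAN, offered address and router option. The allowlist, MAC addresses, IPs and sample frames are all constructed for the demonstration; in practice you would feed it raw frames from a capture taken on the affected VLAN.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie preceding the options field


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class DhcpOffer:
    src_mac: str            # Ethernet source: the address to look up in the switch FDB
    vlan: Optional[int]     # 802.1Q VLAN id if the frame was tagged
    server_id: str          # option 54, or the IP source address if the option is absent
    offered_ip: str         # yiaddr
    router: Optional[str]   # option 3: the default gateway the client would end up with


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Decode DHCP TLV options; PAD (0) is skipped, END (255) terminates."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp_offer(frame: bytes) -> Optional[DhcpOffer]:
    """Return a DhcpOffer for a server-to-client DHCPOFFER frame, else None."""
    try:
        src_mac = fmt_mac(frame[6:12])
        (ethertype,) = struct.unpack("!H", frame[12:14])
        off, vlan = 14, None
        if ethertype == 0x8100:                      # 802.1Q tag present
            tci, ethertype = struct.unpack("!HH", frame[14:18])
            vlan, off = tci & 0x0FFF, 18
        if ethertype != 0x0800:                      # not IPv4
            return None
        ihl = (frame[off] & 0x0F) * 4
        if frame[off + 9] != 17:                     # not UDP
            return None
        ip_src = fmt_ip(frame[off + 12:off + 16])
        udp = off + ihl
        sport, _dport = struct.unpack("!HH", frame[udp:udp + 4])
        if sport != 67:                              # only traffic sent by a DHCP server
            return None
        bootp = udp + 8
        if frame[bootp] != 2:                        # op must be BOOTREPLY
            return None
        if frame[bootp + 236:bootp + 240] != DHCP_MAGIC:
            return None
        opts = parse_options(frame[bootp + 240:])
        if opts.get(53) != b"\x02":                  # message type 2 = DHCPOFFER
            return None
        return DhcpOffer(
            src_mac=src_mac,
            vlan=vlan,
            server_id=fmt_ip(opts[54]) if 54 in opts else ip_src,
            offered_ip=fmt_ip(frame[bootp + 16:bootp + 20]),
            router=fmt_ip(opts[3][:4]) if 3 in opts else None,
        )
    except (struct.error, IndexError):               # truncated or malformed frame
        return None


def audit_offers(frames: Iterable[bytes], trusted: set) -> List[DhcpOffer]:
    """Offers whose server identifier is not in the trusted set."""
    return [o for o in (parse_dhcp_offer(f) for f in frames) if o and o.server_id not in trusted]


def build_offer_frame(src_mac: str, vlan: Optional[int], server_ip: str, yiaddr: str, router: str) -> bytes:
    """Constructed test fixture: a minimal DHCPOFFER frame (IP/UDP checksums left zero)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    opts = bytes([53, 1, 2, 54, 4]) + ip_bytes(server_ip) + bytes([3, 4]) + ip_bytes(router) + b"\xff"
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
             + ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes(server_ip) + ip_bytes("0.0.0.0")
             + bytes(16 + 64 + 128) + DHCP_MAGIC + opts)   # chaddr, sname, file, cookie, options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(server_ip), ip_bytes("255.255.255.255"))
    return eth + ip + udp


TRUSTED_DHCP_SERVERS = {"10.0.0.2"}                  # assumed allowlist of legitimate servers
SAMPLE_FRAMES = [                                    # constructed samples, not captured traffic
    build_offer_frame("00:aa:bb:cc:dd:01", 10, "10.0.0.2", "10.0.0.50", "10.0.0.1"),
    build_offer_frame("00:11:22:33:44:55", 10, "192.168.1.1", "192.168.1.50", "192.168.1.1"),
    bytes(60),                                       # non-IPv4 frame, ignored by the parser
]

if __name__ == "__main__":
    for o in audit_offers(SAMPLE_FRAMES, TRUSTED_DHCP_SERVERS):
        print(f"rogue DHCP server {o.server_id} (MAC {o.src_mac}, VLAN {o.vlan}) "
              f"offered {o.offered_ip} with gateway {o.router}")
```

The reported MAC is the piece the original ping-based method was trying to obtain; once known, the forwarding-database lookup on each switch proceeds exactly as described in the question.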
Create Date: Mar 26 2012 11:16AM

By default DHCP snooping is disabled on the switch. To enable DHCP snooping on the switch, use the following command:

enable ip-security dhcp-snooping {vlan} <vlan_name> ports [all | <ports>] violation-action [drop-packet {[block-mac | block-port] [duration <duration_in_seconds> | permanently] | none]}] {snmp-trap}

(from Arpit_Bhatt)
Create Date: Mar 26 2012 11:19AM

Configure a Trusted DHCP server and the switch will only forward packets from the Trusted server. Go through "DHCP Snooping and Trusted DHCP Server" in the concepts guide and that should help you.

Let me know if that works for you.

(from Arpit_Bhatt)
Create Date: Mar 26 2012 11:25AM

Once DHCP snooping and a trusted server are enabled you can use the command show ip-security dhcp-snooping violations to see where the rogue DHCP packet was received.

(from Paul_Russo)
Johan Hendrikx

You can also create an alarm in Netsight:

Add this section to trapd.conf and create the alarm.

EVENT extremeIpSecurityViolation .1.3.6.1.4.1.1916.1.34.1.0.1 "Status Alarms" Critical
FORMAT Rogue DHCP server on vlan $2
SDESC
"IP Security Violation"
EDESC
