Header Only - DO NOT REMOVE - Extreme Networks

Rogue DHCP Server


Userlevel 4
Create Date: Mar 26 2012 9:36AM

What is the best way to track down a rogue DHCP server in an Extreme switch environment. I've done it many times in a Cisco environment, but assigning a secondary IP to a router interface, pinging the bad default gateway, and then digging through the mac-address tables on each switch to find the connected port. The problem I'm having is that I can't successfully ping the gateway address from a host that recieved the bad IP assigment. As a result I cannot find the server. I believe that the server may be built into some automation software that one team runs, but I'm having a hard time verifying that.

Also, what is the syntax to enable DHCP snooping on an extreme switch?

-NB

(from N_B)

4 replies

Userlevel 4
Create Date: Mar 26 2012 11:16AM

By default DHCP snooping is disabled on the switch. To enable DHCP snooping on the switch, use the

following command: enable ip-security dhcp-snooping {vlan} ports [all | ] violationaction[drop-packet {[block-mac | block-port] [duration |permanently] | none]}] {snmp-trap} (from Arpit_Bhatt)
Userlevel 4
Create Date: Mar 26 2012 11:19AM

Configure a Trusted DHCP server and the switch will only forward packets from the Trusted server. Go through "DHCP Snooping and Trusted DHCP Server" in the concepts guide and that should help you.



Let me know if that works for you.

(from Arpit_Bhatt)
Userlevel 4
Create Date: Mar 26 2012 11:25AM

Once DHCP snooping and trusted server are enabled you can use the command show ip-security dhcp-snooping violations to see where the rogue DHCP packet was received.

(from Paul_Russo)
Userlevel 4
You can also create an alarm in Netsight:

Add this section in trapd.conf and create the alarm.

EVENT extremeIpSecurityViolation .1.3.6.1.4.1.1916.1.34.1.0.1 "Status Alarms" Critical

FORMAT Rogue DHCP server on vlan $2

SDESC

"IP Security Violation"

EDESC

Reply