
DHCP Snooping False Positives


EtherNation_Use
Contributor II
Create Date: Dec 20 2012 11:51AM

Hello All!

I’ve been using DHCP Snooping on my corporate network and it’s working as I would expect, apart from a few oddities, which I would like to point out to you guys and hopefully find people seeing similar.

The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set to after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.

When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.

58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526

Previously we had set the port to block on detection of rogue DHCP services; however, with the more widespread rollout of Windows 7 we changed this to just drop the packet. The frequency and volume of syslog alerts has increased as you would expect.

Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.

Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 clients.

I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.

Googling around, there have been some instances reported by people running a competitor's switch setup (not sure if I can mention their name here!) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:

http://www.pronetworks.org/forums/win...

Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.

Many thanks for taking the time to read all of it if you got this far! 🙂

(from Shaun_Kent)
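As an added example (not part of the original post or of any Extreme Networks tooling), here is a small Python triage script for the two artefacts this thread revolves around: a capture in the layout of the trace above, and snooping syslog alerts of the "Rogue DHCP server with IP 0.0.0.0" form. It flags OFFERs sourced from 0.0.0.0 (a real server always offers from its own address, so these are the client-originated offers described here) and separates such alerts from ones naming a real server address. The server addresses in the constructed sample replace the XXX.XXX.XXX.XXX placeholders with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the trace in the post:
# frame, time, date, source, optional destination, DHCP summary.
CAPTURE = """\
58476 12:56:58 16/11/2012 192.0.2.10 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58477 12:56:58 16/11/2012 192.0.2.11 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 192.0.2.10 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 192.0.2.11 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\S+)\s+(?P<date>\S+)\s+(?P<src>[\d.]+)"
    r"(?:\s+(?P<dst>[\d.]+))?\s+DHCP:(?P<dir>\w+),\s*MsgType = (?P<type>\w+),"
    r"\s*TransactionID = (?P<xid>0x[0-9A-Fa-f]+)"
)

def parse_capture(text):
    """Parse trace lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def find_client_offers(records):
    """OFFERs sourced from 0.0.0.0: an unconfigured host is sending the OFFER itself,
    which is exactly what DHCP snooping reports as a rogue server with IP 0.0.0.0."""
    return [r for r in records if r["type"] == "OFFER" and r["src"] == "0.0.0.0"]

def offers_by_xid(records):
    """Group OFFER sources per transaction so the odd one stands out beside the real servers."""
    groups = defaultdict(list)
    for r in records:
        if r["type"] == "OFFER":
            groups[r["xid"]].append(r["src"])
    return dict(groups)

SYSLOG_RE = re.compile(
    r"Rogue DHCP server(?: on VLAN)? with IP (?P<ip>[\d.]+) was detected on port (?P<port>\d+)"
)

def triage_syslog(line):
    """Classify a snooping alert: IP 0.0.0.0 matches the client-offer false positive
    described in this thread; any other IP is a server answering on an untrusted port."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    verdict = "likely-client-false-positive" if m["ip"] == "0.0.0.0" else "investigate-untrusted-server"
    return {"ip": m["ip"], "port": int(m["port"]), "verdict": verdict}
```

The alert split is only a first pass: a 0.0.0.0 source narrows the cause to a host on that port, while any other source is a live DHCP server that should be traced down.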
13 replies

EtherNation_Use
Contributor II
Create Date: Jan 7 2013 11:16AM

Hi, in fact all clients were Windows 7.

Regards
PJ (from PRASAD_JACOB)

EtherNation_Use
Contributor II
Create Date: Jan 7 2013 9:14AM

@Prusso, Thanks! I hope it helps! Can you confirm how widespread you've seen this, if at all yet, with your customers?

@Pj, Cheers! Glad to see we were not the only ones! Can you confirm if this was due to Windows 7 Clients?

(from Shaun_Kent)

EtherNation_Use
Contributor II
Create Date: Dec 21 2012 10:26AM

Hi Nerfie,
Thanks for the post. In fact we have DHCP snooping enabled on our network and I too have had this for a long time.

ipSecur: A Rogue DHCP server with IP 0.0.0.0 was detected on port 9
ipSecur: A Rogue DHCP server on VLAN with IP 0.0.0.0 was detected on port 9

Regards
PJ (from PRASAD_JACOB)

EtherNation_Use
Contributor II
Create Date: Dec 20 2012 1:25PM

Great post Nerfie thanks for sharing it. I have also sent it on to my customers to inform them of potential issues that they may be seeing.

P (from Paul_Russo)