Archive for September, 2008

Preventing Rogue DHCP Servers with HP Procurve Switches

Ok, it doesn’t happen often, but in larger networks once in a while some genius decides to bring in some cheap ass network crap from home and plug it into your big expensive network. Guess what? This genius manages to take your whole network down. Oh, it’s not an immediate crash, it’s more like a slow eating away of your network. And that really is the main clue that you probably have a rogue DHCP server problem on your hands. Groups of computers can’t connect for no apparent reason. They all have link lights after all. Why the heck can’t they connect to your servers or even go surfing??? Now if you take your phone off the hook long enough to investigate a little deeper, you find that all the computers that can’t connect are getting bad IP addresses. Bingo - rogue DHCP server confirmed! Finding that little bastard is a real PIA - hint, you can sometimes find its MAC address in one of the affected computers’ ARP table (obtainable with the arp -a command). That can tell you what brand of crap it is, and if you query your switches and are persistent, you might be able to find the switch and port the thing is plugged into. Anyway, that’s not really what this post is about. It’s about protecting your big expensive network from geniuses. It’s also about doing it with your HP Procurve switches. (If you’ve got other brands of switches or (god forbid) hubs - GO AWAY!)
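The confirmation step above (check which DHCP server the broken client got its lease from, then look that address up in the client's ARP table to get the MAC) is easy to script. The following is an added example, not code from the original post: it parses the text a Windows client prints for ipconfig /all and arp -a, compares the learned DHCP server against the servers you actually run, and returns the rogue's MAC and OUI when the ARP table has it. The two captured outputs, the addresses and the MACs are constructed, and AUTHORIZED_DHCP_SERVERS is an assumed value you replace with your own.

```python
"""Confirm a rogue DHCP server from an affected client's own command output.

Added example, not from the original post. The sample 'ipconfig /all' and
'arp -a' excerpts below are constructed; addresses and MACs are made up.
"""
import re

# Constructed: the DHCP server(s) you really operate. Replace with yours.
AUTHORIZED_DHCP_SERVERS = {"10.1.1.5"}

# Constructed 'ipconfig /all' excerpt from a client that lost connectivity.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1B-21-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
"""

# Constructed 'arp -a' excerpt from the same client.
SAMPLE_ARP = """
Interface: 192.168.0.103 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-18-e7-aa-bb-cc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# "DHCP Server . . . . : 1.2.3.4" -> the address after the dotted leader
DHCP_SERVER_RE = re.compile(r"DHCP Server[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")
# one data row of 'arp -a': IP, dash-separated MAC, type
ARP_ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)


def dhcp_servers_from_ipconfig(text):
    """Every DHCP server address the client lists, one per adapter."""
    return DHCP_SERVER_RE.findall(text)


def arp_table(text):
    """Map IP -> MAC (lower-case, dash separated) parsed from 'arp -a' output."""
    return {ip: mac.lower() for ip, mac, _ in ARP_ROW_RE.findall(text)}


def find_rogue_dhcp(ipconfig_text, arp_text, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return [(server_ip, mac_or_None, oui_or_None)] for DHCP servers not in 'authorized'.

    The MAC is only present when the client talked to the server recently,
    which is why this works best on a machine that just took the bad lease.
    The OUI (first three bytes) is what you look up in the IEEE registry to
    learn what brand the device is.
    """
    arp = arp_table(arp_text)
    rogues = []
    for ip in dhcp_servers_from_ipconfig(ipconfig_text):
        if ip in authorized:
            continue
        mac = arp.get(ip)
        oui = mac[:8] if mac else None
        rogues.append((ip, mac, oui))
    return rogues


if __name__ == "__main__":
    for ip, mac, oui in find_rogue_dhcp(SAMPLE_IPCONFIG, SAMPLE_ARP):
        print(f"rogue DHCP server {ip}  MAC {mac or 'not in ARP table'}  OUI {oui}")
```

Run it against the pasted output of one affected client at a time; once you have the MAC, the switch-by-switch MAC address table search the post mentions is what tells you the port.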

So anyway, what you are looking for is something called DHCP-SNOOPING. It’s not documented very well by HP. In fact you will only find hints about it in the firmware update release notes, starting down around version H.08.105, or in the manuals for the new generation of switches, but it does in fact work on 2600, 2800 and 5300 class switches. Anyway, here’s what you need to know.

First, update the firmware on all of your switches to at least H.10.35. It seems there are some bugs that keep it from working too well in earlier versions.

Next, hopefully you have PCM+ (ProCurve Manager Plus); otherwise you will have to go to each switch manually - yuck. In any case you need the following set of commands:

dhcp-snooping authorized-server [ip-addr]
dhcp-snooping vlan [vlan]
no dhcp-snooping option 82
dhcp-snooping trust [interface]

The interface ports you need to trust are the port(s) the real DHCP server is plugged into AND all the ports that the switches link to one another on. If you were consistent in what ports you use for uplinks, then it’s pretty easy using the CLI configuration tool in PCM+. Oh, and don’t leave out turning off the option 82 stuff. It seems that Microsoft is not standards compliant with the Option 82 info, so if you don’t disable checking it in the switches, they will discard all your DHCP traffic! Nice huh?
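Whether you push the commands through PCM+ or paste them into each switch, the part that goes wrong is the trust list: an uplink left untrusted makes that switch quietly drop the real server's DHCP replies, which looks a lot like the rogue-server problem you were trying to fix. The following is an added example, not code from the original post or from HP: it renders the command block above for each switch in a small inventory and audits a config for untrusted uplinks. The inventory, port numbers, VLAN IDs and server address are constructed; the global dhcp-snooping enable line is an assumption on my part, since the post's list does not show it.

```python
"""Build and sanity-check the per-switch DHCP snooping config from the post.

Added example, not from the original post or from HP. Switch names, ports,
VLANs and addresses below are constructed. Command syntax is the one quoted
in the post plus the global 'dhcp-snooping' enable, which is assumed.
"""
import re

AUTHORIZED_DHCP_SERVER = "10.1.1.5"   # constructed: the real DHCP server's address
SNOOPED_VLANS = [1, 20]                # constructed: VLANs that carry DHCP clients

# Constructed inventory. 'uplinks' are ports cabled to other switches; the
# real DHCP server is plugged into port B1 of the core switch only.
SWITCHES = {
    "core-5300":  {"uplinks": ["A1", "A2", "A3"], "dhcp_server_ports": ["B1"]},
    "edge-2600a": {"uplinks": ["25"],             "dhcp_server_ports": []},
    "edge-2600b": {"uplinks": ["25", "26"],       "dhcp_server_ports": []},
}


def port_sort_key(port):
    """Sort 'A2' before 'A10' and '9' before '10' (module letter, then number)."""
    m = re.fullmatch(r"([A-Za-z]*)(\d+)", port)
    return (m.group(1).upper(), int(m.group(2))) if m else (port, 0)


def trusted_ports(switch):
    """Uplinks plus the DHCP server's own port(s); every other port stays untrusted."""
    ports = set(switch["uplinks"]) | set(switch["dhcp_server_ports"])
    return sorted(ports, key=port_sort_key)


def render_config(switch, server_ip=AUTHORIZED_DHCP_SERVER, vlans=SNOOPED_VLANS):
    """Return the CLI lines to paste into one switch's config context."""
    lines = ["dhcp-snooping"]                       # global enable (assumed)
    lines.append(f"dhcp-snooping authorized-server {server_ip}")
    lines += [f"dhcp-snooping vlan {vlan}" for vlan in vlans]
    lines.append("no dhcp-snooping option 82")     # the Microsoft caveat from the post
    ports = trusted_ports(switch)
    if ports:
        lines.append("dhcp-snooping trust " + ",".join(ports))
    return lines


def untrusted_uplinks(config_lines, switch):
    """Uplinks that the given config lines never trust.

    Feed it the 'dhcp-snooping' lines from a switch's running config. A
    non-empty result means DHCP replies from the real server would be
    dropped on this switch, so fix it before turning snooping on.
    """
    trusted = set()
    for line in config_lines:
        m = re.match(r"\s*dhcp-snooping trust\s+(.+)", line)
        if m:
            trusted.update(p.strip() for p in m.group(1).split(","))
    return [p for p in switch["uplinks"] if p not in trusted]


if __name__ == "__main__":
    for name, switch in SWITCHES.items():
        print(f"# --- {name} ---")
        print("\n".join(render_config(switch)))
        missing = untrusted_uplinks(render_config(switch), switch)
        print(f"# untrusted uplinks: {missing or 'none'}")
```

Keeping the inventory in one place is the point: when a new uplink is cabled, you change the table and regenerate, rather than remembering which switch still needs one more trust line.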

So, once you do this to all of your switches, the geniuses will have a little harder time wrecking your network and your day.