How to find the DHCP server on a network
Tim Peiffer
peiffer at umn.edu
Tue May 19 20:05:55 UTC 2009
John Tabasz (jtabasz) wrote:
> One of the networks I am responsible for has a DHCP server that is
> giving out an address already assigned to another host. I want to
> locate this DHCP server and investigate it as a rogue server.
> Can someone suggest a clean way to identify the DHCP servers on a
> network?
>
> Thanks,
>
> John
> ------------------------------------------------------------------------
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-user
On our campus, the reasons for rogues revolved initially on
proliferation of SOHO class NAT's in offices, and hosts bridging one
interface (wireless) to another.
The only way to identify the DHCP servers on the network is to listen
for the responses and note the source IP address and the source MAC
address;.. likely this will be with a judicious use of a sniffer, snoop,
tshark, ethereal, etc.. Once the rogue is located, new configurations
can be rapidly applied with a clue-by-four tool.
We take a different approach... address tracking of physical location
(jack), switch/port, MAC address, IP address as a session tuple to
locate offenders in case the need arises, and we implement edge filters
to disable dhcp server responses from all but a known set of ports.
This doesn't involve exotic dhcp snooping.
With vendor 'C', the edge filter is pretty straight forward. I am sure
that edge filtering is straightforward on most switching platforms.
ip access-list extended Access_IN
remark * Standard Rogue DHCP Servers from customers filter *
deny udp any eq bootps any log
[....]
remark * let any "real" address out.
permit ip any any
interface GigabitEthernetx/x/x
ip access-group Access_IN in
Tim
--
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
More information about the dhcp-users
mailing list