Blocking rogue DHCP servers with Cisco
Posted on 2004-10-30
I have a large wireless network with probably 600 wifi clients. I run all Cisco 3550/3560 edge switches and just recently got my new 4506 as my core. My access points are a combo of Cisco 1231s, Cisco 1120s, and some old Lucent ones I have not replaced yet. My clients are XP Pro with either SP1 or SP2.

My problem is that I think someone has turned on Internet Connection Sharing (ICS) on one of their machines. Randomly throughout the day various people are getting a bad address. My default gateway is x.x.x.1 and my DNS suffix is mycompany.com. When someone gets an IP address from this other "server" they get some random default gateway address which is in the same subnet as my network, which I can ping sometimes (remember, in a wifi environment machines are on and off randomly throughout the day). Their DNS suffix is mshome.net, which I believe is the default workgroup that XP Pro changes to when you do ICS. The clients with a bad address can access our internal email and network file systems but cannot get through to the internet. If I do a nbtstat /A ipofbaddefaultgateway I get a NetBIOS name and MAC address of the person, whom I call and find out they are NOT doing ICS. One other thing I noticed is that if a client has connected to this bad "server" then the Network Connections window in XP tells me I am connected to some internet gateway.
Is there any way to find out exactly who this person is, or just block all DHCP servers except for my DHCP server with my Cisco switches?
Within the next few months I will be implementing a few VLANs in my network, since I have all L3 switches now that my 4506 came in. I'm pretty sure I can block it that way, because all of my clients will be in a separate VLAN from my servers, but at the moment everything is L2 and in the same subnet.
Doing static IP of all my clients is not an option.
I would really appreciate any help or advice.
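Added example, not part of the original post or any reply to it: the Cisco IOS DHCP snooping configuration an edge 3550/3560 and the 4506 core would take to drop DHCPOFFER/DHCPACK from anything except the real server, preceded by the commands that locate the rogue machine. VLAN 1, the interface names, the description text and the rate-limit values are assumptions chosen for illustration; DHCP snooping itself, `show mac address-table address`, `show dot11 associations` and `ipconfig /all` are real commands.

```cisco
! Added example, not from the original post. VLAN 1, interface names
! and rate limits are assumptions; adjust them to the real topology.
!
! --- Step 1: identify the rogue (works with or without snooping) ---
! On an affected XP client, "ipconfig /all" shows the "DHCP Server"
! that handed out the bad lease, and "arp -a" gives that IP's MAC.
! On each edge switch, find the port that MAC is learned on:
!   show mac address-table address 0011.2233.4455
! If the port leads to an Aironet IOS AP (1231/1120), the AP's
! association table names the wireless client owning that MAC:
!   show dot11 associations
!
! --- Step 2: DHCP snooping on every 3550/3560 edge switch ---
ip dhcp snooping
ip dhcp snooping vlan 1
! Option 82 insertion is on by default; turn it off unless the DHCP
! server is known to accept packets carrying it.
no ip dhcp snooping information option
!
! Only the uplink toward the 4506 (and so toward the real DHCP server)
! may source server-side DHCP messages. Every other port stays
! untrusted, so an OFFER from a client, or from a wireless client
! bridged through an AP, is dropped at the switch port.
interface GigabitEthernet0/1
 description uplink to 4506 core
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 48
 description user and AP ports, untrusted by default
 ! An AP port carries DISCOVER/REQUEST for every client on that AP,
 ! so keep the rate limit generous: a port exceeding it is err-disabled.
 ip dhcp snooping limit rate 50
!
! --- Step 3: the 4506 core, same feature, only the server port trusted ---
ip dhcp snooping
ip dhcp snooping vlan 1
no ip dhcp snooping information option
!
interface GigabitEthernet2/1
 description DHCP server
 ip dhcp snooping trust
! The trunks down to the edge switches stay untrusted.
!
! --- Step 4: verification ---
! show ip dhcp snooping            trusted ports, VLANs, option 82 state
! show ip dhcp snooping binding    leases learned from the trusted server
```

Two caveats a practitioner would want. First, snooping only filters what reaches a switch port: two clients associated with the same AP can exchange frames through the AP without ever crossing the switch, so a rogue server can still answer its neighbours on that one radio unless the AP blocks client-to-client traffic. Second, the rate limit on AP ports needs headroom for the burst of requests after a power event, or the port will err-disable and take every client on that AP down with it; the per-port drop counters in `show ip dhcp snooping` are the place to watch after enabling it.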