DHCP security on WAN issue

Have a client of ours with 2 x 2960s in an apartment building..

He serves 192.168.0.0/24 via DHCP to every port.. problem is though some people are plugging their own hubs / routers in as you'd expect, which is allowed.. problem though is some have set up their own internal IP DHCP range but plugged the LAN port into the wall socket so are serving their IP range onto the wider network, which is obviously causing lots of problems for other clients.

So.. we looked at DHCP Snooping as a stop gap, and it's definitely helped the problem but hasn't fixed it..

Has anyone got any other ideas?
Steve (Network Manager) asked:

deibel commented:
Configure VLANs
so the "ports", the VLANs, are divided on layer 2.

Since DHCP is a layer 2 protocol it should stop the issue.

Do you need any communication between the apartments?

0
Rick_O_Shay commented:
How about if you use ACLs inbound on the user VLAN to drop anything not sourced from the DHCP range you are assigning and drop DHCP server packets sourced from any DHCP server other than your own.
0
deibel commented:
That would be good fine-tuning,
but as the 2nd step.
0

Nayyar HH (CCIE RS), Network Architect, commented:
You can look at the following as well

> MAC Security
> IP Source Guard
> Dynamic ARP Inspection
0
deibel commented:
There are several port security modes in the Catalyst.
Set up the VLANs to get rid of DHCP and the rest will follow.

Complete these steps in order to create a VLAN.

1. Decide whether to use VTP in your network.

With VTP, you can make configuration changes centrally on a single switch, and you can automatically communicate those changes to all the other switches in the network. The default VTP mode on the Catalyst 2900XL, 3500XL, 2950, 2970, and 2940 Switches is the server mode. Refer to Understanding VLAN Trunk Protocol (VTP) for more information on VTP.

Note: Issue the show vtp status command in order to check the VTP status on XL Series Switches.

3524XL#show vtp status

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 254
Number of existing VLANs        : 5
VTP Operating Mode              : Server

!--- This is the default mode.

VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

2. After you set and verify the VTP domain, begin to create VLANs on the switch.

By default, there is only a single VLAN for all ports. This VLAN is called default. You cannot rename or delete VLAN 1.

Issue the show vlan command in order to check the VLAN information.

3524XL#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24,
                                                Gi0/1, Gi0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        IBM  -        0      0
1005 trnet 101005     1500  -      -      1        IBM  -        0      0

Issue this set of commands in privileged mode in order to create another VLAN:

3524XL#vlan database

!--- You must enter into VLAN database in order to configure any VLAN.

3524XL(vlan)#vtp server

Device mode already VTP SERVER.

!--- You can skip this command if the switch is already in server mode and you
!--- want the switch to be in server mode.

Note: A switch can only create VLANs if it is in VTP server mode or VTP transparent mode. Refer to Understanding VLAN Trunk Protocol (VTP) for more information on VTP.

3524XL(vlan)#vlan ?

  <1-1005>  ISL VLAN index

3524XL(vlan)#vlan 2 ?

  are        Maximum number of All Route Explorer hops for this VLAN
  backupcrf  Backup CRF mode of the VLAN
  bridge     Bridging characteristics of the VLAN
  media      Media type of the VLAN
  mtu        VLAN Maximum Transmission Unit
  name       Ascii name of the VLAN
  parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  ring       Ring number of FDDI or Token Ring type VLANs
  said       IEEE 802.10 SAID
  state      Operational state of the VLAN
  ste        Maximum number of Spanning Tree Explorer hops for this VLAN
  stp        Spanning tree characteristics of the VLAN
  tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero
             if none)
  tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero
             if none)

3524XL(vlan)#vlan 2 name ?

  WORD  The ASCII name for the VLAN

3524XL(vlan)#vlan 2 name cisco_vlan_2

VLAN 2 added:
    Name: cisco_vlan_2

3524XL(vlan)#exit

!--- You must exit from the VLAN database in order for the changes
!--- to be committed.

APPLY completed.
Exiting....
3524XL#

Note: The VTP mode can change from client mode to transparent mode if the switch attempts to learn or pass a greater number of VLANs than it supports. Always check that the switches that run in client mode support the same number of VLANs that the switches in server mode send.

3. Issue the show vlan command in order to ensure that the VLAN is created.

3524XL#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24,
                                                Gi0/1, Gi0/2
2    cisco_vlan_2                     active    
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        IBM  -        0      0
1005 trnet 101005     1500  -      -      1        IBM  -        0      0

4. You can add ports (interfaces) in the newly created VLAN.

You must go to interface configuration mode for each of the interfaces that you want to add into the new VLAN.

Note: You can assign the ports of a Layer 2 Catalyst Switch to multiple VLANs, but the switch only supports one active management VLAN interface at a time and other switched virtual interfaces (SVIs) do not up/up because of Layer 2 functionality. Therefore, the switch supports only one active management Layer 3 address. On a Layer 2 Catalyst Switch, you can issue the optional management command under the new SVI in order to automatically shut down VLAN 1 and transfer the IP address to the new VLAN.

Switch#configure terminal
Switch(config)#interface vlan 2
Switch(config-subif)#management
Switch(config-subif)#^Z
Switch#show ip interface brief
Interface                  IP-Address      OK? Method Status   Protocol
VLAN1                      10.0.0.2        YES manual up       down    
VLAN2                      20.0.0.2        YES manual up       up      
FastEthernet0/1            unassigned      YES unset  up       up      
FastEthernet0/2            unassigned      YES unset  up       up

!--- Output suppressed.

Issue this set of commands in privileged mode in order to add a particular interface in the VLAN:

3524XL#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

3524XL(config)#interface fastethernet 0/2

3524XL(config-if)#switchport access ?

  vlan  Set VLAN when interface is in access mode

3524XL(config-if)#switchport access vlan ?

  <1-1001>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS

3524XL(config-if)#switchport access vlan 2

!--- These commands assign interface Fast Ethernet 0/2 to VLAN 2.

3524XL(config-if)#exit

3524XL(config)#interface fastethernet 0/3

3524XL(config-if)#switchport access vlan 2

!--- These commands assign interface Fast Ethernet 0/3 to VLAN 2.

3524XL(config-if)#end

3524XL#
00:55:26: %SYS-5-CONFIG_I: Configured from console by console

3524XL#write memory

!--- This saves the configuration.

Building configuration...

5. Issue the show vlan command in order to verify the VLAN configuration.

3524XL#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6,
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10,
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18,
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    cisco_vlan_2                     active    Fa0/2, Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        IBM  -        0      0
1005 trnet 101005     1500  -      -      1        IBM  -        0      0
0
OzNetNerd commented:
Another method would be to put every switch port into a different subnet/VLAN, but that would mean you need one DHCP scope per network port. This wouldn't be that hard to set up, but it depends on whether you would be willing to do it or not.
0
rxhango commented:
DHCP Snooping with DAI is the best solution for L2 security.
If you want more, the next step is definitely 802.1x or port-based Network Access Control (PNAC).
0

Steve (Network Manager, Author) commented:
Thanks for all the comments guys.. ok.. to answer some questions.. :

The DHCP device is a 'Cyberoam CR100ia', so a DHCP scope per port isn't going to happen; unfortunately neither are Cisco ACLs..

http://www.cyberoam.com/downloads/datasheet/CyberoamCR100ia.pdf

I think that if I moved all the switchports into a new VLAN (VLAN 2) and kept the snooping we've already done but enabled DAI, then that should resolve the issues?

0
Steve (Network Manager, Author) commented:
No more comments??
0
rxhango commented:
I just said that in my previous comment. Yes, this will give you strong L2 security.
0
Steve (Network Manager, Author) commented:
Some examples would have been handy..
0
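An added example, not posted by any participant in this thread, of the layer 2 hardening discussed above on a 2960: tenant ports moved into VLAN 2 as in Steve's plan, DHCP snooping, DAI, IP Source Guard and port security. It assumes tenant ports Fa0/1-24, Gi0/1 as the uplink to the Cyberoam DHCP server and Gi0/2 as the trunk to the second 2960; snooping only blocks rogue offers when it is enabled both globally and for the VLAN, with the uplink and inter-switch trunk trusted and every tenant port left untrusted.

```cisco
! Added example (not from the thread). Assumed: tenant ports Fa0/1-24 in VLAN 2,
! Gi0/1 = uplink to the Cyberoam DHCP server, Gi0/2 = trunk to the other 2960.
! Apply on both switches; the DHCP server must sit behind a trusted port.
vlan 2
 name tenants
!
! Snooping must be enabled globally AND per VLAN, otherwise it does nothing.
ip dhcp snooping
ip dhcp snooping vlan 2
! Do not insert option 82; many small DHCP servers drop such requests.
no ip dhcp snooping information option
! DAI checks ARP against the snooping binding table (stops ARP spoofing).
ip arp inspection vlan 2
! Let ports err-disabled by the rate limits recover without a site visit.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Tenant ports are untrusted by default, so DHCPOFFER/ACK arriving from a
! tenant's router LAN port is dropped. 'protected' also blocks frames between
! tenant ports on this switch (not across the trunk to the other switch).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 2
 switchport protected
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ! IP Source Guard: only addresses leased through the switch may send.
 ! A tenant with a static IP needs an 'ip source binding' entry.
 ip verify source
!
! Uplink to the DHCP server: the only port where server replies may enter.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 2
 ip dhcp snooping trust
 ip arp inspection trust
!
! Trunk to the second 2960: trusted, because each switch keeps its own
! binding table and legitimate offers must cross between them.
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 2
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verify: show ip dhcp snooping ; show ip dhcp snooping binding ;
!         show ip arp inspection vlan 2
```

The port-security maximum is a policy choice: set it to the number of devices a wall socket is allowed to carry, since the tenants' own hubs and routers put several MAC addresses behind one port.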
Question has a verified solution.