Block rogue DHCP or Wireless Routers on Wired Network

I have an issue with people plugging in rogue wireless access points on my network.  My wireless will contain rogue wireless, but that does not help my wired network if they happen to have DHCP turned on.  

Can someone suggest a way I can detect and disable any rogue DHCP servers on my wired network?  Hunting them down one by one is becoming very, very frustrating.
perktech asked:
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi Perktech,

If you have managed Cisco hardware, look into DHCP snooping on your switches. This will only allow DHCP requests from trusted ports.

HTH
John (Business Consultant, Owner) commented:
If you have a limited number of trusted devices, implement MAC filtering and tell users they have abused their privileges and have lost them.

... Thinkpads_User
perktech (Author) commented:
We have approximately 500 client devices across 40 switches.  All devices must be considered "trusted" on our network (admin policy).

They are HP ProCurve switches.  I don't know if they support DHCP snooping.

Any other ideas?
John (Business Consultant, Owner) commented:
Are all 500 clients wireless?  MAC addressing is only for wireless, not wired.

.... Thinkpads_User
perktech (Author) commented:
No, they are not and MAC addressing is for everyone... not just wireless.  All network connected devices have a MAC address.
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi again,

Yes, HP ProCurve switches support DHCP snooping.
All devices are still 'trusted', just not their DHCP messages.

As a means of last resort, create a written policy and have all users (digitally) sign it, where users are pointed to good behaviour whilst using the network and the consequences if they do not obey.
Else? Get a shotgun!
perktech (Author) commented:
So I am reading about DHCP Snooping, apparently HP ProCurve switches do support it... but I am unclear about the "trusted ports" part.  

It says:
The DHCP Snooping feature on ProCurve ProVision switches allows you to configure switches to accept DHCP responses only from authorized servers that are connected to trusted ports.

So... does this mean that the DHCP server has to be on a "trusted port" or the client has to be on a trusted port?  I don't want to configure DHCP snooping and block my DHCP server, and conversely I don't want to configure DHCP snooping and then trust all my client ports and do an end-around the security of DHCP snooping...

Can anyone clarify?  This is what I *think* I should do:

dhcp-snooping authorized-server 10.1.1.10
dhcp-snooping trust 50 (my uplink port to trust my DHCP server)
dhcp-snooping vlan 1-3
dhcp-snooping

Thoughts?
perktech (Author) commented:
Patrick - "As a means of last resort, create a written policy and have all users (digitally) sign it, where users are pointed to good behaviour whilst using the network and the consequences if they do not obey.
Else? Get a shotgun!"

That's hilarious... we already have a written policy... :)
John (Business Consultant, Owner) commented:
What I meant was that MAC filtering is meant for wireless. My apologies as I was careless posting.  Yes, of course every device has a MAC address.

Your wired devices do not need MAC filtering. You can set up a table in your router of admissible wireless MAC addresses that are allowed to connect. The others cannot (short of MAC spoofing).

... Thinkpads_User
perktech (Author) commented:
I know I can do an allowed MAC table, but that is not a tenable situation on a network of my variety and size.  I need to be able to either detect and shut down rogue DHCP servers or block the packets in some way.

I am going to take a swing at configuring DHCP snooping as detailed above this evening.

Thanks anyway.
perktech (Author) commented:
I'm still a little fuzzy on the "trusted" thing... If I'm telling the switch what the DHCP server IP address is... what does the "trusted" port do for me?

Does it block DHCP packets on non-trusted ports?
Dave Baldwin (Fixer of Problems) commented:
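The "trusted port" question above, and the original request to detect rogue DHCP servers, both come down to the same rule a snooping switch applies to each DHCP packet. The following Python script is an added example written for this page (it is not code from the thread, from HP, or from the poster's switch): it parses the two fields a switch looks at (message type, option 53, and server identifier, option 54) and models the snooping decision as the feature is generally described, which is an assumption about ProCurve's implementation rather than a quote of it: DHCP server messages (OFFER/ACK/NAK) are dropped on untrusted ports, and on trusted ports they are also checked against the authorized-server list. The 10.1.1.10 server comes from the poster's proposed config; port 50 as the trusted uplink, the other port numbers, and the packets themselves are constructed sample values.

```python
"""Model of the DHCP-snooping decision and a rogue-server detector.

Added example for this thread, not the switch's own code. The snooping rule
modelled here (server messages dropped on untrusted ports; on trusted ports
they must also come from an authorized server) is an assumption about how
the ProCurve feature behaves. All addresses, ports and packets are constructed.
"""
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server should send these


def parse_dhcp(payload: bytes) -> dict:
    """Pull message type (option 53) and server identifier (option 54) out of a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    info = {"op": payload[0], "type": None, "server_id": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            info["type"] = MSG_TYPES.get(value[0], "UNKNOWN")
        elif code == 54 and length == 4:
            info["server_id"] = str(IPv4Address(bytes(value)))
        i += 2 + length
    return info


def snooping_verdict(payload, ingress_port, trusted_ports, authorized_servers):
    """Return ("forward" | "drop", reason) the way a snooping switch would decide for one packet."""
    info = parse_dhcp(payload)
    if info["type"] not in SERVER_MESSAGES:
        return "forward", f"{info['type']} is a client message, allowed on any port"
    if ingress_port not in trusted_ports:
        return "drop", f"{info['type']} on untrusted port {ingress_port}"
    if authorized_servers and info["server_id"] not in authorized_servers:
        return "drop", f"{info['type']} from unauthorized server {info['server_id']}"
    return "forward", f"{info['type']} from {info['server_id']} on trusted port {ingress_port}"


def build_dhcp(msg_type, server_id=None, op=2):
    """Construct a minimal DHCP payload (sample data, not a captured packet)."""
    pkt = bytearray(240)
    pkt[0], pkt[1], pkt[2] = op, 1, 6   # op (1=request, 2=reply), htype=Ethernet, hlen=6
    pkt[236:240] = DHCP_MAGIC
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed
    return bytes(pkt) + opts + b"\xff"


def find_rogue_servers(frames, authorized_servers):
    """Detection view: (port, server id) pairs that hand out leases without being authorized."""
    rogue = set()
    for port, payload in frames:
        info = parse_dhcp(payload)
        if info["type"] in SERVER_MESSAGES and info["server_id"] not in authorized_servers:
            rogue.add((port, info["server_id"]))
    return rogue


AUTHORIZED = {"10.1.1.10"}   # the server from the poster's proposed config
TRUSTED_PORTS = {50}         # assumed uplink toward the real DHCP server

# Constructed sample traffic as (ingress port, payload)
FRAMES = [
    (12, build_dhcp(1, op=1)),            # DISCOVER from an ordinary client
    (50, build_dhcp(2, "10.1.1.10")),     # OFFER from the real server via the uplink
    (17, build_dhcp(2, "192.168.0.1")),   # OFFER from a consumer router on an access port
    (50, build_dhcp(2, "192.168.0.1")),   # same rogue server, but seen on the trusted port
]


def run_demo():
    """Verdicts for the sample frames, in order."""
    return [snooping_verdict(p, port, TRUSTED_PORTS, AUTHORIZED)[0] for port, p in FRAMES]


if __name__ == "__main__":
    for port, payload in FRAMES:
        verdict, reason = snooping_verdict(payload, port, TRUSTED_PORTS, AUTHORIZED)
        print(f"port {port:>2}: {verdict:7} ({reason})")
    print("rogue servers seen:", find_rogue_servers(FRAMES, AUTHORIZED))
```

The third and fourth frames are the two cases the thread is circling around: marking a port untrusted is what blocks a rogue server's offers even though the device itself stays on the network, and the authorized-server list is the second check that still drops the rogue if it ever reaches a trusted port, so trusting every client port would defeat the first check but not the second.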
Note that if someone plugs in a wireless router without security, they are potentially allowing outsiders access to your internal networks.  In most cases, that should be a fire-able offense.  In some cases, it would simply be illegal to grant outsiders access to classified information.