perktech

asked on

Block rogue DHCP or Wireless Routers on Wired Network

I have an issue with people plugging in rogue wireless access points on my network.  My wireless will contain rogue wireless, but that does not help my wired network if they happen to have DHCP turned on.  

Can someone suggest a way I can detect and disable any rogue DHCP servers on my wired network?  Hunting them down one by one is becoming very, very frustrating.
ASKER CERTIFIED SOLUTION
Patrick Bogers
If you have a limited number of trusted devices, implement MAC filtering and tell users they have abused their privileges and have lost them.

... Thinkpads_User
perktech

ASKER

We have approximately 500 client devices across 40 switches.  All devices must be considered "trusted" on our network (admin policy).

They are HP ProCurve switches.  I don't know if they support DHCP snooping.

Any other ideas?
Are all 500 clients wireless?  MAC addressing is only for wireless, not wired.

.... Thinkpads_User
No, they are not and MAC addressing is for everyone... not just wireless.  All network connected devices have a MAC address.
Hi again,

Yes HP Procurve switches support DHCP snooping.
All devices are still 'trusted', just not their DHCP messages.

As a means of last resort, create a written policy and have all users (digitally) sign it, where users are pointed to good behaviour whilst using the network and the consequences if they do not obey.
Else? get a shotgun !
So I am reading about DHCP Snooping, apparently HP ProCurve switches do support it... but I am unclear about the "trusted ports" part.  

It says:
The DHCP Snooping feature on ProCurve ProVision switches allows you to configure switches to accept DHCP responses only from authorized servers that are connected to trusted ports.

So... does this mean that the DHCP server has to be on a "trusted port" or the client has to be on a trusted port?  I don't want to configure DHCP snooping and block my DHCP server, and conversely I don't want to configure DHCP snooping and then trust all my client ports and do an end-around the security of DHCP snooping...

Can anyone clarify?  This is what I *think* I should do:

dhcp-snooping authorized-server 10.1.1.10
dhcp-snooping trust 50 (my uplink port to trust my DHCP server)
dhcp-snooping vlan 1-3
dhcp-snooping

Thoughts?
Patrick - "As a means of last resort, create a written policy and have all users (digitally) sign it, where users are pointed to good behaviour whilst using the network and the consequences if they do not obey.
Else? get a shotgun !"

That's hilarious... we already have a written policy... :)
What I meant was that MAC filtering is meant for wireless. My apologies as I was careless posting.  Yes, of course every device has a MAC address.

Your wired devices do not need MAC filtering. You can set up a table in your router of admissible wireless MAC addresses that are allowed to connect. The others cannot (short of MAC spoofing).

... Thinkpads_User
I know I can do an allowed MAC table, but that is not a tenable situation on a network of my variety and size.  I need to be able to either detect and shut down rogue DHCP servers or block the packets in some way.

I am going to take a swing at configuring DHCP snooping as detailed above this evening.

Thanks anyway.
I'm still a little fuzzy on the "trusted" thing... If I'm telling the switch what the DHCP server IP address is... what does the "trusted" port do for me?

Does it block DHCP packets on non-trusted ports?
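To make the "trusted port" question concrete, here is a small model of the decision a DHCP-snooping switch makes for each DHCP frame. It is an added example, not code from this thread or from HP; it assumes the usual snooping semantics (server replies are dropped on untrusted ports, an authorized-server list further filters replies on trusted ports, and client requests on untrusted ports may be checked for a client-hardware-address/source-MAC mismatch). Port 50 and server 10.1.1.10 are taken from the draft config above; the client MAC and the packets are constructed.

```python
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                 # DHCP option-field magic cookie

@dataclass
class SnoopingConfig:
    trusted_ports: set                      # ports allowed to carry server replies
    authorized_servers: set = field(default_factory=set)  # empty = any server

def build_dhcp(op, chaddr, msg_type, server_id=None):
    """Constructed sample packet: fixed BOOTP header + option 53 (+ option 54)."""
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return (bytes([op, 1, 6, 0]) + b"\0" * 24   # op .. giaddr (28 bytes)
            + chaddr + b"\0" * 10                # chaddr padded to 16 bytes
            + b"\0" * 192 + MAGIC + opts + b"\xff")  # sname, file, cookie, options

def parse_dhcp(payload):
    """Return (op, chaddr, server_id) from a raw DHCP payload (UDP data)."""
    op, chaddr, server_id = payload[0], payload[28:34], None
    opts, i = payload[240:], 0
    while i < len(opts) and opts[i] != 255:  # 255 = end option
        if opts[i] == 0:                     # pad option has no length byte
            i += 1
            continue
        code, ln = opts[i], opts[i + 1]
        if code == 54:                       # server identifier
            server_id = ".".join(str(b) for b in opts[i + 2:i + 2 + ln])
        i += 2 + ln
    return op, chaddr, server_id

def snoop_decision(cfg, ingress_port, src_mac, payload):
    """Server replies only from trusted ports (and only from authorized servers
    when a list is configured); client requests are accepted on any port."""
    op, chaddr, server_id = parse_dhcp(payload)
    if op == BOOTREPLY:
        if ingress_port not in cfg.trusted_ports:
            return "drop: server reply on untrusted port"
        if cfg.authorized_servers and server_id not in cfg.authorized_servers:
            return "drop: server not in authorized list"
        return "forward"
    if op == BOOTREQUEST:
        if ingress_port not in cfg.trusted_ports and chaddr != src_mac:
            return "drop: chaddr does not match source MAC"
        return "forward"
    return "drop: not a DHCP message"

CFG = SnoopingConfig(trusted_ports={50}, authorized_servers={"10.1.1.10"})
CLIENT = bytes.fromhex("001122334455")  # constructed client MAC
OFFER_OK = build_dhcp(BOOTREPLY, CLIENT, 2, "10.1.1.10")      # real server
OFFER_ROGUE = build_dhcp(BOOTREPLY, CLIENT, 2, "192.168.1.1")  # home router
DISCOVER = build_dhcp(BOOTREQUEST, CLIENT, 1)
```

Run snoop_decision(CFG, port, source_mac, packet) with the sample packets: the real server's offer is forwarded only when it arrives on port 50, the home router's offer is dropped even if it somehow reaches a trusted port, and the client's discover passes on an untrusted port.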
Note that if someone plugs in a wireless router without security, they are potentially allowing outsiders access to your internal networks.  In most cases, that should be a fire-able offense.  In some cases, it would simply be illegal to grant outsiders access to classified information.