7

How can I prevent a duplicate DHCP server on a network from interfering? Is it possible?

I am not asking for any actual scenario that is happening, just curiosity. In my apartment complex there is a network and internet provided; someone caused problems with the entire network because they plugged in their wireless router, which had a DHCP server enabled.

How would you prevent such conflicts / problems on a network, or is it impossible short of firewalling and controlling the machines on your network?

Sonny Ordell
  • 145
  • 3
  • 7

4 Answers

6

Any kind of network security is impossible, short of strictly controlling access to the network. If you are allowing people to plug in a random piece of hardware, that hardware happens to be running a DHCP server, and that server thinks it should be handing out addresses, you will have conflicts.

The best solution I can think of with no other changes in your environment is to determine which network port the rogue DHCP server is running on and shut it down. You can do that manually for rare/occasional issues, but there are also Intrusion Prevention Systems that can do this by recognizing that a DHCP reply was sent from an unauthorized MAC address, determining which switch port is associated with that MAC & disabling the port (Cisco has software that can do this, and you can also probably configure Snort to do it with some work).

A better solution is probably to segment your network so each apartment/user gets a VLAN. This avoids one rogue device affecting your entire complex.

voretaq7
  • 79,345
  • 17
  • 128
  • 213
  • To your innuendo of "administrative burden," setting up individualized VLANs is more labor intensive, but is also the right thing to do if one is providing ISP-type services (hopefully with ISP-level/capable equipment as well). – user48838 Jun 02 '11 at 17:01
  • Setting up individual VLANs does add to the administrative burden -- in this guy's case it's probably a wash with DHCP snooping (and it might even make sense to set up both). A situation like this I'd stick with one VLAN per apartment, and maybe one for common areas/public wifi if they have it - should be a one-time investment – voretaq7 Jun 02 '11 at 17:03
  • Yeah right. Apartment buildings are going to invest in switches that do VLANs and then manage them as people move in and out. – KCotreau Jun 02 '11 at 21:08
  • 2
    @KCotreau - One VLAN per apartment, assigned to one network port per apartment. No further management is necessary, unless you want to get fancy and put the resident's name in the VLAN description field (if your switch supports such a thing) or admin-down ports for unoccupied units/units that aren't paying for net access. I fail to see a problem here... – voretaq7 Jun 02 '11 at 21:52
2

By enabling "DHCP Snooping" on a managed switch which supports that feature.

user48838
  • 7,393
  • 2
  • 17
  • 14
  • If you have switches that support this feature, and are willing to take on the administrative burden of maintaining the access lists, this is a good option. – voretaq7 Jun 02 '11 at 16:38
  • 1
    The access list is that of the authorized DHCP server(s), which should not be that many for most practical configurations. – user48838 Jun 02 '11 at 16:42
  • It's mostly the "trusted ports" list that needs to be maintained - like you said that should be a small number for most configurations (1 or 2 ports) – voretaq7 Jun 02 '11 at 16:47
0

When your computer needs DHCP support it broadcasts a DHCP request message on the local network. If there is more than one DHCP server on the network segment, the first DHCP server that responds will be the DHCP server that provides the necessary information to your computer.

fpmurphy
  • 841
  • 6
  • 13
0

There is another potential option, which would be to deny only the DHCP responses inbound from all physical ports except for the port connected to the valid server - UDP destination port 68 (pretty sure, 67/68 are bootps/bootpc).

This way, you don't prevent clients from requesting addresses, but you prevent anything not connected to your allowed ports from responding. You'd want this only at the edge of the network, direct access ports etc.

Bryan Redd
  • 36
  • 1
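The detection logic described in the answers (voretaq7's IPS that flags a DHCP reply from an unauthorized MAC, and Bryan Redd's point that server replies are the UDP port 68 traffic you want to restrict to the trusted port) can be demonstrated with a small packet classifier. This is an added example, not code from any of the answerers or from any product they mention. It assumes untagged Ethernet II / IPv4 / UDP frames, a hypothetical trusted server MAC, and hand-constructed sample frames (IP and UDP checksums left at zero); a real deployment would feed it frames from a span port or a capture library instead.

```python
import struct

# Hypothetical trusted DHCP server MAC(s); on a real network these would be
# the MACs (or switch ports) of the servers you actually operate.
AUTHORIZED_SERVER_MACS = {"00:11:22:33:44:55"}

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68     # bootps / bootpc
DHCP_MAGIC = b"\x63\x82\x53\x63"                 # magic cookie after the BOOTP header
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_options(data):
    """Parse the DHCP option area (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_frame(frame):
    """Classify one raw Ethernet frame.

    Returns (verdict, source MAC) where verdict is 'not-dhcp',
    'client-message', 'authorized-reply' or 'rogue-reply'.
    """
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "not-dhcp", None                  # too short or not IPv4
    src_mac = mac_to_str(frame[6:12])
    ip = frame[14:]
    if ip[9] != 17:                              # IPv4 protocol field: 17 = UDP
        return "not-dhcp", None
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    if len(udp) < 8:
        return "not-dhcp", None
    sport, dport = struct.unpack("!HH", udp[:4])
    payload = udp[8:]
    # 236-byte BOOTP header, then the 4-byte magic cookie, then options
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return "not-dhcp", None
    op = payload[0]                              # 1 = BOOTREQUEST, 2 = BOOTREPLY
    msg_type = parse_options(payload[240:]).get(53, b"\x00")[0]
    # A server reply is a BOOTREPLY addressed to the client port carrying
    # OFFER/ACK/NAK; anything else is client traffic we never want to block.
    if op == 2 and dport == DHCP_CLIENT_PORT and msg_type in REPLY_TYPES:
        verdict = "authorized-reply" if src_mac in AUTHORIZED_SERVER_MACS else "rogue-reply"
        return verdict, src_mac
    if op == 1 and dport == DHCP_SERVER_PORT:
        return "client-message", src_mac
    return "not-dhcp", None


def find_rogue_servers(frames):
    """Return the set of source MACs that answered clients without being authorized."""
    return {mac for verdict, mac in map(classify_frame, frames) if verdict == "rogue-reply"}


def build_dhcp_frame(src_mac, dst_mac, op, msg_type, sport, dport):
    """Construct an Ethernet/IPv4/UDP/DHCP frame for the example (checksums zeroed)."""
    options = bytes([53, 1, msg_type, 255])
    bootp = bytes([op, 1, 6, 0]) + b"\x00" * 232 + DHCP_MAGIC + options   # 236-byte header
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00" + ip


# Constructed sample traffic: a client DISCOVER, an OFFER from the authorized
# server, an OFFER from a rogue device (the plugged-in home router), and noise.
CLIENT, GOOD_SERVER, ROGUE = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_dhcp_frame(CLIENT, "ff:ff:ff:ff:ff:ff", 1, 1, 68, 67),   # DISCOVER
    build_dhcp_frame(GOOD_SERVER, CLIENT, 2, 2, 67, 68),           # OFFER, authorized
    build_dhcp_frame(ROGUE, CLIENT, 2, 2, 67, 68),                 # OFFER, rogue
    b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 50,                     # unrelated IPv6 frame
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(classify_frame(frame))
    print("rogue DHCP servers:", find_rogue_servers(SAMPLE_FRAMES))
```

The verdict split mirrors what DHCP snooping does in hardware: client messages (DISCOVER/REQUEST towards port 67) pass from any port, while server replies (OFFER/ACK/NAK towards port 68) are only acceptable from the trusted port or MAC. The MAC returned for a rogue reply is what you would look up in the switch's MAC address table to find the port to shut down.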