[c-nsp] DHCP Snooping and tracking down rogue dhcp servers

Shawn L shawn at rmrf.us
Thu Jun 9 15:53:04 EDT 2016

I have a weird one that's been bugging me for a while.  Hoping someone
might have some insight.

We have a Cisco 3750 switch that's providing aggregation for several DSLAMs
at a small remote site.  The DSLAMs don't have any real IP awareness or
routing abilities, etc., so we're utilizing the switch as both a switch and
a router to do DHCP relay back to a central office server.  We also have
DHCP snooping turned on, so that none of the customers can attempt to start
handing out addresses.

Sporadically for the past several months we've been receiving log errors
that show that there is a rogue DHCP server on the network somewhere, but I
can't seem to find it.  The log messages show the MAC address of the switch
itself, not of the rogue DHCP server.

I've even resorted to doing a Wireshark packet capture, spanning one port
at a time and looking for DHCP traffic to track it down, but it didn't
yield any results.  From the log messages, it was definitely seeing the
rogue DHCP server at the time we were performing the monitoring.

Does anyone have any ideas on how to track this down better?

Here's an example of the log message:

on untrusted port, message type: DHCPOFFER, MAC sa:

Here are the relevant portions of the config:

ip routing
ip dhcp relay information trust-all
ip dhcp snooping vlan 100
ip dhcp snooping
vlan 100
 name Subscribers
interface FastEthernet1/0/1
 description Dslam 1
 switchport access vlan 100
interface FastEthernet1/0/2
 description Dslam 2
 switchport access vlan 100
interface GigabitEthernet1/0/1
 description Feed from Site X
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,3
 switchport mode trunk
 ip dhcp snooping trust

interface Vlan100
 description Subscribers
 ip address aa.aa.aa.aa bbb.bbb.bbb.bbb
 ip access-group block-bad-traffic out
 ip helper-address xxx.yyy.zzz.aaa
ip route aa.bb.cc.dd
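As an added example (not from the original post, and not Cisco code), here is a Python script that does offline what the spanning-port Wireshark capture was meant to do: it parses DHCP replies out of raw Ethernet frames and lists every DHCPOFFER whose source MAC / server-identifier (option 54) pair is not the authorized central-office server. All frames, MAC addresses and IP addresses below are constructed for the example; build_offer exists only to generate them, and the authorized server address is a placeholder.

```python
import struct
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_offer(src_mac, server_ip, yiaddr, client_mac):
    """Construct a DHCPOFFER Ethernet frame (sample input for this example, not captured traffic)."""
    opts = bytes([53, 1, 2, 54, 4]) + ip_bytes(server_ip) + b"\xff"   # msg type, server id, end
    bootp = (bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 8 + ip_bytes(yiaddr)
             + ip_bytes(server_ip) + b"\x00" * 4 + client_mac + b"\x00" * 202
             + b"\x63\x82\x53\x63" + opts)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(server_ip), ip_bytes("255.255.255.255")) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def parse_dhcp_reply(frame):
    # Return the server-identifying fields of a DHCP reply frame, or None if it is not one.
    if len(frame) < 282 or frame[12:14] != b"\x08\x00" or frame[23] != 17:  # IPv4 carrying UDP
        return None
    ihl = (frame[14] & 0x0F) * 4
    udp, bootp = frame[14 + ihl:], frame[22 + ihl:]
    if udp[:2] != b"\x00\x43" or bootp[0] != 2 or bootp[236:240] != b"\x63\x82\x53\x63":
        return None                                          # not sport 67 / BOOTREPLY / DHCP cookie
    info = {"src_mac": mac_str(frame[6:12]), "yiaddr": ip_str(bootp[16:20]),
            "msg_type": None, "server_id": None}
    opts, i = bootp[240:], 0
    while i < len(opts) and opts[i] != 255:                  # 255 = end option
        code = opts[i]
        length = 0 if code == 0 else opts[i + 1]             # pad option (0) has no length byte
        if code == 53:
            info["msg_type"] = opts[i + 2]
        elif code == 54:
            info["server_id"] = ip_str(opts[i + 2:i + 2 + length])
        i += 1 if code == 0 else 2 + length
    return info

def find_rogue_offers(frames, authorized):
    # Count DHCPOFFERs per (source MAC, server identifier); return the pairs not in the allowlist.
    seen = {}
    for frame in frames:
        p = parse_dhcp_reply(frame)
        if p and p["msg_type"] == 2:                         # 2 = DHCPOFFER
            key = (p["src_mac"], p["server_id"])
            seen[key] = seen.get(key, 0) + 1
    return {k: n for k, n in seen.items() if k[1] not in authorized}

# Constructed sample capture: one offer from the authorized server, two from an unknown one.
SWITCH_MAC, ROGUE_MAC, CLIENT = (bytes.fromhex(h) for h in ("0011aa000001", "00deadbeef02", "001122334455"))
SAMPLE_FRAMES = [build_offer(SWITCH_MAC, "10.0.0.1", "10.1.1.50", CLIENT),
                 build_offer(ROGUE_MAC, "192.168.1.1", "192.168.1.100", CLIENT),
                 build_offer(ROGUE_MAC, "192.168.1.1", "192.168.1.101", CLIENT)]
```

On a real capture, feed the frames from a pcap reader in place of SAMPLE_FRAMES; the Ethernet source MAC and server identifier together identify the offering host, which the snooping log above does not give since it only shows the switch's own MAC.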
