[c-nsp] DHCP Snooping and tracking down rogue dhcp servers

Shawn L shawn at rmrf.us
Thu Jun 9 15:53:04 EDT 2016


I have a weird one that's been bugging me for a while.  Hoping someone
might have some insight.

We have a Cisco 3750 switch that's providing aggregation for several DSLAMs
at a small remote site.  The DSLAMs don't have any real IP awareness or
routing abilities, etc., so we're utilizing the switch as both a switch and
a router to do DHCP relay back to a central office server.  We also have
DHCP snooping turned on, so that none of the customers can attempt to start
handing out addresses.

Sporadically for the past several months we've been receiving log errors
that show that there is a rogue DHCP server on the network somewhere, but I
can't seem to find it.  The log messages show the MAC address of the switch
itself, not of the rogue DHCP server.

I've even resorted to doing a Wireshark packet capture, spanning one port
at a time and looking for DHCP traffic to track it down, but it didn't
yield any results.  From the log messages, it was definitely seeing the
rogue DHCP server at the time we were performing the monitoring.

Does anyone have any ideas on how to track this down better?

Here's an example of the log message:

%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message
on untrusted port, message type: DHCPOFFER, MAC sa:
MAC_ADDRESS_OF_Vlan100_Interface

Here are the relevant portions of the config:

ip routing
ip dhcp relay information trust-all
!
ip dhcp snooping vlan 100
ip dhcp snooping
!
vlan 100
 name Subscribers
!
interface FastEthernet1/0/1
 description Dslam 1
 switchport access vlan 100
!
interface FastEthernet1/0/2
 description Dslam 2
 switchport access vlan 100
!
interface GigabitEthernet1/0/1
 description Feed from Site X
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,3
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan100
 description Subscribers
 ip address aa.aa.aa.aa bbb.bbb.bbb.bbb
 ip access-group block-bad-traffic out
 ip helper-address xxx.yyy.zzz.aaa
!
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.dd
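One way to triage these log messages before spanning ports, as an added example that is not part of the original post: a small Python script that parses the DHCP snooping drop lines, normalises the source MAC, and separates drops whose MAC sa is one of the switch's own interface MACs (the case described above) from drops that point at some other host. The sample syslog lines and MAC addresses are constructed, and the exact message wording beyond what the post quotes is an assumption.

```python
import re
from collections import Counter

# Pattern for the snooping drop quoted in the post; the syslog prefix and the
# exact wording beyond the quoted text are assumptions.
SNOOP_RE = re.compile(
    r"%DHCP_SNOOPING-\d-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message "
    r"on untrusted port, message type: (?P<msg>[A-Z]+), MAC sa: (?P<mac>[0-9A-Fa-f.:-]+)"
)

ORIGIN_OWN = "switch's own interface MAC"
ORIGIN_OTHER = "not a switch MAC: candidate rogue server"


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits; accepts Cisco dotted, colon or dash forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_drops(log_lines, own_macs):
    """Count snooping drops per (MAC sa, message type) and tag each MAC as the
    switch's own or as an external host, most frequent first."""
    own = {normalize_mac(m) for m in own_macs}
    counts = Counter()
    for line in log_lines:
        m = SNOOP_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        counts[(normalize_mac(m.group("mac")), m.group("msg"))] += 1
    report = []
    for (mac, msg), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        origin = ORIGIN_OWN if mac in own else ORIGIN_OTHER
        report.append({"mac": mac, "type": msg, "count": n, "origin": origin})
    return report


# Constructed sample log lines; the MAC addresses are made up for illustration.
SAMPLE_LOG = [
    "Jun  9 15:40:01 sw1 123: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455",
    "Jun  9 15:40:03 sw1 124: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455",
    "Jun  9 15:41:17 sw1 125: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 00:aa:bb:cc:dd:ee",
    "Jun  9 15:41:20 sw1 126: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up",
]
OWN_MACS = ["0011.2233.4455"]  # constructed MAC standing in for interface Vlan100

if __name__ == "__main__":
    for row in classify_drops(SAMPLE_LOG, OWN_MACS):
        print(row)
```

Feed it the switch's real syslog export and the MACs from `show interfaces` on the SVIs; any row tagged as an external host is a MAC worth looking up in the MAC address table.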

