[c-nsp] DHCP Snooping and tracking down rogue dhcp servers

Justin Krejci JKrejci at usinternet.com
Thu Jun 9 18:13:25 EDT 2016

I might guess it is the 3750's own DHCP server packet that is being looped back to itself, perhaps by one of the downstream customer connections, and thus identifies a "rogue" dhcp server that is actually itself.

If it is actually a rogue DHCP server, is that a problem? Seems like that log message is just informational as it is indicating dhcp snooping did what it is designed to do.

From: Shawn L [shawn at rmrf.us]
Sent: Thursday, June 09, 2016 2:53 PM
To: Cisco Network Service Providers
Subject: [c-nsp] DHCP Snooping and tracking down rogue dhcp servers

I have a weird one that's been bugging me for a while.  Hoping someone
might have some insight.

We have a cisco 3750 switch that's providing aggregation for several dslams
at a small remote site.  The dslams don't have any real ip awareness or
routing abilities, etc. so we're utilizing the switch as both a switch, and
a router to do dhcp-relay back to a central office server.  We also have
DHCP snooping turned on, so that none of the customers can attempt to start
handing out addresses.

Sporadically for the past several months we've been receiving log errors
that show that there is a rogue dhcp server on the network somewhere, but I
can't seem to find it.  The log messages show the MAC address of the switch
itself, not of the rogue dhcp server.

I've even resorted to doing a wireshark packet capture, spanning one port
at a time and looking for DHCP traffic to track it down, but it didn't
yield any results.  From the log messages, it was definitely seeing the
rogue dhcp server at the time we were performing the monitoring.

Does anyone have any ideas on how to track this down better?

Here's an example of the log message

on untrusted port, message type: DHCPOFFER, MAC sa:

Here's the relevant portions of the config

ip routing
ip dhcp relay information trust-all
ip dhcp snooping vlan 100
ip dhcp snooping
vlan 100
 name Subscribers
interface FastEthernet1/0/1
 description Dslam 1
 switchport access vlan 100
interface FastEthernet1/0/2
 description Dslam 2
 switchport access vlan 100
interface GigabitEthernet1/0/1
 description Feed from Site X
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,3
 switchport mode trunk
 ip dhcp snooping trust

interface Vlan100
 description Subscribers
 ip address aa.aa.aa.aa bbb.bbb.bbb.bbb
 ip access-group block-bad-traffic out
 ip helper-address xxx.yyy.zzz.aaa
ip route aa.bb.cc.dd
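The drop messages quoted above can be triaged automatically. The following is an added example, not code from the thread: it parses syslog lines of the assumed form `%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: ... message type: X, MAC sa: Y` (extrapolated from the fragment in the post) and reports, per source MAC, whether the dropped server-side messages come from the switch's own MAC (a looped-back copy of its own relayed offers) or from an unknown device. The syslog prefixes and MAC values in the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed message layout, extended from the fragment quoted in the post.
_PATTERN = re.compile(
    r"DHCP_SNOOPING_UNTRUSTED_PORT.*?message type:\s*(?P<mtype>\w+),"
    r"\s*MAC sa:\s*(?P<mac>[0-9a-fA-F.:-]+)"
)

# Only server-originated messages are meaningful on an untrusted port.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits; accepts Cisco dotted,
    colon or dash notation so log and 'show' output can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_snooping_line(line):
    """Extract (message_type, mac) from one snooping drop line, else None."""
    m = _PATTERN.search(line)
    if not m:
        return None
    return m.group("mtype").upper(), normalize_mac(m.group("mac"))


def classify_drops(lines, own_macs):
    """Count dropped server messages per source MAC and tag each as 'self'
    (the switch's own MAC, i.e. its offers looped back to it) or 'external'
    (a device that is actually answering DHCP on an untrusted port)."""
    own = {normalize_mac(m) for m in own_macs}
    counts = Counter()
    for line in lines:
        parsed = parse_snooping_line(line)
        if parsed is None or parsed[0] not in SERVER_MESSAGES:
            continue
        counts[parsed[1]] += 1
    return {mac: ("self" if mac in own else "external", n)
            for mac, n in counts.items()}


# Constructed sample lines in the assumed format (not from the original post).
SAMPLE_LOG = [
    "Jun  9 14:01:12: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0019.aaaa.bbbb",
    "Jun  9 14:01:13: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0019.aaaa.bbbb",
    "Jun  9 14:05:40: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 00:1c:cc:dd:ee:ff",
    "Jun  9 14:05:41: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    # 0019.aaaa.bbbb plays the role of the switch's own MAC here.
    for mac, (verdict, n) in classify_drops(SAMPLE_LOG, ["0019.aaaa.bbbb"]).items():
        print(f"{mac}: {verdict} ({n} drops)")
```

A MAC tagged `self` points at a loop or reflection on a customer-facing port rather than a third-party server; an `external` MAC is the one worth chasing with per-port captures.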
cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/