How to detect rogue DHCP servers on the internal network?

Reply to How to detect rogue DHCP servers on the internal network? on Mon, 14 Oct 2013 02:07:46 GMT

johnpoz — Mon, 14 Oct 2013 02:07:46 GMT

Well your not going to be able to run dhcp snooping unless your switches support it. And all the switches would need to be able to do it, not just a couple of them. Or you still would have problems with people connected to the same switch that is down stream from your managed switch..

I can not believe a school network would run on such crap?

I would think a school would run decent hardware? How does tuition not cover a decent network - shit doesn't the school have a computer science program? This would all be hand on stuff that should be talk in the classes..

Reply to How to detect rogue DHCP servers on the internal network? on Sun, 13 Oct 2013 15:59:00 GMT

egil — Sun, 13 Oct 2013 15:59:00 GMT

Hi John,

Unfortunately, the network topology is the worst kind of homemade, with only a few managed switches here and there, and bad cabling to top it of.
The switches that can best be described as being the backbone are two ZyXEL GS2200-24P and a Dell PowerConnect 2724.

I don't know much about DHCP snooping, how to set it up etc., so any advice is welcome indeed. Is it possible on a switch level to block DHCP ACK's that are not coming from a specific MAC address?

Reply to How to detect rogue DHCP servers on the internal network? on Sun, 13 Oct 2013 13:38:01 GMT

johnpoz — Sun, 13 Oct 2013 13:38:01 GMT

If you have windows here is a older tool that still works

http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

But it would be better to prevent than detect wouldn't it - what switches are you using?
http://en.wikipedia.org/wiki/DHCP_snooping
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html

in linux use dhcp probe