From: Charles Church (cchurch@wamnet.com)
Date: Sat Apr 26 2003 - 10:11:09 GMT-3
Assuming you had the use of port ACLs, blocking DHCP is like blocking
anything else. DHCP uses two registered UDP ports (67 and 68 if I remember
right, look up BOOTPC and BOOTPS), so blocking the server port (68) at all
switch ports (except the authorized DHCP server) should work. But it's not
an option on 5500s. So to sum it up, I don't think you've got an easy
solution using what you've got to block it. Detecting an unauthorized
server is pretty easy though. Every DHCP client will maintain the IP
address of the DHCP server that issued it an address. So a help desk call
with the right questions asked should provide you with the IP address of the
rogue server pretty quickly. Disable the port that belongs to that server
IP address, and you're back in business.
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 585-233-2706
cchurch@wamnet.com
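The detection approach described above (read the server address a client was issued, compare it with the designated server, and act on anything else) can be automated. The following is an added example and is not code from the thread or from any Cisco product: it decodes DHCP OFFER/ACK messages to pull out the server identifier (option 54), flags any server that is not on an allow-list, and also extracts the "DHCP Server" field from the kind of `ipconfig /all` text a help desk would collect. The authorized server address, the sample packets and the sample `ipconfig` output are all constructed for the example.

```python
import re
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Constructed: the one designated DHCP server for the example network.
AUTHORIZED_SERVERS = {"10.1.1.5"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed header and the options of one DHCP message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = str(IPv4Address(payload[16:20]))      # address offered/assigned to the client
    chaddr = payload[28:28 + hlen].hex(":")         # client hardware (MAC) address
    options, i = {}, 240
    while i < len(payload):                        # TLV walk, tolerant of PAD bytes
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        options[code] = data
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(OPT_MESSAGE_TYPE, b"\x00")[0], "UNKNOWN")
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": op, "xid": xid, "client_mac": chaddr, "offered_ip": yiaddr, "type": msg_type,
        "server_id": str(IPv4Address(server_id)) if server_id and len(server_id) == 4 else None,
    }


def find_rogue_offers(payloads, authorized=AUTHORIZED_SERVERS):
    """Return (server, offered_ip, client_mac) for every OFFER/ACK from a non-authorized server."""
    rogues = []
    for p in payloads:
        msg = parse_dhcp(p)
        if msg["type"] in ("OFFER", "ACK") and msg["server_id"] and msg["server_id"] not in authorized:
            rogues.append((msg["server_id"], msg["offered_ip"], msg["client_mac"]))
    return rogues


# Matches the "DHCP Server . . . . : a.b.c.d" line of Windows `ipconfig /all` output.
IPCONFIG_RE = re.compile(r"DHCP Server[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")


def dhcp_servers_from_ipconfig(text: str):
    """Pull the DHCP server address(es) a client reports, e.g. from a help desk ticket."""
    return sorted(set(IPCONFIG_RE.findall(text)))


def build_offer(xid: int, yiaddr: str, server_id: str, mac: str) -> bytes:
    """Construct a minimal DHCPOFFER so the example runs offline (sample data, not a capture)."""
    zero = IPv4Address("0.0.0.0").packed
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op=BOOTREPLY, ethernet
    header += zero + IPv4Address(yiaddr).packed + IPv4Address(server_id).packed + zero
    header += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10     # chaddr padded to 16
    header += b"\x00" * 64 + b"\x00" * 128                           # sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, 2])            # option 53 = OFFER
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed + bytes([OPT_END])
    return header + opts


if __name__ == "__main__":
    # Constructed sample: one offer from the designated server, one from an unknown box.
    captured = [
        build_offer(0x1234, "10.1.1.50", "10.1.1.5", "00:11:22:33:44:55"),
        build_offer(0x1235, "192.168.0.10", "10.1.1.99", "00:11:22:33:44:66"),
    ]
    for server, offered, mac in find_rogue_offers(captured):
        print(f"rogue DHCP server {server} offered {offered} to {mac}")
    # Constructed sample of what a help desk would read back from `ipconfig /all`.
    ticket = ("   DHCP Enabled. . . . . . . . . . . : Yes\n"
              "   IP Address. . . . . . . . . . . . : 192.168.0.10\n"
              "   DHCP Server . . . . . . . . . . . : 10.1.1.99\n")
    print("client reports DHCP server(s):", dhcp_servers_from_ipconfig(ticket))
```

Once the rogue server's IP is known, the switch's MAC/ARP tables map it to a port, which is the step the message above describes. Feeding the parser from a live capture is left to the reader; the important part is that the server identifier, not the source address, is what the client records and what the allow-list should be compared against.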
-----Original Message-----
From: aansar@sscomp.com.sg [mailto:aansar@sscomp.com.sg]
Sent: Saturday, April 26, 2003 1:00 AM
To: Charles Church
Subject: RE: DHCP server security
Hi Charles,
As DHCP is broadcast based, how can I stop it with an ACL? I read the
article; it looks like I have to adopt a Win2k environment with Active
Directory to have DHCP authentication.
Thanks
From: "Charles Church" <cchurch@wamnet.com>
To: <aansar@sscomp.com.sg>, <ccielab@groupstudy.com>, <nobody@groupstudy.com>
cc:
Subject: RE: DHCP server security
Date: 26/04/2003 11:48 AM
Check out:
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac172/about_cisco_packet_department09186a00800a33f4.html
I know on the newer switches (2950s, 3550s, 6500) you can use VLAN and port
ACLs to prevent this.
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 585-233-2706
cchurch@wamnet.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of aansar@sscomp.com.sg
Sent: Friday, April 25, 2003 9:39 PM
To: ccielab@groupstudy.com; nobody@groupstudy.com
Subject: DHCP server security
Dear All,
How can I restrict the clients to obtaining addresses from only one DHCP server
(the designated server)? I am using a Cat5509.
If someone accidentally brings up a duplicate DHCP server in the network,
the clients shouldn't get an address from it; most of the time when it happens
it creates a big problem.
Please help.
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:07 GMT-3