Preventing Multiple DHCP servers/Vlans

Is there a way to prevent a router being plugged into a network taking over the dhcp/routing without using vlans or something heavier like 802.1x/domain isolation? We've got some procurve switches which support dhcp-snooping which looks like a nice solution, but it relies on vlans.
 
Sounds...perfect. We have a regular problem that people plug in routers, for testing purposes, to the "house" network, despite it being company policy not to do so (we have lots of little test rooms with isolated networks) :rolleyes:. Everyone loses internet connection for a while until it's detected and unplugged. I'm presuming it's because the rogue router takes over dhcp/dns/routing temporarily?

Can you also do the same to authorise DNS?
 
The gateway is different. Will have a hunt around too, thanks :).

Just to check as well, the article is for Win2000, I'm assuming it's applicable to 2003/2008 as well?
 
Is it possible to do it via Windows AD?

I've just looked at the second link and that is what I've done when adding a new DHCP server (if you don't authorise the server, then it won't handle DHCP requests IIRC).

If you plug in a bog-standard router which is enabled as a DHCP server, how can a Windows DC stop it (the router) from responding to DHCP discovery broadcasts? A client can get multiple DHCP offers but then only accepts one which could be from the router.
The unauthorised dhcp server sends a DHCPInform request which gets rejected because it's not on the authorised list. At least that's the case with 2000, probably the same albeit improved with 2003/2008.
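A defender-side check in the spirit of the discussion above, added here as an example and not taken from the thread or from any product mentioned in it: parse a DHCPOFFER, pull out the server identifier (option 54) and flag any offer whose server is not on an allowlist. The allowlist, addresses and the offer packets are constructed for the example; the parser follows the standard BOOTP/DHCP layout (236-byte fixed header, magic cookie, then TLV options).

```python
import ipaddress

AUTHORISED_DHCP_SERVERS = {"10.0.0.2"}   # constructed allowlist of known DHCP servers
DHCP_MAGIC = b"\x63\x82\x53\x63"         # magic cookie that precedes DHCP options


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from the UDP payload of a DHCP packet."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def classify_offer(payload: bytes, allowlist=AUTHORISED_DHCP_SERVERS):
    """Return (server_ip, is_authorised) for a DHCPOFFER, or None for other message types."""
    opts = parse_dhcp_options(payload)
    if opts.get(53) != b"\x02":  # option 53, message type 2 = DHCPOFFER
        return None
    sid = opts.get(54)           # option 54, server identifier (required in an OFFER)
    if sid is None or len(sid) != 4:
        return ("<missing>", False)   # a malformed offer is treated as unauthorised
    server_ip = str(ipaddress.IPv4Address(sid))
    return (server_ip, server_ip in allowlist)


def build_offer(server_ip: str, yiaddr: str, router: str) -> bytes:
    """Construct a minimal DHCPOFFER (test input only)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6           # BOOTREPLY, Ethernet, hlen 6
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed  # yiaddr: offered address
    options = (b"\x35\x01\x02"                                            # 53: OFFER
               + b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed    # 54: server id
               + b"\x03\x04" + ipaddress.IPv4Address(router).packed       # 3: router
               + b"\xff")
    return bytes(header) + DHCP_MAGIC + options
```

Run over offers captured on the house VLAN, this is the same decision a DHCP-snooping switch makes per port: offers from a listed server pass, anything else (such as a test router handing out 192.168.1.x) is reported.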
 
The guide for DHCP rogues that I posted was aimed at server 2008, not 2003 (check the date of your article, it was released before server 2008). Like I said, I don't know how it works - I basically found the articles when doing a search.

Can I ask, how are the routers 'tested'. As you may just be able to assign one switch to a VLAN that is used for testing and have them plug test equipment in there.
The usual test is to plug 'em in, load a config file, test some remote commands, send strings to them that make them perform commands, try and break them etc, so they ideally need to be on the same network as people's computers.

My question is does the DHCP server in a cheap as chips home router (eg a £15 TP-Link router) send out DHCPInform and shut down if an authorised 2008 R2 server responds?

Ah, sorry I'm not entirely sure about that.
 
Pity you don't have a dedicated switch for this, get everyone to plug their PC and the routers in for testing, so they are separated from the rest of the LAN, but can still do the remote commands etc.
Indeed.

Not likely :)
I think your biggest issue is not the DHCP but the rogue routers using the same IP address as your gateway.
It's not, as I said above the gateway used for net traffic is different to the default IP of the routers. It's a different subnet even.
Or get some good switches that allow you to set-up lists of authorised devices. :)
If only that were an option!
 