Handling of illegal DHCP in the Intranet

Source: Internet
Author: User

Most enterprise networks today have an intranet and an Internet connection side by side. Once a DHCP server is in use, a rogue (unauthorized) DHCP server on the intranet becomes a real possibility, so this article looks at the problem in some detail. If someone has carelessly enabled the DHCP service on an intranet machine because it came with Windows Server, or an unauthorized DHCP server has appeared for some other reason (a home router plugged into an office port is the classic case), what is the impact on the network?

A DHCP server automatically hands out network parameters such as the IP address, subnet mask, default gateway, DNS and WINS servers, which simplifies client configuration and makes administration more efficient. The protocol, however, has no authentication between server and client: a client accepts the first valid DHCPOFFER it receives, so a rogue DHCP server on the same segment wins some share of the clients and assigns them its own address, gateway and DNS. Those hosts then cannot reach the rest of the network or the Internet, or, worse, are silently routed through a gateway and resolver that an attacker controls. How can this be dealt with?

On a client you can release the current parameters with ipconfig /release and ask for a new lease with ipconfig /renew, hoping that the legitimate server answers first this time. This is purely reactive: whichever server's DHCPOFFER arrives first wins, so it can take a dozen or more attempts before the correct configuration is obtained, and it does nothing to remove the rogue server. It does, however, give you a lead: the DHCP Server field in ipconfig /all shows which server issued the current lease, and that address identifies the rogue device.

A second approach applies when the rogue server is a Windows machine in a Windows domain: the domain itself can filter it out, by registering only the legitimate DHCP servers in Active Directory. The mechanism is that when the Windows DHCP service starts, and at intervals thereafter, it sends a DHCPINFORM to discover other DHCP servers on the segment and checks Active Directory for an authorization entry for itself. A domain-member server without such an entry refuses to service clients, and a stand-alone (workgroup) server that learns from the DHCPINFORM replies that a directory-authorized server exists likewise stops responding. In other words, an authorized DHCP server takes precedence over an unauthorized one: as long as a legitimate server is present, the rogue one stays silent and its addresses are never handed out.

The procedure for authorizing a legitimate DHCP server is as follows:

Step 1: Start -> Programs -> Administrative Tools -> DHCP.

Step 2: Right-click the DHCP root node and choose Manage authorized servers.

Step 3: Click Authorize and enter the name or IP address of the DHCP server to authorize. The account doing this must be a member of Enterprise Admins.

This method, however, only stops rogue servers that run the Windows DHCP service. It requires a domain and Active Directory, the configuration is fiddly, and it does nothing against DHCP servers on non-Windows systems (a Linux host running dnsmasq, or a consumer router), because those never consult Active Directory at all. On Windows Server 2012 and later the same authorization entry can also be created and listed with the Add-DhcpServerInDC and Get-DhcpServerInDC PowerShell cmdlets.

A better approach is DHCP snooping on the switch. The switch inspects DHCP traffic, builds and maintains a DHCP snooping binding table (client MAC, assigned IP, lease time, VLAN and port) and filters untrusted DHCP messages, which means anything a rogue server sends toward clients is dropped. First classify the switch ports as trusted or untrusted: the port connected to the legitimate DHCP server (or the uplink toward it, if the server sits behind another switch or a relay agent) is trusted; every port facing ordinary clients is untrusted. DHCP packets arriving on untrusted ports are intercepted and inspected, and server-side messages received there (DHCPOFFER, DHCPACK, DHCPNAK) are discarded, so a rogue server plugged into an access port can never reach a client. Trust only the devices that actually hand out leases and the uplinks toward them; trusting access ports defeats the whole mechanism.

Basic configuration example (Cisco IOS):

Switch(config)# ip dhcp snooping vlan 100,200
! Enable snooping on the VLANs that carry client traffic

Switch(config)# ip dhcp snooping
! Global enable; nothing is inspected until this is on

Switch(config)# interface fa4/10
! Port facing the legitimate DHCP server

Switch(config-if)# ip dhcp snooping trust

Switch(config-if)# exit

Switch(config)# interface range fa3/1 - 48
! All other (client-facing) ports

Switch(config-if-range)# no ip dhcp snooping trust
! Untrusted is the default; shown here for clarity

Switch(config-if-range)# ip dhcp snooping limit rate 10
! At most 10 DHCP packets per second per port, which limits DHCP denial-of-service
! (address-starvation) floods to some extent. A port that exceeds the limit is
! err-disabled, so choose a value above the normal client load.
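The behaviour described in the last two sections, both the damage a rogue server does (its DHCPOFFER reaches the client first) and what the snooping switch does about it, can be made concrete in code. The following Python model is an added example, not code from the page or from any switch vendor: it builds constructed DHCP messages, parses the BOOTP header and options 53/54, and applies the per-port decisions that the configuration above enables (trusted ports pass uninspected, server messages on untrusted ports are dropped and their server identifier recorded, a chaddr that disagrees with the frame's source MAC is dropped, and a port exceeding the rate limit is err-disabled). The port names, MAC addresses, IP addresses and the simplified one-second window are assumptions for illustration.

```python
"""Simplified model of DHCP snooping decisions (added illustration, not code from the page).
All MAC addresses, IP addresses and port names below are constructed sample data."""
import struct
from collections import Counter
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                       # magic cookie that starts the DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2                    # BOOTP 'op' field: client -> 1, server -> 2
DISCOVER, OFFER, REQUEST, ACK, NAK, INFORM = 1, 2, 3, 5, 6, 8   # option 53 message types
SERVER_MSGS = {OFFER, ACK, NAK}                  # only a DHCP server legitimately sends these


def build_dhcp(op, msg_type, xid, client_mac, server_id=None, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP UDP payload (constructed test data, not a capture)."""
    chaddr = client_mac + b"\x00" * (16 - len(client_mac))
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,          # htype=Ethernet, hlen=6, broadcast
                        b"\x00" * 4, IPv4Address(yiaddr).packed, b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([53, 1, msg_type])                           # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed  # option 54: server identifier
    return fixed + MAGIC + opts + b"\xff"                     # 255 = end of options


def parse_dhcp(payload):
    """Return the op, client hardware address, message type and server identifier."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                                   # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": payload[0],
        "chaddr": payload[28:28 + payload[2]],                # hlen bytes of the 16-byte chaddr field
        "msg_type": opts[53][0] if 53 in opts else None,
        "server_id": str(IPv4Address(opts[54])) if len(opts.get(54, b"")) == 4 else None,
    }


class DhcpSnooper:
    """Per-port filter modelled on 'ip dhcp snooping' (single VLAN, no binding-table ageing)."""

    def __init__(self, trusted_ports, rate_limit_pps=10):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.seen = Counter()             # DHCP packets per untrusted port in the current second
        self.err_disabled = set()         # ports shut down for exceeding the rate limit
        self.rogue_servers = Counter()    # server identifier -> dropped server messages

    def ingress(self, port, src_mac, payload):
        """Return 'forward' or 'drop:<reason>' for one DHCP payload arriving on port."""
        if port in self.err_disabled:
            return "drop:err-disabled"
        if port in self.trusted:
            return "forward"                                  # trusted ports are not inspected
        self.seen[port] += 1                                  # (per-second window reset omitted)
        if self.seen[port] > self.rate_limit:                 # 'ip dhcp snooping limit rate N'
            self.err_disabled.add(port)
            return "drop:rate-limit"
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            return "drop:malformed"
        if msg["op"] == BOOTREPLY or msg["msg_type"] in SERVER_MSGS:
            self.rogue_servers[msg["server_id"] or "unknown"] += 1   # evidence of a rogue server
            return "drop:server-message-on-untrusted-port"
        if msg["chaddr"] != src_mac:                          # 'ip dhcp snooping verify mac-address'
            return "drop:chaddr-mismatch"
        return "forward"


def demo():
    """Run constructed traffic through the filter; returns the snooper and the decisions."""
    client = bytes.fromhex("001122334455")
    snoop = DhcpSnooper(trusted_ports={"Fa4/10"}, rate_limit_pps=10)
    decisions = [
        # ordinary client DISCOVER on an access port: forwarded
        snoop.ingress("Fa3/1", client, build_dhcp(BOOTREQUEST, DISCOVER, 0x1234, client)),
        # OFFER from the legitimate server behind the trusted port: forwarded
        snoop.ingress("Fa4/10", bytes.fromhex("aabbccddeeff"),
                      build_dhcp(BOOTREPLY, OFFER, 0x1234, client, "10.0.0.2", "10.0.0.50")),
        # OFFER from a rogue server plugged into an access port: dropped and recorded
        snoop.ingress("Fa3/7", bytes.fromhex("0a0b0c0d0e0f"),
                      build_dhcp(BOOTREPLY, OFFER, 0x1234, client, "192.168.1.1", "192.168.1.100")),
        # DISCOVER whose chaddr differs from the frame's source MAC (starvation tool): dropped
        snoop.ingress("Fa3/9", bytes.fromhex("0a0b0c0d0e0f"),
                      build_dhcp(BOOTREQUEST, DISCOVER, 0x5678, bytes.fromhex("020000000001"))),
    ]
    # 12 DISCOVERs in one second from one port: the 11th trips the limit, the 12th hits err-disable
    flood = [snoop.ingress("Fa3/2", client, build_dhcp(BOOTREQUEST, DISCOVER, n, client))
             for n in range(12)]
    return snoop, decisions, flood
```

Running demo() shows the rogue OFFER from 192.168.1.1 dropped on Fa3/7 while the identical OFFER arriving on the trusted port is forwarded. The snoop.rogue_servers counter is what you take to the switch's MAC address table to find the physical port of the rogue device; on a real switch the equivalent evidence is the DHCP snooping log messages. The chaddr check corresponds to ip dhcp snooping verify mac-address on Cisco IOS, which is enabled by default.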
