
Linksys SRW2048 Managed Switch and blocking DHCP requests.

multiband8303

Senior member
Short and sweet,

I am installing and configuring this managed switch for an apartment complex. The main issue is people install their own DHCP devices and it screws up the network consistently.

I want to have a managed switch with an ACL to block DHCP requests. This will do the trick, correct? If so, I see where it says ACL on the web interface but I'm unsure how I can specifically allow all other sorts of traffic and just deny DHCP "spanning" so that other devices only pick up the source DHCP (the switch itself) so that it configures the correct gateway and DNS information.
 
The switch will have to look into layer 3 to do the ACL correctly. Essentially you'd block any DHCP server replies from all ports except the true DHCP server port. The switch may also have a feature to detect this and shut down the port. Cisco calls it DHCP guard or snooping.

I assume you're talking about rogue DHCP servers where user machines or devices hand out incorrect IP addresses, DNS, etc.?
 
You got it,

I see in the ACL where I can permit, deny or shutdown via routing protocols or via UDP statements.

Would I simply just DENY 67-68 and push that through? But on the other end, my gateway device (which is just a Linksys WRT54G router, and also the TRUE DHCP server), how would the switch be smart enough to pass that through? MAC based filtering? Or should I simply throw that router out the window and use this as the gateway device itself?
 
Be careful with access lists. Normally when you create one there is an implicit "DENY ANY ANY" at the end and you'll want to put a "permit any any" at the end of the ACL or you're going to lock yourself out of the switch. I don't know what UDP port numbers DHCP uses but if it's 67 and 68 the ACL would look like this:

1) deny any source IP with UDP source port of 67 to any destination
2) deny any source IP with UDP source port of 68 to any destination
3) allow any ip to any ip

Then apply this ACL INBOUND to all the ports you don't want a DHCP server running on; just leave the ACL off the port with the real DHCP server.
 
Really, in all actuality, shouldn't I just throw the router out the window and set up a VLAN for the gateway from the ISP "modem" on the switch itself?
 
Originally posted by: spidey07
Be careful with access lists. Normally when you create one there is an implicit "DENY ANY ANY" at the end and you'll want to put a "permit any any" at the end of the ACL or you're going to lock yourself out of the switch. I don't know what UDP port numbers DHCP uses but if it's 67 and 68 the ACL would look like this:

1) deny any source IP with UDP source port of 67 to any destination
2) deny any source IP with UDP source port of 68 to any destination
3) allow any ip to any ip

Then apply this ACL INBOUND to all the ports you don't want a DHCP server running on; just leave the ACL off the port with the real DHCP server.

Also, unfortunately, IOS is not available on this switch; you are pretty much forced to use the web interface.
 
The problem with this switch is that you cannot bind more than one ACL to a port...

I made an ACL that permits any any on port 1 (where the router will be plugged in, which I want the DHCP to span), but if I make an ACL that denies DHCP (68-67) on the other ports, it won't pick up the true DHCP request and span it down.
 
Originally posted by: spidey07
Be careful with access lists. Normally when you create one there is an implicit "DENY ANY ANY" at the end and you'll want to put a "permit any any" at the end of the ACL or you're going to lock yourself out of the switch. I don't know what UDP port numbers DHCP uses but if it's 67 and 68 the ACL would look like this:

1) deny any source IP with UDP source port of 67 to any destination
2) deny any source IP with UDP source port of 68 to any destination
3) allow any ip to any ip

Then apply this ACL INBOUND to all the ports you don't want a DHCP server running on; just leave the ACL off the port with the real DHCP server.

Won't this prevent client workstations from actually listening on the port to receive an authentic DHCP reply?
 
No, that's why the ACL is to be applied INBOUND on the switch port. Notice only a source port of UDP 67/68 - only a server would use that, and you're trying to prevent DHCP servers on these ports.
 
I did that ACL - and when I remove the true DHCP device and do a release/renew with a rogue DHCP server in there, it still gives me the incorrect address.
 
What other ports do DHCP devices use? Here is how I am simulating it.

I have a true DHCP device which is on port 1 - the one I want everyone to have; this has an ACL of permit any any, and it works fine.

I plug in another DHCP device (i.e. a wireless router, just like a resident would in the complex) to another port on the switch which has the ACL that you specified.

I also have a workstation plugged into another port with the same ACL as the "rogue DHCP device".

When I unplug my TRUE router and do a release/renew, I get the IP address of the rogue DHCP device.

Here is my ACL:

Permit Any 0.0.0.0 0.0.0.0
Deny UDP 67 Any 0.0.0.0 0.0.0.0
Deny UDP 68 Any 0.0.0.0 0.0.0.0
 
You're in luck, I'm bored. Here's what a packet trace of DHCP looks like. clnt = client, svr = server
1) clnt sends broadcast udp src = 68, udp dst = 67
2) svr sends offer, udp src = 67, udp dst = 68
3) clnt sends request, udp src 68, udp dst = 67
4) svr sends ack, udp src 67, udp dst = 68

So, all you need to do is block any UDP source port of 67 INBOUND on ports you don't want a rogue DHCP server on.
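As an added example (not part of this thread, and not Linksys firmware or the SRW2048 web interface), the Python below models first-match ACL evaluation against the four-message exchange in the trace above. It assumes what spidey07's "implicit DENY ANY ANY" implies: the switch walks the entries top-down, the first matching entry decides, and anything unmatched is dropped. Run INBOUND on a resident's port, it shows three things at once: the ACL multiband8303 posted (Permit Any listed first) matches every packet before the deny entries are reached, so it blocks nothing; denying UDP source port 67 alone drops a rogue server's OFFER and ACK while the client's own DISCOVER and REQUEST (source port 68) still pass; and also denying source port 68 inbound would drop the client's own traffic on that port. All packets, addresses and ACLs are constructed sample data.

```python
# Added example: first-match inbound ACL evaluation over a constructed DHCP exchange.
# Assumes top-down, first-match-wins evaluation with an implicit deny at the end.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp", ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int]    # None for protocols without ports
    dst_port: Optional[int]
    note: str                  # label used in the results


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str = "any"               # "any" matches every protocol
    src_port: Optional[int] = None   # None = any source port (like "Any" in the web UI)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return "permit" or "deny" for one packet: first matching entry wins,
    unmatched packets hit the implicit deny at the end of the list."""
    for ace in acl:
        if ace.proto != "any" and ace.proto != pkt.proto:
            continue
        if ace.src_port is not None and ace.src_port != pkt.src_port:
            continue
        return ace.action
    return "deny"


def inbound_results(acl: List[Ace], packets: List[Packet]) -> Dict[str, str]:
    """Verdict per packet as if all of them arrived INBOUND on one ACL'd port."""
    return {p.note: evaluate(acl, p) for p in packets}


# Constructed sample traffic as seen inbound on a resident's port that has both a
# workstation and a rogue DHCP server (a home wireless router) behind it.
# Addresses are sample values; the 4 DHCP messages follow the trace in the thread.
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67, "client discover")
OFFER = Packet("udp", "192.168.1.1", "255.255.255.255", 67, 68, "rogue server offer")
REQUEST = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67, "client request")
ACK = Packet("udp", "192.168.1.1", "255.255.255.255", 67, 68, "rogue server ack")
WEB = Packet("tcp", "192.168.1.50", "203.0.113.10", 51234, 80, "client web traffic")
INBOUND_ON_RESIDENT_PORT = [DISCOVER, OFFER, REQUEST, ACK, WEB]

# ACL as posted by the OP: "Permit Any" is the first entry, so nothing below it is reached.
ACL_PERMIT_FIRST = [Ace("permit"), Ace("deny", "udp", 67), Ace("deny", "udp", 68)]

# Final recommendation from the thread: deny DHCP server replies, then permit everything else.
ACL_DENY_SERVER_REPLIES = [Ace("deny", "udp", 67), Ace("permit")]

# The earlier 67-and-68 variant: also drops the client's own DISCOVER/REQUEST inbound.
ACL_DENY_BOTH_PORTS = [Ace("deny", "udp", 67), Ace("deny", "udp", 68), Ace("permit")]


def rogue_replies_blocked(acl: List[Ace]) -> bool:
    """True when both rogue server messages are dropped inbound on the resident port."""
    r = inbound_results(acl, INBOUND_ON_RESIDENT_PORT)
    return r["rogue server offer"] == "deny" and r["rogue server ack"] == "deny"


def client_still_works(acl: List[Ace]) -> bool:
    """True when the client's DISCOVER/REQUEST and ordinary traffic still pass."""
    r = inbound_results(acl, INBOUND_ON_RESIDENT_PORT)
    return all(r[n] == "permit" for n in ("client discover", "client request", "client web traffic"))


if __name__ == "__main__":
    for name, acl in (("permit-first (as posted)", ACL_PERMIT_FIRST),
                      ("deny udp src 67, permit rest", ACL_DENY_SERVER_REPLIES),
                      ("deny udp src 67+68, permit rest", ACL_DENY_BOTH_PORTS)):
        print(f"{name}: rogue blocked={rogue_replies_blocked(acl)}, "
              f"client ok={client_still_works(acl)}")
        for note, verdict in inbound_results(acl, INBOUND_ON_RESIDENT_PORT).items():
            print(f"   {verdict:6} {note}")
```

Only the second ACL satisfies both checks. Because the entries are matched on the UDP source port and the list is applied inbound on the resident's port, the real server's OFFER and ACK are never inspected by this list at all: they enter the switch on port 1, which carries no deny entry, and leave toward the resident as egress traffic.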
 
So if my ACL simply states deny UDP source 67 from any address to any address, and I apply that ACL to a port where I don't want rogue DHCP devices, I should be good to go?
 
Originally posted by: spidey07
You're in luck, I'm bored. Here's what a packet trace of DHCP looks like. clnt = client, svr = server
1) clnt sends broadcast udp src = 68, udp dst = 67
2) svr sends offer, udp src = 67, udp dst = 68
3) clnt sends request, udp src 68, udp dst = 67
4) svr sends ack, udp src 67, udp dst = 68

So, all you need to do is block any UDP source port of 67 INBOUND on ports you don't want a rogue DHCP server on.

Spidey07, you are the man. It works!

Drink a cold one on me!
 