Shut down switchport if DHCP request seen

Unanswered Question
Jan 28th, 2008

I would like to shut down a switchport if the attached host generates a DHCP request.

I want to discourage users from connecting network devices (e.g. SmartPhones) via the PC USB port. The PCs have fixed IP addresses so they should never use DHCP. When they plug in certain (unauthorised) devices to their USB ports, the device generates a DHCP request, but using the MAC address of the PC (so it is no good using port-security).

Catalyst 4500 running 12.2(25)EWA.

Any ideas?

Kevin Dorrell


Jon Marshall Tue, 01/29/2008 - 00:28

Hi Kevin

Do you want to shut the switchport down, or do you just want to stop them getting an IP address?

If you just want to stop them getting an IP address and your PCs are static, could you not just make sure your DHCP server is on a separate VLAN and have no ip helper-address command on the client VLAN interfaces?


Kevin Dorrell Tue, 01/29/2008 - 03:00


I actually want to shut the port down. I want to provide a strong disincentive even to connect the devices unless they are authorised and correctly configured.

As it stands, I don't have any DHCP on that VLAN. There is an incoming access-list that logs any DHCP request (along with its MAC address) so I can go and tap the user on the shoulder. But they don't seem to learn. I still see DHCP requests, followed by traffic from 169.254.x.x (which is also blocked by the same access-list, and logged, together with its MAC address).

That's me, the access police!

Kevin Dorrell


Kevin Dorrell Tue, 01/29/2008 - 03:03

Thank you for that document. What I want to do is detect any DHCP request, and then kill the switchport it comes from. Can I use DHCP snooping for that, and if so, how do I configure it?

Kevin Dorrell


limseng80 Tue, 01/29/2008 - 04:21

There is a limit rate command which I am unsure of how well it may work for you, if you'd like to test it with an unbelievably low limit rate (<5 pps) and restrict on violation.

I have not tested this myself and I am interested to know the result too :)
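The configuration below is an added illustration of the DHCP snooping rate-limit approach mentioned in the reply above; it is not from any poster in this thread and has not been tested on the 12.2(25)EWA image in the question. The VLAN number, the interface range and the 5 minute recovery interval are assumptions chosen for the example. The point it shows is that the trigger is the DHCP packet itself, not the source MAC, so it still works when the USB device borrows the PC's MAC address (the reason port-security was ruled out in the original question).

```cisco
! Added example; not posted by anyone in this thread.
! VLAN 10, the interface range and the timers are assumptions.
!
! Enable DHCP snooping globally and on the client VLAN. Every access
! port is untrusted by default; with no trusted port on this VLAN no
! DHCP server replies are accepted at all, which matches a VLAN that is
! not supposed to carry DHCP.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Per-port rate limit on incoming DHCP packets. A port that exceeds the
! limit is placed in errdisable, i.e. it is shut down until recovered.
! 1 pps is the lowest accepted value, so a client that sends a single
! DISCOVER and waits will not trip it, while the usual retransmission
! burst will. Verify the behaviour with the actual USB devices first.
interface range GigabitEthernet1/1 - 48
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 1
!
! Optional automatic recovery: the port stays down long enough for the
! user to notice, then comes back without a manual shutdown / no shutdown.
! Omit these two lines if the port should stay down until an admin acts.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification after a test:
!   show ip dhcp snooping
!   show interfaces status err-disabled
!   show errdisable recovery
```

Two things to check before relying on it: an errdisabled port drops all traffic, so the PC behind the USB device loses connectivity as well (which is the disincentive being asked for, but it means a false trigger takes a legitimate user offline), and the existing logging access-list should be kept, since it records the MAC address and the errdisable event only records the interface.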

