Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
830
Views
0
Helpful
5
Replies

Shut down switchport if DHCP request seen

Kevin Dorrell
Level 10
Level 10

‎01-28-2008 11:45 PM - edited ‎03-05-2019 08:46 PM

I would like to shut down a switchport if the attached host generates a DHCP request.

I want to discourage users from connecting network devices (e.g. SmartPhones) via the PC USB port. The PCs have fixed IP addresses so they should never use DHCP. When they plug in certain (unauthorised) devices to their USB ports, the device generates a DHCP request, but using the MAC address of the PC (so it is no good using port-security).

Catalyst 4500 running 12.2(25)EWA.

Any ideas?

Kevin Dorrell

Luxembourg

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎01-29-2008 12:28 AM

Hi Kevin

Do you want to shut the switchport down or do you just want to stop them getting an IP address ?

If you just want to stop them getting IP address and your PC's are static could you not just make sure your DHCP server is on a separate vlan and have no ip helper-address command on the client vlan interfaces ?

Jon

0 Helpful

Kevin Dorrell
Level 10
Level 10
In response to Jon Marshall

‎01-29-2008 03:00 AM

Jon,

I actually want to shut the port down. I want to provide a strong disincentive even to connect the devices unless they are authorised and correctly configured.

As it stands, I don't have any DHCP on that VLAN. There is an incoming access-list that logs any DHCP request (along with its MAC address) so I can go and tap the user on the shoulder. But they don't seem to learn. I still see DHCP requests, followed by traffic from 169.254.x.x (which is also blocked by the same access-list, and logged, together with its MAC address).

That's me, the access police !

Kevin Dorrell

Luxembourg

0 Helpful

Kevin Dorrell
Level 10
Level 10
In response to ohassairi

‎01-29-2008 03:03 AM

Thank you for that document. What I want to do is detect any DHCP request, and then kill the switchport it comes from. Can I use DHCP snooping for that, and if so, how do I configure it?

Kevin Dorrell

Luxembourg

0 Helpful

limseng80
Level 1
Level 1
In response to Kevin Dorrell

‎01-29-2008 04:21 AM

There is a limit rate command which I am unsure of how well it may work for you, if you 'll like to test it with an unbelievably low limit rate <5 pps and restrict on violation.

I have not tested this myself and I am interested to know the result too :)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card