I am looking for a way to block rogue DHCP servers on our network. We are a college campus and we have students who bring in Linksys, Netgear, etc. routers that are serving up DHCP on our student VLAN. Is there a way I can block this so that only legitimate DHCP routers serve this VLAN? Our residence halls do not currently have Cisco switches in them, but they all come back to our core via fiber to a Cisco 3550. Any suggestions on how I might be able to control these rogue DHCP servers?
I do not see any way for your 3550 to block these DHCP servers. The biggest problem is that the DHCP request goes out as a layer 2 broadcast. So these servers will see the request and respond to it. Since this traffic is not dependent on the 3550 to get propagated within the VLAN it is not possible for the 3550 to block the traffic.
What problem is this causing for you? You can set up static addressing if it's feasible, or use static DHCP. You may also look into port security. It's a bit difficult to say if you're not using Cisco switches at the access level.
The problem we are running into is that on the student VLAN users will occasionally get an IP address assigned from one of these rogue routers. Our help desk will then get calls from these people complaining that their internet does not work. We will eventually be swapping out the switches in the residence halls for Cisco equipment, but in the interim I was looking for a way to allow only legitimate DHCP servers on the student VLAN.
I believe what you are looking for is DHCP snooping. It basically lets you specify which ports to allow DHCP servers on. Be sure you test it in a lab, since many people forget to allow servers on their uplinks to core switches and can break their network that way.
Now that I read your post again, there is no way to block it from the Cisco side if you have non-Cisco switches in the closets. However, DHCP snooping can protect one switch linked to the 3550 from receiving DHCP from a different switch connected to the 3550. Long-term, if you can migrate to Cisco switches, the DHCP snooping option will be your best bet.
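The DHCP snooping setup described in the two replies above, as an added example that is not from the thread: the student VLAN number (10), the uplink interface (Gi0/1) and the access port range are assumed placeholders, and the switch is assumed to run an IOS release that supports the feature. Untrusted ports drop DHCP server messages (OFFER/ACK), so the uplink toward the legitimate server is the one port that must be trusted; a non-Cisco closet switch hanging off an untrusted port is isolated from the rest of the VLAN, but hosts behind it are still exposed to a rogue on that same switch.

```cisco
! Added example (not from the thread): DHCP snooping on a Cisco IOS switch.
! VLAN 10, Gi0/1 and Fa0/1-24 are placeholders for this campus's values.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option-82 insertion is on by default; some DHCP servers discard relayed
! requests that carry it, so turn it off unless the server expects it.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink to core / legitimate DHCP server - MUST be trusted
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 24
 description Student access ports - untrusted (default), server replies dropped
 ! Rate-limit client DHCP traffic so a misbehaving host cannot flood the CPU
 ip dhcp snooping limit rate 15
!
! Verify trust state, per-VLAN status and learned leases:
! show ip dhcp snooping
! show ip dhcp snooping binding
```

Test in a lab first: a trunk or uplink left untrusted silently drops the legitimate server's offers for the whole VLAN, which is the outage the reply above warns about.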