Cisco Support Community
New Member

Rogue Dhcp

Hi all,

I am looking for a way to block rogue DHCP servers on our network. We are a college campus and we have students who bring in Linksys, Netgear, etc. routers that are serving up DHCP on our student VLAN. Is there a way I can block this so that only legitimate DHCP routers serve this VLAN? Our residence halls do not currently have Cisco switches in them, but they all come back to our core via fiber to a Cisco 3550. Any suggestions on how I might be able to control these rogue DHCP servers?

Thanks in advance.

Jeff

5 REPLIES
Hall of Fame Super Gold

Re: Rogue Dhcp

Jeff

I do not see any way for your 3550 to block these DHCP servers. The biggest problem is that the DHCP request goes out as a Layer 2 broadcast, so these servers will see the request and respond to it. Since this traffic does not depend on the 3550 to get propagated within the VLAN, it is not possible for the 3550 to block the traffic.

HTH

Rick

New Member

Re: Rogue Dhcp

What problem is this causing for you? You can set up static addressing if it's feasible, or use static DHCP. You may also look into port security. It's a bit difficult to say if you're not using Cisco switches at the access level.

New Member

Re: Rogue Dhcp

The problem we are running into is that on the student VLAN users will occasionally get an IP address assigned from one of these rogue routers. Our help desk will then get calls from these people complaining that their internet does not work. We will eventually be swapping out the switches in the residence halls for Cisco equipment, but in the interim I was looking for a way to allow only legitimate DHCP servers on the student VLAN.

Thanks.

Jeff

Silver

Re: Rogue Dhcp

I believe what you are looking for is DHCP snooping. It basically lets you specify which ports to allow DHCP servers on. Be sure you test it in a lab, since many people forget to allow servers on their uplinks to core switches and can break their network that way.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00802cb633.html#wp1078853

-EDIT-

Now that I read your post again, there is no way to block it from the Cisco side if you have non-Cisco switches in the closets. However, DHCP snooping can protect one switch linked to the 3550 from receiving DHCP from a different switch connected to the 3550. Long-term, if you can migrate to Cisco switches, the DHCP snooping option will be your best bet.

-Eric

Please remember to rate all helpful posts.
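Eric's description as a concrete 3550 configuration, added here as an illustration rather than taken from the thread or from the linked Cisco guide: the only port allowed to source DHCP replies is the uplink toward the real server, and every closet link stays untrusted, so a rogue behind closet A can no longer answer clients behind closet B (it still reaches clients on its own closet switch, as Eric notes). It assumes student VLAN 100, GigabitEthernet0/1 as the uplink to the core and DHCP server, and FastEthernet0/1-0/2 as the fiber links to the residence hall closets; substitute your own VLAN and interface names.

```cisco
! Assumed topology (not from the thread): student VLAN 100, uplink on
! Gi0/1, residence hall closet links on Fa0/1 and Fa0/2.
!
! Enable DHCP snooping globally, then only on the student VLAN.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Snooping inserts option 82 into relayed requests by default; if the
! legitimate DHCP server rejects such packets, turn the insertion off.
no ip dhcp snooping information option
!
! Uplink toward the core and the legitimate DHCP server. This is the one
! port permitted to send DHCP OFFER/ACK into the VLAN. Leaving out the
! trust line is the mistake Eric warns about: every client downstream of
! the 3550 then loses DHCP entirely.
interface GigabitEthernet0/1
 description Uplink to core and legitimate DHCP server
 ip dhcp snooping trust
!
! Closet links stay untrusted (the default): any DHCP server reply
! arriving on them is dropped, and the rate limit caps how many DHCP
! packets per second a closet may send before the port is err-disabled.
interface FastEthernet0/1
 description Residence hall A closet switch (non-Cisco)
 switchport access vlan 100
 ip dhcp snooping limit rate 15
!
interface FastEthernet0/2
 description Residence hall B closet switch (non-Cisco)
 switchport access vlan 100
 ip dhcp snooping limit rate 15
!
! Verification after applying:
!   show ip dhcp snooping          -> confirms VLAN 100, trusted ports, limits
!   show ip dhcp snooping binding  -> MAC/IP leases learned on untrusted ports
```

Test this on a lab switch first: an untrusted uplink silently drops every lease, which looks exactly like the outage the rogue routers cause.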

New Member

Re: Rogue Dhcp

Thanks for your suggestions. It looks like I will have to push to get Cisco's in those res hall closets.

Thanks again.

Jeff
