Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Shut down switchport if DHCP request seen

I would like to shut down a switchport if the attached host generates a DHCP request.

I want to discourage users from connecting network devices (e.g. SmartPhones) via the PC USB port. The PCs have fixed IP addresses so they should never use DHCP. When they plug in certain (unauthorised) devices to their USB ports, the device generates a DHCP request, but using the MAC address of the PC (so it is no good using port-security).

Catalyst 4500 running 12.2(25)EWA.

Any ideas?

Kevin Dorrell

Luxembourg

5 REPLIES
Hall of Fame Super Blue

Re: Shut down switchport if DHCP request seen

Hi Kevin

Do you want to shut the switchport down or do you just want to stop them getting an IP address ?

If you just want to stop them getting IP address and your PC's are static could you not just make sure your DHCP server is on a separate vlan and have no ip helper-address command on the client vlan interfaces ?

Jon

Re: Shut down switchport if DHCP request seen

Jon,

I actually want to shut the port down. I want to provide a strong disincentive even to connect the devices unless they are authorised and correctly configured.

As it stands, I don't have any DHCP on that VLAN. There is an incoming access-list that logs any DHCP request (along with its MAC address) so I can go and tap the user on the shoulder. But they don't seem to learn. I still see DHCP requests, followed by traffic from 169.254.x.x (which is also blocked by the same access-list, and logged, together with its MAC address).

That's me, the access police !

Kevin Dorrell

Luxembourg

Silver

Re: Shut down switchport if DHCP request seen

Re: Shut down switchport if DHCP request seen

Thank you for that document. What I want to do is detect any DHCP request, and then kill the switchport it comes from. Can I use DHCP snooping for that, and if so, how do I configure it?

Kevin Dorrell

Luxembourg

Community Member

Re: Shut down switchport if DHCP request seen

There is a limit rate command which I am unsure of how well it may work for you, if you 'll like to test it with an unbelievably low limit rate <5 pps and restrict on violation.

I have not tested this myself and I am interested to know the result too :)

321
Views
0
Helpful
5
Replies
CreatePlease to create content