Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
281
Views
0
Helpful
2
Replies

DHCP Problem

nitinj
Level 1
Level 1

‎04-04-2006 08:56 AM - edited ‎03-03-2019 12:17 PM

Hi All, I have a problem with DHCP server..actually there is one DHCP server in my network which provides IPs to my clients in networks...but the thing is that some users bring their ADSL router & they connect it into the network..without disabling the DHCP server..now some of my client takes the IP from that DHCP instead of mine DHCP server...can any one tell me how to block these type of Routers to provide IPs to client...

there r so many users which connect ADSL routers in network..so I can not block with IPs...

Regards

NK

Labels:
0 Helpful
2 Replies 2

mheusinger
Level 10
Level 10

‎04-04-2006 09:05 AM

Hello,

what type of LAN switches do you have?

You might want to enable some security features. You could f.e. allow only one MAC on a port and error disable it, when a second MAC shows up. This would pretty much stop user from connecting their DSL routers.

Also shutdown all unused ports (if this is feasible in your environment).

In some switches you could also block unwanted traffic like DHCP with access-lists applied to access-ports.

Hope this helps! PLease rate all posts.

Regards, Martin

0 Helpful

Nicholas Vigil
Level 1
Level 1

‎04-04-2006 09:24 AM

You might want to use Cisco VACLs to prevent rogue DHCP servers. For example, on a CAT os switch:

set security acl ip ROGUE-DHCP permit udp host 123.456.789.1 any eq 68

set security acl ip ROGUE-DHCP deny udp any any eq 68

set security acl ip ROGUE-DHCP permit ip any any

Another option is DHCP snooping. Some Cisco switches offer the ability to suppress certain types of DHCP information on certain ports. The primary feature enabling this functionality is DHCP snooping. DHCP snooping works by separating trusted from untrusted interfaces on a switch. Trusted interfaces are allowed to respond to DHCP requests; untrusted interfaces are not. The switch keeps track of the untrusted port’s DHCP bindings and rate limits the DHCP messages to a certain speed.

The first task in configuring DHCP snooping is to enable it:

Switch(config)#ip dhcp snooping

From here, DHCP snooping must be enabled for specific VLANs:

Switch(config)#ip dhcp snooping vlan number [number]

To set up the trusted ports at the interface level, ports must be defined as trusted or untrusted using the following command:

Switch(config-if)# ip dhcp snooping trust

Untrusted ports can be optionally configured with a rate limit on the amount of DHCP messages allowed per second:

Switch(config-if)# ip dhcp snooping limit rate rate

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card