Solved

Blocking DHCP servers

Posted on 2007-03-29
6
435 Views
Last Modified: 2008-02-01
Is there a way I can use ACLs on a Cisco switch to block DHCP servers that are connected to it?

I woud like to physically block users from accessing ports, but we have mandated to allow some users the facility to plug in devices so I need a way of stopping addresses being distributed by unauthorised devices.

I've tried each of the following access lists on test interfaces for inbound but they all block DHCP client requests too:
access-list 101 deny   udp any eq bootps any eq bootpc
access-list 102 deny   udp any eq bootpc any eq bootps
access-list 103 deny   udp any eq bootps host 255.255.255.255 eq bootpc
access-list 104 deny   udp host 255.255.255.255 eq bootpc any eq bootps
access-list 105 permit udp host 192.168.246.10 eq bootps any eq bootpc
access-list 105 deny   udp any eq bootps any eq bootpc

Am I doing something wrong?
0
Comment
Question by:mister_lam
  • 2
6 Comments
 
LVL 9

Expert Comment

by:rshooper76
ID: 18820474
Can you explain in more detail what you are trying to do.  It sounds like you want to stop DHCP from assigning out to all but a few devices in a few certain ports?
0
 

Author Comment

by:mister_lam
ID: 18821373
Basically, our some of our users have access to plug equipment directly into our network.  If they plugged in something with a DHCP server (such as a wireless router), which has happened - it causes all sorts of problems.  I was hoping that a simple access list could be applied to all our user ports that would simply block replies from DHCP servers that they may have unwittingly plugged in.
0
 
LVL 9

Accepted Solution

by:
rshooper76 earned 63 total points
ID: 18824387
I don't think you are going to be able to block this the waty you wnt to and still have your DHCP server working properly.  Do you have control over what kind of equipmetn these user are plugging in?  You might be able to create a VLAN on the switch for these users and put them on a separate subnet, that woudl isolate them from the rest of the network.
0
 
LVL 4

Assisted Solution

by:Mark Walden
Mark Walden earned 62 total points
ID: 18858148
Cisco supports MAC Address authentication by IAS.  What model device and IOS version are you running.  I use this method to allow access to our network.  This way, unless i approve the MAC address, to switch will shutdown the port and pass not traffic.  I use Foundry devices, but HP ProCurve support this as well.  Im sure  there are others, but i have not looked into them.  Cisco has a lot of info about setting up this type of process.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
integration of incident management and linking to CMDB 1 43
DHCP Server 14 88
CCNA lab 6 37
Can another NTP server respond when connecting to an NTP server? 8 24
As companies replace their old PBX phone systems with Unified IP Communications, many are finding out that legacy applications such as fax do not work well with VoIP. Fortunately, Cloud Faxing provides a cost-effective alternative that works over an…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question