Solved

Blocking DHCP servers

Posted on 2007-03-29
6
436 Views
Last Modified: 2008-02-01
Is there a way I can use ACLs on a Cisco switch to block DHCP servers that are connected to it?

I woud like to physically block users from accessing ports, but we have mandated to allow some users the facility to plug in devices so I need a way of stopping addresses being distributed by unauthorised devices.

I've tried each of the following access lists on test interfaces for inbound but they all block DHCP client requests too:
access-list 101 deny   udp any eq bootps any eq bootpc
access-list 102 deny   udp any eq bootpc any eq bootps
access-list 103 deny   udp any eq bootps host 255.255.255.255 eq bootpc
access-list 104 deny   udp host 255.255.255.255 eq bootpc any eq bootps
access-list 105 permit udp host 192.168.246.10 eq bootps any eq bootpc
access-list 105 deny   udp any eq bootps any eq bootpc

Am I doing something wrong?
0
Comment
Question by:mister_lam
  • 2
6 Comments
 
LVL 9

Expert Comment

by:rshooper76
ID: 18820474
Can you explain in more detail what you are trying to do.  It sounds like you want to stop DHCP from assigning out to all but a few devices in a few certain ports?
0
 

Author Comment

by:mister_lam
ID: 18821373
Basically, our some of our users have access to plug equipment directly into our network.  If they plugged in something with a DHCP server (such as a wireless router), which has happened - it causes all sorts of problems.  I was hoping that a simple access list could be applied to all our user ports that would simply block replies from DHCP servers that they may have unwittingly plugged in.
0
 
LVL 9

Accepted Solution

by:
rshooper76 earned 63 total points
ID: 18824387
I don't think you are going to be able to block this the waty you wnt to and still have your DHCP server working properly.  Do you have control over what kind of equipmetn these user are plugging in?  You might be able to create a VLAN on the switch for these users and put them on a separate subnet, that woudl isolate them from the rest of the network.
0
 
LVL 4

Assisted Solution

by:Mark Walden
Mark Walden earned 62 total points
ID: 18858148
Cisco supports MAC Address authentication by IAS.  What model device and IOS version are you running.  I use this method to allow access to our network.  This way, unless i approve the MAC address, to switch will shutdown the port and pass not traffic.  I use Foundry devices, but HP ProCurve support this as well.  Im sure  there are others, but i have not looked into them.  Cisco has a lot of info about setting up this type of process.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question