Solved

Blocking DHCP servers

Posted on 2007-03-29
Last Modified: 2008-02-01
Is there a way I can use ACLs on a Cisco switch to block DHCP servers that are connected to it?

I would like to physically block users from accessing ports, but we have been mandated to allow some users the facility to plug in devices, so I need a way of stopping addresses being distributed by unauthorised devices.

I've tried each of the following access lists on test interfaces for inbound but they all block DHCP client requests too:
access-list 101 deny   udp any eq bootps any eq bootpc
access-list 102 deny   udp any eq bootpc any eq bootps
access-list 103 deny   udp any eq bootps host 255.255.255.255 eq bootpc
access-list 104 deny   udp host 255.255.255.255 eq bootpc any eq bootps
access-list 105 permit udp host 192.168.246.10 eq bootps any eq bootpc
access-list 105 deny   udp any eq bootps any eq bootpc

Am I doing something wrong?
Question by:mister_lam
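Added example, not from any poster in this thread: every ACL in the question ends with IOS's implicit "deny ip any any", which is why they all block DHCP client requests as well. The corrected list below assumes the legitimate server is 192.168.246.10 (taken from ACL 105), that the user ports are FastEthernet0/1 - 24, and that the switch supports applying an IP ACL inbound on a Layer 2 port (a port ACL).

```cisco
! Added example, not from the original thread. Assumes the legitimate DHCP
! server is 192.168.246.10 (from ACL 105), that the user ports are
! FastEthernet0/1 - 24, and that the switch supports an inbound IP ACL on a
! Layer 2 port (a port ACL).
!
! As posted: ACL 101 contains only a deny, so it ends in IOS's implicit
! "deny ip any any". Applied inbound on a user port it drops the client's
! DHCPDISCOVER (udp 68 -> 67) together with everything else on that port.
access-list 101 deny   udp any eq bootps any eq bootpc
!
! Corrected: a rogue server's replies enter the switch on the user port with
! UDP source port 67 (bootps). Drop those and explicitly permit the rest.
access-list 110 remark block DHCP server replies arriving from user ports
! The permit for the real server is only needed if it can sit behind a user
! port; it is kept here to match the intent of ACL 105.
access-list 110 permit udp host 192.168.246.10 eq bootps any eq bootpc
access-list 110 deny   udp any eq bootps any eq bootpc
access-list 110 permit ip any any
!
interface range FastEthernet0/1 - 24
 description user ports (not the uplink or the port facing the DHCP server)
 ip access-group 110 in
```

A client request is UDP source port 68 (bootpc) to destination 67 (bootps), so it does not match the deny line and is passed by the final permit. Later IOS releases also provide DHCP snooping (`ip dhcp snooping`), which drops DHCP server messages on untrusted ports without any ACL.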
Expert Comment by:rshooper76 (ID: 18820474)
Can you explain in more detail what you are trying to do? It sounds like you want to stop DHCP from assigning out to all but a few devices on a few certain ports?
Author Comment by:mister_lam (ID: 18821373)
Basically, some of our users have access to plug equipment directly into our network. If they plug in something with a DHCP server (such as a wireless router), which has happened, it causes all sorts of problems. I was hoping that a simple access list could be applied to all our user ports that would simply block replies from DHCP servers that they may have unwittingly plugged in.
Accepted Solution by:rshooper76 (earned 63 total points; ID: 18824387)
I don't think you are going to be able to block this the way you want to and still have your DHCP server working properly. Do you have control over what kind of equipment these users are plugging in? You might be able to create a VLAN on the switch for these users and put them on a separate subnet; that would isolate them from the rest of the network.
Assisted Solution by:Mark Walden (earned 62 total points; ID: 18858148)
Cisco supports MAC address authentication by IAS. What model device and IOS version are you running? I use this method to allow access to our network. This way, unless I approve the MAC address, the switch will shut down the port and pass no traffic. I use Foundry devices, but HP ProCurve supports this as well. I'm sure there are others, but I have not looked into them. Cisco has a lot of info about setting up this type of process.