Blocking DHCP servers

Posted on 2007-03-29
440 Views
Last Modified: 2008-02-01
Is there a way I can use ACLs on a Cisco switch to block DHCP servers that are connected to it?

I would like to physically block users from accessing ports, but we have mandated to allow some users the facility to plug in devices, so I need a way of stopping addresses being distributed by unauthorised devices.

I've tried each of the following access lists on test interfaces for inbound but they all block DHCP client requests too:
access-list 101 deny   udp any eq bootps any eq bootpc
access-list 102 deny   udp any eq bootpc any eq bootps
access-list 103 deny   udp any eq bootps host 255.255.255.255 eq bootpc
access-list 104 deny   udp host 255.255.255.255 eq bootpc any eq bootps
access-list 105 permit udp host 192.168.246.10 eq bootps any eq bootpc
access-list 105 deny   udp any eq bootps any eq bootpc

Am I doing something wrong?
Question by:mister_lam
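As an added illustration that is not part of the thread, here is a small Python model of how a Cisco extended ACL is evaluated (first matching entry wins, with an implicit deny at the end), run over constructed DHCP packets as they would arrive inbound on a user port. The trailing "permit ip any any" entry is my assumed correction, not something the thread proposes, and the addresses are constructed sample values.

```python
# Added example (not from the thread): model Cisco extended-ACL evaluation,
# first match wins and an implicit "deny any" at the end, over constructed
# DHCP packets to show why ACL 105 as posted also drops client requests.
BOOTPS, BOOTPC = 67, 68  # DHCP server and client UDP ports

# Constructed packets as seen INBOUND on a user-facing access port.
PACKETS = {
    "client DISCOVER": dict(proto="udp", src="0.0.0.0", sport=BOOTPC,
                            dst="255.255.255.255", dport=BOOTPS),
    "rogue server OFFER": dict(proto="udp", src="192.168.1.1", sport=BOOTPS,
                               dst="255.255.255.255", dport=BOOTPC),
    "ordinary web traffic": dict(proto="tcp", src="192.168.246.55", sport=40000,
                                 dst="10.0.0.5", dport=80),
}

def parse_ace(line):
    """Parse one ACE in the form used in the question:
    access-list N <permit|deny> <proto> <src> [eq P] <dst> [eq P]."""
    t = line.split()
    action, proto, t = t[2], t[3], t[4:]
    def addr():  # consume "any" or "host A", plus an optional "eq PORT"
        nonlocal t
        if t[0] == "any": a, t = None, t[1:]
        elif t[0] == "host": a, t = t[1], t[2:]
        else: raise ValueError("unsupported address syntax: " + line)
        port = None
        if t and t[0] == "eq":
            port, t = {"bootps": BOOTPS, "bootpc": BOOTPC}.get(t[1], t[1]), t[2:]
        return a, port
    src, sport = addr(); dst, dport = addr()
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt; None fields in an ACE match anything."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]): continue
        if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]): continue
        if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]): continue
        return ace["action"]
    return "deny"  # implicit deny: this is what eats the client's DISCOVER

ACL_105_AS_POSTED = [
    "access-list 105 permit udp host 192.168.246.10 eq bootps any eq bootpc",
    "access-list 105 deny   udp any eq bootps any eq bootpc",
]
# Assumed correction (mine, not from the thread): explicitly permit everything else.
ACL_105_WITH_TRAILING_PERMIT = ACL_105_AS_POSTED + ["access-list 105 permit ip any any"]

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("as posted:", verdicts(ACL_105_AS_POSTED))
    print("with trailing permit:", verdicts(ACL_105_WITH_TRAILING_PERMIT))
```

With the trailing permit, rogue server replies arriving on the user port are still dropped while client requests and other traffic pass; on IOS releases that support it, the DHCP snooping feature does this filtering without hand-written ACLs.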
6 Comments
LVL 9

Expert Comment

by:rshooper76
ID: 18820474
Can you explain in more detail what you are trying to do? It sounds like you want to stop DHCP from assigning out to all but a few devices on a few certain ports?


Author Comment

by:mister_lam
ID: 18821373
Basically, some of our users have access to plug equipment directly into our network. If they plugged in something with a DHCP server (such as a wireless router), which has happened, it causes all sorts of problems. I was hoping that a simple access list could be applied to all our user ports that would simply block replies from DHCP servers that they may have unwittingly plugged in.

LVL 9

Accepted Solution

by:
rshooper76 earned 252 total points
ID: 18824387
I don't think you are going to be able to block this the way you want to and still have your DHCP server working properly. Do you have control over what kind of equipment these users are plugging in? You might be able to create a VLAN on the switch for these users and put them on a separate subnet; that would isolate them from the rest of the network.

LVL 4

Assisted Solution

by:Mark Walden
Mark Walden earned 248 total points
ID: 18858148
Cisco supports MAC address authentication by IAS. What model device and IOS version are you running? I use this method to allow access to our network. This way, unless I approve the MAC address, the switch will shut down the port and pass no traffic. I use Foundry devices, but HP ProCurve supports this as well. I'm sure there are others, but I have not looked into them. Cisco has a lot of info about setting up this type of process.
