Solved

Blocking DHCP servers

Posted on 2007-03-29
433 Views
Last Modified: 2008-02-01
Is there a way I can use ACLs on a Cisco switch to block DHCP servers that are connected to it?

I would like to physically block users from accessing ports, but we have been mandated to allow some users the facility to plug in devices, so I need a way of stopping addresses being distributed by unauthorised devices.

I've tried each of the following access lists on test interfaces for inbound but they all block DHCP client requests too:
access-list 101 deny   udp any eq bootps any eq bootpc
access-list 102 deny   udp any eq bootpc any eq bootps
access-list 103 deny   udp any eq bootps host 255.255.255.255 eq bootpc
access-list 104 deny   udp host 255.255.255.255 eq bootpc any eq bootps
access-list 105 permit udp host 192.168.246.10 eq bootps any eq bootpc
access-list 105 deny   udp any eq bootps any eq bootpc

Am I doing something wrong?
Question by:mister_lam
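As an added illustration that is not part of the original thread: a small evaluator for the extended ACL lines quoted in the question, applied to two constructed packets as they would arrive inbound on a user port. It shows why every list above also drops client requests: an IOS ACL ends with an implicit "deny ip any any", so a list containing only deny statements blocks everything, while adding an explicit "permit ip any any" after the deny keeps client traffic flowing and still drops replies from a plugged-in server. The addresses and the "permit ip any any" line are assumptions for the example.

```python
# Added example, not from the original thread: evaluates the Cisco extended ACL
# lines from the question against constructed DHCP packets. Every IOS ACL ends
# with an implicit "deny ip any any", so a deny-only list drops all traffic.
PORTS = {"bootps": 67, "bootpc": 68}  # DHCP server / client UDP ports

def _port(tok):
    return int(tok) if tok.isdigit() else PORTS[tok]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    ace = {"action": t[2], "proto": t[3]}
    i = 4
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = None, i + 1          # None matches any address
        elif t[i] == "host":
            ace[side], i = t[i + 1], i + 2
        else:
            raise ValueError("only 'any' and 'host' are handled: " + line)
        if i < len(t) and t[i] == "eq":
            ace[side + "_port"], i = _port(t[i + 1]), i + 2
    return ace

def acl_permits(acl_lines, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]):
            continue
        if ace.get("src_port", pkt["sport"]) != pkt["sport"]:
            continue
        if ace.get("dst_port", pkt["dport"]) != pkt["dport"]:
            continue
        return ace["action"] == "permit"
    return False  # implicit "deny ip any any" at the end of every IOS ACL

# Constructed packets as seen inbound on a user-facing port (assumed addresses).
CLIENT_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
                   "dst": "255.255.255.255", "dport": 67}
ROGUE_OFFER = {"proto": "udp", "src": "192.168.1.1", "sport": 67,
               "dst": "255.255.255.255", "dport": 68}  # e.g. a plugged-in home router

ACL_101 = ["access-list 101 deny   udp any eq bootps any eq bootpc"]
# Same deny, followed by the explicit permit the question's lists are missing.
ACL_101_FIXED = ACL_101 + ["access-list 101 permit ip any any"]
```

With the posted list, both the client discover and the rogue offer are dropped; with the trailing permit, the client discover passes and only the rogue offer is dropped.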
6 Comments
LVL 9

Expert Comment

by:rshooper76
ID: 18820474
Can you explain in more detail what you are trying to do?  It sounds like you want to stop DHCP from assigning out to all but a few devices in a few certain ports?

Author Comment

by:mister_lam
ID: 18821373
Basically, some of our users have access to plug equipment directly into our network.  If they plug in something with a DHCP server (such as a wireless router), which has happened, it causes all sorts of problems.  I was hoping that a simple access list could be applied to all our user ports that would simply block replies from DHCP servers that they may have unwittingly plugged in.
LVL 9

Accepted Solution

by:rshooper76 (earned 63 total points)
ID: 18824387
I don't think you are going to be able to block this the way you want to and still have your DHCP server working properly.  Do you have control over what kind of equipment these users are plugging in?  You might be able to create a VLAN on the switch for these users and put them on a separate subnet; that would isolate them from the rest of the network.
LVL 4

Assisted Solution

by:Mark Walden (earned 62 total points)
ID: 18858148
Cisco supports MAC address authentication by IAS.  What model device and IOS version are you running?  I use this method to allow access to our network.  This way, unless I approve the MAC address, the switch will shut down the port and pass no traffic.  I use Foundry devices, but HP ProCurve supports this as well.  I'm sure there are others, but I have not looked into them.  Cisco has a lot of info about setting up this type of process.
