Lock down switches/network ports


We have a number of network ports connected to a switch that we wish to lock down so that users cannot plug their own DHCP routers into and possibly cause conflicts on our network.

We're happy for them to wirelessly enable their own apartment/room so that they can use multiple devices on that network port but we don't want to get to a situation where their equipment is offering out IP addresses to other equipment on the same network.

Is there an easy way to achieve this? We have HP switching everywhere.

Thanks in advance.
Who is Participating?
kf4zmtConnect With a Mentor Commented:
You could assign each switch port into it's own vlan.  This means you'd have as many vlans as you have switch ports.  Since each vlan is a separate broadcast domain, you'd be stopping the dhcp broadcast from going anywhere else.  This isn't a very elegant solution, but it would work unless you must have all the rooms in one vlan for some reason.  There may be a better solution, but this is the first that comes to mind with the information given.

Well, first of all if they connect to the correct port (the WAN/Internet) on their equipment it should not happen.  Home DSL routers don't do DHCP serving on the WAN/Internet port, the only do it on the "switch ports."

However, I'm not sure you can do it.  You would need to be able to block bootp responses coming into your switch ports and I'm not sure you can do that.

HP has a feature called spanning tree (even though the firmware written by hp isn't the best)

google it because its fairly in-depth, but in a nutshell. Any port on the switch with spanning tree enabled will shutdown if a device attempts to provide DHCP (from an unauthorised source such as client router) - Im pretty sure its exactly what your are after.
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Spanning tree has nothing to do with DHCP.  What spanning tree is designed to do is prevent loops within the network.  That switch A connects to switch B and B connects to C and C connects to A.  There is a loop and spanning tree will shut down either the A to C or the A to B connection.

Now using VLAN's is an good idea, if your switches support more VLAN's than you have rooms.  The other thing you could do if you used VLAN's is block the room VLAN's from communicating with each other.  That way virus can't spread from one room to another and people can't break into computers in other rooms.
Sorry I do stand correct, Let me find what I am actually trying to refer to
Brian BIndependant Technology ProfessionalCommented:
Further to giltjr's post, DHCP itself is not routable. That's why those consumer-grade routers are not as big a threat. Having said that, if they plugged the uplink to your network into the switch rather than the WAN port, it could still cause problems.
correction: DHCP snooping
giltjrConnect With a Mentor Commented:
Assuming you have HP Procurves you can follow this to code the DHCP snooping that naykam mentioned.

naykamConnect With a Mentor Commented:
Yea DHCP snooping does work well. But it also does requires a bit of config, basically because you have to configure per port

Here is an overview: http://en.wikipedia.org/wiki/DHCP_snooping

Another doc on snooping: http://goo.gl/vA0i

Its basically along the lines of:

dhcp-snooping authorized-server [ip-addr]
dhcp-snooping vlan [vlan]
no dhcp-snooping option 82
dhcp-snooping trust [interface]
how did you go?
itmtsnAuthor Commented:
Hi :)

Thanks for all the suggestions. We're just working through them to see what offers us the best solution. I'll get back to you soon.

Thanks again!
GridLock137Connect With a Mentor Commented:
what kind of switches are you running on your network?

you can use port security and specify just the first learned mac address from a device access to that port, any other device that attempts to connect will be blocked because the mac address does not match the already learned mac address, of course this works on cisco switches, i'm sure other switches may have similar port security settings you can use.
itmtsnAuthor Commented:
All four solutions are valid so have split the points four ways :) Hope that's fair.

We have decided to go with the last suggestion and use port security and lock down each port to the first mac address.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.