Lock down switches/network ports

Posted on 2010-09-09
Last Modified: 2012-06-27

We have a number of network ports connected to a switch that we wish to lock down so that users cannot plug their own DHCP routers into them and possibly cause conflicts on our network.

We're happy for them to wirelessly enable their own apartment/room so that they can use multiple devices on that network port but we don't want to get to a situation where their equipment is offering out IP addresses to other equipment on the same network.

Is there an easy way to achieve this? We have HP switching everywhere.

Thanks in advance.
Question by:itmtsn
LVL 57

Expert Comment

ID: 33637907
Well, first of all, if they connect to the correct port (the WAN/Internet) on their equipment it should not happen.  Home DSL routers don't do DHCP serving on the WAN/Internet port, they only do it on the "switch ports."

However, I'm not sure you can do it.  You would need to be able to block bootp responses coming into your switch ports and I'm not sure you can do that.


Accepted Solution

kf4zmt earned 125 total points
ID: 33638058
You could assign each switch port into its own VLAN.  This means you'd have as many VLANs as you have switch ports.  Since each VLAN is a separate broadcast domain, you'd be stopping the DHCP broadcast from going anywhere else.  This isn't a very elegant solution, but it would work unless you must have all the rooms in one VLAN for some reason.  There may be a better solution, but this is the first that comes to mind with the information given.

LVL 12

Expert Comment

ID: 33638206
HP has a feature called spanning tree (even though the firmware written by hp isn't the best)

Google it because it's fairly in-depth, but in a nutshell: any port on the switch with spanning tree enabled will shut down if a device attempts to provide DHCP (from an unauthorised source such as a client router). I'm pretty sure it's exactly what you are after.

LVL 57

Expert Comment

ID: 33638286
Spanning tree has nothing to do with DHCP.  What spanning tree is designed to do is prevent loops within the network.  That is, switch A connects to switch B and B connects to C and C connects to A.  There is a loop and spanning tree will shut down either the A to C or the A to B connection.

Now using VLANs is a good idea, if your switches support more VLANs than you have rooms.  The other thing you could do if you used VLANs is block the room VLANs from communicating with each other.  That way a virus can't spread from one room to another and people can't break into computers in other rooms.
LVL 12

Expert Comment

ID: 33638357
Sorry, I do stand corrected. Let me find what I am actually trying to refer to.
LVL 24

Expert Comment

by:Brian B
ID: 33638364
Further to giltjr's post, DHCP itself is not routable. That's why those consumer-grade routers are not as big a threat. Having said that, if they plugged the uplink to your network into the switch rather than the WAN port, it could still cause problems.
LVL 12

Expert Comment

ID: 33638417
correction: DHCP snooping
LVL 57

Assisted Solution

giltjr earned 125 total points
ID: 33638717
Assuming you have HP Procurves you can follow this to code the DHCP snooping that naykam mentioned.
LVL 12

Assisted Solution

naykam earned 125 total points
ID: 33642155
Yeah, DHCP snooping does work well. But it also does require a bit of config, basically because you have to configure it per port.

Here is an overview:

Another doc on snooping:

It's basically along the lines of:

dhcp-snooping authorized-server [ip-addr]
dhcp-snooping vlan [vlan]
no dhcp-snooping option 82
dhcp-snooping trust [interface]
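
Added example, not part of the original thread and not HP's code: a simplified Python model of the filtering that the trust and authorized-server settings above describe, run against constructed DHCP payloads. The port names and addresses are hypothetical, and a real switch applies further checks beyond these two.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, follows the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends

def parse_dhcp(payload):
    """Return (op, message_type) from a raw DHCP payload (the UDP data)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, msg_type, i = payload[0], None, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                           # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if payload[i] == 53 and length == 1:          # DHCP message type
            msg_type = value[0]
        i += 2 + length
    return op, msg_type

def snoop(port, src_ip, payload, trusted_ports, authorized_servers):
    """Verdict for one DHCP packet arriving on `port` (simplified model)."""
    try:
        op, msg_type = parse_dhcp(payload)
    except ValueError:
        return "drop: malformed"
    if op != 2 and msg_type not in SERVER_TYPES:
        return "forward"                  # client traffic is allowed on any port
    if port not in trusted_ports:
        return "drop: server message on untrusted port"
    if authorized_servers and src_ip not in authorized_servers:
        return "drop: unauthorized server"
    return "forward"

def build(msg_type):
    """Constructed sample payload: BOOTP header, cookie, option 53, end."""
    op = 2 if msg_type in SERVER_TYPES else 1
    return struct.pack("!BBBB", op, 1, 6, 0) + bytes(232) + MAGIC + bytes([53, 1, msg_type, 255])

TRUSTED = {"24"}                 # hypothetical uplink port toward the real DHCP server
AUTHORIZED = {"10.0.0.1"}        # hypothetical authorized server address
```
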
LVL 12

Expert Comment

ID: 33653394
How did you go?

Author Comment

ID: 33662575
Hi :)

Thanks for all the suggestions. We're just working through them to see what offers us the best solution. I'll get back to you soon.

Thanks again!

Assisted Solution

GridLock137 earned 125 total points
ID: 33672388
What kind of switches are you running on your network?

You can use port security and allow just the first learned MAC address from a device access to that port. Any other device that attempts to connect will be blocked because its MAC address does not match the already learned MAC address. Of course this works on Cisco switches; I'm sure other switches may have similar port security settings you can use.

Author Closing Comment

ID: 33692596
All four solutions are valid so have split the points four ways :) Hope that's fair.

We have decided to go with the last suggestion and use port security and lock down each port to the first mac address.

Question has a verified solution.