Prevent additional DHCP Service

Hi,
Internet services are being provided to 100 individual housing rooms in a building via a router that runs DHCP & a managed switch, by enabling the specific ports on the managed switch that correspond to each room. The question is how to deal with the issue & possibility that users will plug in their own routers running DHCP & thus mess up the network for everybody?
yohayonAsked:
unfragmentedCommented:
What you have described is known in the network security industry as DHCP spoofing.  It can occur maliciously, accidentally, or through ignorance.

A decent managed switch will have dhcp snooping capabilities that can protect against DHCP spoofing.  See DHCP Snooping wiki article.  

edit1:

All current Cisco switches designed for LAN Access support dhcp snooping.

Don't use static addressing - it adds a huge management overhead.  There are very few good reasons to give users statically configured addresses in a properly designed network.

Don't worry about your vlanning either.  Vlan design needs to be considered, but it's not an answer to the problem you've described.
0
 
BillBondoCommented:
Have them frisked at the front door! I don't think you can. I've had it happen to me and it's frustrating to say the least. Set every one to static addresses.
0
 
yohayonAuthor Commented:
Do you mean that I can configure the ports on the managed switches to grab a specific ip address from the router by mac address?
0
 
netballiCommented:
You cannot stop the user from using their own router, but you can limit bandwidth on a switch port so that if the room user tries to add additional routers, the shared connection will still be limited by the set bandwidth.
0
 
yohayonAuthor Commented:
Thank you. The bandwidth is not my issue but rather multiple dhcp servers on one network. Ideas?
0
 
TunerMLSystems EngineerCommented:
I think his problem really is that it's a single broadcast network, therefore a user attaching a router which has DHCP enabled has the possibility to make everything go haywire, because computers send out a broadcast and the first DHCP server that responds wins. Sounds like a VLAN issue.
0
 
netballiCommented:
The only possible solution is to issue a static ip address to all rooms and eliminate any DHCP service all together.
0
 
yohayonAuthor Commented:
Where is that configured?
0
 
BillBondoCommented:
Disable DHCP on the router and on the workstations set the IP and default routes.
0
 
yohayonAuthor Commented:
I don't have access to workstations. Can this be set on the router based on mac addresses of switch port?
0
 
yohayonAuthor Commented:
Unfragmented, in the scenario I have described above, how does one also prevent a virus from spreading if all PCs are on the same network?
0
 
unfragmentedCommented:
To prevent cross-infection on the same vlan, you could use private vlans.  See here for explanation: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swpvlan.html#wp1038379

The common use case is to prevent cross-infection of servers in a dmz vlan.  This sounds like your issue, except, that instead of servers, you have workstations.
0
 
yohayonAuthor Commented:
Thx! If using private vlan, then no need to worry about using DHCP Snooping? Is that right?
0
 
unfragmentedCommented:
Yes, that's right.  For situations where all user-to-user traffic should be blocked, pvlans are the way to go.  

If general user-to-user traffic is necessary, but you still need protection from rogue DHCP servers, then DHCP snooping is the way to go.
0
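As an added illustration of the snooping rule unfragmented describes (this is example code, not from the thread or from any switch vendor), the following Python model filters DHCP frames per switch port: server replies (OFFER/ACK/NAK) are forwarded only when they arrive on the trusted uplink toward the real DHCP router, and on untrusted room ports the client MAC inside the DHCP header must match the frame's source MAC. Port names, MAC addresses and the DHCP payloads are constructed samples.

```python
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2                        # op code used by OFFER/ACK/NAK
MSG_TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields snooping needs: op code, client MAC (chaddr), option 53 type."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, chaddr, msg_type, i = payload[0], payload[28:34], None, 240
    while i < len(payload) and payload[i] != 255:      # walk TLV options until END
        if payload[i] == 0:                             # PAD option has no length byte
            i += 1
            continue
        if payload[i] == 53:
            msg_type = payload[i + 2]
        i += 2 + payload[i + 1]
    return {"op": op, "chaddr": chaddr, "msg_type": msg_type}


@dataclass
class DhcpSnooper:
    """Per-port snooping policy: server replies may only enter on trusted ports."""
    trusted_ports: set
    violations: list = field(default_factory=list)   # (port, src_mac, reason) for alerting

    def filter(self, port: str, src_mac: bytes, payload: bytes) -> bool:
        """Return True to forward the frame, False to drop it (recording the reason)."""
        pkt = parse_dhcp(payload)
        if port in self.trusted_ports:                  # uplink to the real DHCP router
            return True
        name = MSG_TYPE_NAMES.get(pkt["msg_type"], "UNKNOWN")
        if pkt["op"] == BOOTREPLY:                      # a rogue server answering from a room port
            self.violations.append((port, src_mac.hex(":"), f"server reply {name} on untrusted port"))
            return False
        if pkt["chaddr"] != src_mac:                    # client header MAC must match frame source
            self.violations.append((port, src_mac.hex(":"), "chaddr does not match source MAC"))
            return False
        return True


def build_dhcp(op: int, msg_type: int, chaddr: bytes) -> bytes:
    """Build a minimal DHCP payload (constructed sample input, not a real client)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                        b"", b"", b"", b"", chaddr, b"", b"")
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
```

The `violations` list is what you would feed into logging or an alert, since a single OFFER from a room port is exactly the event that tells you which room plugged in a router.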
 
yohayonAuthor Commented:
Any managed switch that supports vlans can perform private vlan function?
0
 
unfragmentedCommented:
Private vlans is a Cisco term - I'd expect to find it on Cisco switches only.  

That said, I was recently reading rfc4562 titled "MAC-Forced Forwarding:  A Method for Subscriber Separation on an Ethernet Access Network".  It seems to describe the same functionality as private vlans, but uses a different mechanism.  If you wanted non-Cisco, it might be worth reading up on this.  That's about all I can tell you about it though.
0
 
yohayonAuthor Commented:
Thx. This link shows the difference between port isolation and MAC Forced Forwarding:
http://www.kuncar.net/blog/mac-forced-forwarding/2009/
0