
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 612

Prevent additional DHCP Service

Hi,
Internet services are being provided to 100 individual housing rooms in a building via a router that runs DHCP and a managed switch, by enabling the specific ports on the managed switch that correspond to each room. The question is how to deal with the issue and the possibility that users will plug in their own routers running DHCP and thus mess up the network for everybody?
0
Asked: yohayon
1 Solution
 
BillBondo Commented:
Have them frisked at the front door! I don't think you can. I've had it happen to me and it's frustrating, to say the least. Set everyone to static addresses.
0
 
yohayon (Author) Commented:
Do you mean that I can configure the ports on the managed switches to grab a specific IP address from the router by MAC address?
0
 
netballi Commented:
You cannot stop the user from using their own router, but you can limit bandwidth on a switch port so that if the room user tries to add additional routers, the shared connection will still be limited by the set bandwidth.
0
 
yohayon (Author) Commented:
Thank you. The bandwidth is not my issue, but rather multiple DHCP servers on one network. Ideas?
0
 
TunerML Commented:
I think his problem really is that it's a single broadcast network, therefore a user attaching a router which has DHCP enabled has the possibility to make everything go haywire, because computers send out a broadcast and the first DHCP server that responds wins. Sounds like a VLAN issue.
0
 
netballi Commented:
The only possible solution is to issue a static IP address to all rooms and eliminate any DHCP service altogether.
0
 
yohayon (Author) Commented:
Where is that configured?
0
 
BillBondo Commented:
Disable DHCP on the router, and on the workstations set the IP and default routes.
0
 
yohayon (Author) Commented:
I don't have access to the workstations. Can this be set on the router based on the MAC addresses of the switch ports?
0
 
unfragmented Commented:
What you have described is known in the network security industry as DHCP spoofing. It can occur maliciously, accidentally, or through ignorance.

A decent managed switch will have DHCP snooping capabilities that can protect against DHCP spoofing. See the DHCP Snooping wiki article.

edit1:

All current Cisco switches designed for LAN access support DHCP snooping.

Don't use static addressing - it adds a huge management overhead. There are very few good reasons to give users statically configured addresses in a properly designed network.

Don't worry about your VLANning either. VLAN design needs to be considered, but it's not an answer to the problem you've described.
0
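The snooping decision described above, as an added example that is not part of the thread and not any vendor's code: a switch treats the uplink to the real router as trusted and every room port as untrusted, drops server-originated DHCP messages (OFFER/ACK/NAK, option 53) arriving on untrusted ports, and optionally checks that a client's hardware address matches the frame source MAC. Port names, MACs and the packet bytes are constructed for the demo.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
# Option 53 message types that only a DHCP server sends
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed fields and the option list of a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def snoop(payload: bytes, ingress_port: str, src_mac: bytes, trusted: set) -> tuple:
    """Snooping verdict for one DHCP packet: ('FORWARD' | 'DROP', reason)."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(53, b"\x00")[0]
    if ingress_port in trusted:                 # uplink to the legitimate router
        return ("FORWARD", f"trusted port {ingress_port}")
    if mtype in SERVER_MSG_TYPES:               # a room device acting as a server
        return ("DROP", f"DHCP{SERVER_MSG_TYPES[mtype]} from untrusted port {ingress_port}")
    if msg["chaddr"] != src_mac:                # client lying about its hardware address
        return ("DROP", "client hardware address does not match frame source MAC")
    return ("FORWARD", "client message from untrusted port")


def build_dhcp(op: int, msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal DHCP message (constructed demo input, not a capture)."""
    fixed = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 8          # op..flags, xid zeroed
    fixed += b"\x00" * 4 + bytes(int(x) for x in yiaddr.split("."))  # ciaddr, yiaddr
    fixed += b"\x00" * 8 + chaddr + b"\x00" * 10                     # siaddr, giaddr, chaddr(16)
    fixed += b"\x00" * 192                                           # sname(64), file(128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


if __name__ == "__main__":
    TRUSTED = {"Gi1/0/48"}                                   # assumed uplink port name
    mac = b"\x02\x00\x00\x00\x00\x07"
    print(snoop(build_dhcp(2, 2, mac, "192.168.1.100"), "Gi1/0/7", mac, TRUSTED))
    print(snoop(build_dhcp(1, 1, mac), "Gi1/0/7", mac, TRUSTED))
```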
 
yohayon (Author) Commented:
Unfragmented, in the scenario I have described above, how does one also prevent a virus from spreading if all PCs are on the same network?
0
 
unfragmented Commented:
To prevent cross-infection on the same VLAN, you could use private VLANs. See here for an explanation: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swpvlan.html#wp1038379

The common use case is to prevent cross-infection of servers in a DMZ VLAN. This sounds like your issue, except that instead of servers, you have workstations.
0
 
yohayon (Author) Commented:
Thx! If using private VLANs, then there is no need to worry about using DHCP snooping? Is that right?
0
 
unfragmented Commented:
Yes, that's right. For situations where all user-to-user traffic should be blocked, PVLANs are the way to go.

If general user-to-user traffic is necessary, but you still need protection from rogue DHCP servers, then DHCP snooping is the way to go.
0
 
yohayon (Author) Commented:
Can any managed switch that supports VLANs perform the private VLAN function?
0
 
unfragmented Commented:
Private VLANs is a Cisco term - I'd expect to find it on Cisco switches only.

That said, I was recently reading RFC 4562, titled "MAC-Forced Forwarding: A Method for Subscriber Separation on an Ethernet Access Network". It seems to describe the same functionality as private VLANs, but uses a different mechanism. If you wanted non-Cisco, it might be worth reading up on this. That's about all I can tell you about it, though.
0
 
yohayon (Author) Commented:
Thx. This link shows the difference between Port Isolate and MAC-Forced Forwarding:
http://www.kuncar.net/blog/mac-forced-forwarding/2009/
0
