Rogue DHCP Server -- Windows 2012 R2 Domain?

Sometimes a non-admin employee on the domain will plug their own small $20 switch into the network to plug in more devices, but does not realize that the device has DHCP enabled, therefore causing issues, since two DHCP servers are on the same network, when guests have laptops that are not on the domain.

Does checking "DHCP Guard", as https://social.technet.microsoft.com/wiki/contents/articles/25695.hyper-v-and-dhcp-guard-feature.aspx talks about, prevent me from having to purchase more expensive switches with "DHCP snooping" features?

If not, what does "DHCP Guard" do?
finance_teacher asked:
Cliff Galiher commented:
DHCP Guard would stop virtual machines from offering DHCP. This is useful in a hosted multitenant situation. Not at all what you want, though. You need to address this with written policies, technology (replacing switches) or both.
random0 commented:
What are the switches you use?
bbao, IT Consultant, commented:
If the non-admin employee always plugs in the dumb hub at the same port, then this port should either (1) be separated into a standalone VLAN or subnet, or (2) have access control applied against DHCP traffic on the port, if the connected upstream switch is a managed device.
masnrock commented:
You could always utilize something like port security, which you could use to prevent more than one device from being plugged into the same port.
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
A managed switch would shut this down full-stop.
Dr. Klahn, Principal Software Engineer, commented:
The easiest way to deal with this, which is very effective, is for the company to publish a memo:

To all employees.  The integrity and security of the company network is compromised when unauthorized devices are attached.  Starting immediately, anyone attaching an unauthorized device to the network will be terminated immediately.  No warnings will be given.  This policy applies to everyone, top to bottom.  Signed, J.E. Hoover, Security.

Then do what it says.  After the first firing the rest of the company will fall into line.  (There are security companies that will rent you "employees" that you can hire, then fire publicly with lots of fanfare!)

But the policy must be even-handed, across all employees including the CEO.  If anybody in Management does this and gets away with a slap on the wrist, all that will happen is massive resentment and "unfair treatment" lawsuits when you try to apply it to rank-and-file employees.
noci, Software Engineer, commented:
Better yet, set up 802.1X. Like Wi-Fi, this is an access control mechanism that only allows TRUSTED devices on the network.
(Trust is established beforehand....)

BTW, a switch doesn't do DHCP; a router might. OTOH, you could set up some sniffers in each LAN that check the answers they get on DHCP probes, verify whether the MAC address is known and, if not, follow the MAC/CAM tables in the switches to the port providing the MAC address.
After you follow the connected device you can unplug it and take it with you... There will be someone complaining... then you can educate them...
If no one complains, you have a bigger problem.
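As an added example (not part of noci's post or of any tool the thread names), here is a small Python script sketching the sniffer idea: parse DHCPOFFER messages captured on a LAN, compare the offering server's IP and the frame's source MAC against an allowlist, and report any unknown server's MAC so it can be traced through the switch CAM tables to a port. The authorized server address, the MAC addresses and the sample frames are constructed for the demo; capturing live frames (raw socket or a pcap library) is left to the deployment.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
DHCP_DISCOVER, DHCP_OFFER = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

# Allowlist of legitimate DHCP servers: IP and the MAC they send from.
# Constructed sample values for this demo, not from the page.
AUTHORIZED_SERVERS = {IPv4Address("192.168.1.10")}
AUTHORIZED_SERVER_MACS = {"00:15:5d:01:02:03"}


@dataclass
class DhcpOffer:
    server_ip: IPv4Address   # server identifier option (falls back to siaddr)
    offered_ip: IPv4Address  # yiaddr: the lease being handed out
    client_mac: str          # chaddr: who the offer is for
    src_mac: str             # Ethernet source of the frame: who actually sent it
    relayed: bool            # giaddr set: src_mac belongs to a relay, not the server


def parse_options(data: bytes) -> dict:
    """Decode TLV options; raises on truncation instead of guessing."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes, src_mac: str) -> Optional[DhcpOffer]:
    """Parse a BOOTP/DHCP UDP payload; return an offer, or None for other message types."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    _op, _htype, hlen, _hops, _xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    _ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:44]
    opts = parse_options(payload[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return None
    server_id = opts.get(OPT_SERVER_ID)
    server_ip = IPv4Address(server_id) if server_id and len(server_id) == 4 else IPv4Address(siaddr)
    client_mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    return DhcpOffer(server_ip, IPv4Address(yiaddr), client_mac, src_mac,
                     relayed=int.from_bytes(giaddr, "big") != 0)


def classify(offer: DhcpOffer) -> str:
    """'authorized' only when both the server IP and the sending MAC are known."""
    if offer.server_ip not in AUTHORIZED_SERVERS:
        return "rogue"
    if offer.relayed or offer.src_mac in AUTHORIZED_SERVER_MACS:
        return "authorized"
    return "suspicious"   # known server IP from an unknown MAC: impersonation or misconfig


def audit(frames):
    """frames: iterable of (src_mac, dhcp_payload). Returns (verdict, server_ip, src_mac, client_mac)."""
    findings = []
    for src_mac, payload in frames:
        offer = parse_dhcp(payload, src_mac)
        if offer is not None:
            findings.append((classify(offer), str(offer.server_ip), offer.src_mac, offer.client_mac))
    return findings


def build_dhcp(msg_type: int, server_ip: str, offered_ip: str, client_mac: str, xid: int = 0x1234) -> bytes:
    """Construct a minimal DHCP payload; used only to fabricate sample input for the demo."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    op = 2 if msg_type == DHCP_OFFER else 1
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += bytes(4) + IPv4Address(offered_ip).packed + IPv4Address(server_ip).packed + bytes(4)
    header += chaddr + bytes(64) + bytes(128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


# Constructed sample capture: a client probe, the real server's offer, and an offer from
# a consumer router answering with its factory default range.
SAMPLE_FRAMES = [
    ("aa:bb:cc:dd:ee:01", build_dhcp(DHCP_DISCOVER, "0.0.0.0", "0.0.0.0", "aa:bb:cc:dd:ee:01")),
    ("00:15:5d:01:02:03", build_dhcp(DHCP_OFFER, "192.168.1.10", "192.168.1.50", "aa:bb:cc:dd:ee:01")),
    ("d8:47:32:11:22:33", build_dhcp(DHCP_OFFER, "192.168.0.1", "192.168.0.100", "aa:bb:cc:dd:ee:01")),
]

if __name__ == "__main__":
    for verdict, server_ip, src_mac, client_mac in audit(SAMPLE_FRAMES):
        print(f"{verdict:10} server={server_ip:15} from={src_mac} offered to {client_mac}")
```

The "from" MAC of a rogue finding is the value to look up in the switch MAC/CAM tables to find the offending port; when `giaddr` is set the frame came through a relay, so the MAC points at the relay rather than the server and the lookup has to continue on the relay's segment.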
