Velocity Reviews - Computer Hardware Reviews

Block a DHCP server

 
 
Jeremy Whitley
10-31-2003
My company recently took over management of several networks that are at
off-campus student housing locations for some universities. These
properties have a PIX firewall that acts as a DHCP server, and the students
get access to the network through some 2950 switches.

My problem is this. Occasionally the students will connect a DHCP server to
the network, whether intentional or unintentional. That device will then
serve IP addresses that are not in the correct range. Is there any way that
I can block those devices, or configure my switches so that all DHCP
requests will go only to my PIX?

Thanks in advance.

--
Jeremy Whitley


 
John Smith
10-31-2003
Hmm, this one could be a challenge.

Use DHCP reservations with long lease times?
Post enforceable policies on your usage information web sites.
You could automate the discovery of the rogue DHCP server PCs, then disconnect
them from your network.
You could VLAN each port and give them a unique TCP/IP subnet, then control the
forwarding of DHCP requests to servers you manage. This may not be possible if
you have lots of clients or limitations on the number of VLANs or routed segments
supported on your switch. Not to mention dramatically increasing the number of
scopes you manage.






"Jeremy Whitley" <(E-Mail Removed)> wrote in message
news:9Bxob.33215$(E-Mail Removed). com...
> My company recently took over management of several networks that are at
> off-campus student housing locations for some universities. These
> properties have a PIX firewall that acts as a DHCP server, and the students
> get access to the network through some 2950 switches.
>
> My problem is this. Occasionally the students will connect a DHCP server to
> the network, whether intentional or unintentional. That device will then
> serve IP addresses that are not in the correct range. Is there any way that
> I can block those devices, or configure my switches so that all DHCP
> requests will go only to my PIX?
>
> Thanks in advance.

Walter Roberson
10-31-2003
In article <9Bxob.33215$(E-Mail Removed)> ,
Jeremy Whitley <(E-Mail Removed)> wrote:
:My company recently took over management of several networks that are at
:off-campus student housing locations for some universities. These
:properties have a PIX firewall that acts as a DHCP server, and the students
:get access to the network through some 2950 switches.

:My problem is this. Occasionally the students will connect a DHCP server to
:the network, whether intentional or unintentional. That device will then
:serve IP addresses that are not in the correct range. Is there any way that
:I can block those devices, or configure my switches so that all DHCP
:requests will go only to my PIX?

If your 2950s have EI, then you can set up an ACL on the ports.
You have to be a bit careful, though, in that DHCP is a subset of
the bootp protocol, so if the hosts have legitimate use of bootp
then distinguishing could be tricky. bootp has uses for remote
booting, such as of "diskless" stations, or of remotely obtaining
installation tools [e.g., for installing SGI's IRIX from a remote
system.] You might be able to get away with just not allowing those
uses, perhaps.

http://www.cisco.com/en/US/products/...080150b7b.html

The models that have EI software are the 2950G series, 2950C series,
and the 2950T-24. In particular, the 2950T-48 does NOT have EI,
and the models with no letters or with SX do not have it either.
The models that have SI (Standard Image) CANNOT be upgraded to EI.

http://www.cisco.com/warp/public/cc/...t/sssis_ds.htm

http://www.cisco.com/warp/public/cc/...t/sseis_ds.htm
--
Perposterous!! Where would all the calculators go?!
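The two switch-side ideas raised so far, an inbound ACL on the student ports (the reply above) and automated discovery of rogue DHCP servers (the first reply's suggestion), modelled in Python as an added example; this is not code from the thread, from Cisco, or from any of the posters. The port names, the PIX address 10.10.0.1, the rogue server 192.168.1.1 and the packets themselves are constructed sample values, and the ACL model only reproduces the decision logic (drop anything a student port sends from UDP source port 67), not a 2950 configuration.

```python
"""Rogue DHCP server checks on constructed sample traffic (added example).

Two checks are modelled:
  * port ACL: anything a student-facing port sends from UDP source port 67
    (bootps, shared by BOOTP and DHCP) is dropped, which is also why a
    legitimate BOOTP server behind such a port would stop working;
  * discovery: DHCP OFFER/ACK/NAK messages are parsed and the Server
    Identifier (option 54) is compared with the PIX's address.
Port names and addresses are assumptions, not values from the thread.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

BOOTPS = 67                      # server port, shared by BOOTP and DHCP
BOOTPC = 68                      # client port
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class Datagram:
    ingress_port: str            # switch port the frame arrived on (assumed name)
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes               # UDP payload, i.e. the BOOTP/DHCP message


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Extract op code, message type, offered address and Server Identifier (RFC 2131/2132 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"\0")[0]
    sid = opts.get(54)
    return {
        "op": payload[0],                                   # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "type": MSG_TYPES.get(mtype, f"type-{mtype}"),
        "yiaddr": str(IPv4Address(payload[16:20])),         # address being handed out
        "server_id": str(IPv4Address(sid)) if sid else None,
    }


def port_acl_drops(dg: Datagram, student_ports: set) -> bool:
    """Inbound ACL on student ports: drop anything sourced from udp/67 (DHCP and BOOTP server replies)."""
    return dg.ingress_port in student_ports and dg.src_port == BOOTPS


def rogue_server(dg: Datagram, authorised: set) -> Optional[str]:
    """Return the offending Server Identifier if a server-side DHCP reply is not from an authorised server."""
    if dg.src_port != BOOTPS or dg.dst_port != BOOTPC:
        return None
    try:
        msg = parse_dhcp(dg.payload)
    except ValueError:
        return None
    if msg["op"] != 2 or msg["type"] not in ("OFFER", "ACK", "NAK"):
        return None
    sid = msg["server_id"] or dg.src_ip   # fall back to the IP header if option 54 is absent
    return None if sid in authorised else sid


def build_reply(msg_type: int, server_id: str, yiaddr: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal BOOTREPLY carrying options 53 and 54 (sample data only)."""
    chaddr = bytes.fromhex("001122334455") + b"\0" * 10
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_id).packed + b"\xff"
    return fixed + MAGIC_COOKIE + options


PIX_ADDRESS = "10.10.0.1"        # assumed address of the PIX acting as DHCP server
STUDENT_PORTS = {"Fa0/5", "Fa0/6"}

# Constructed sample traffic: one legitimate OFFER arriving on the PIX uplink, one
# OFFER from a student port handing out the wrong range, one client-side datagram.
SAMPLE = [
    Datagram("Gi0/1", PIX_ADDRESS, BOOTPS, BOOTPC, build_reply(2, PIX_ADDRESS, "10.10.0.57")),
    Datagram("Fa0/5", "192.168.1.1", BOOTPS, BOOTPC, build_reply(2, "192.168.1.1", "192.168.1.100")),
    Datagram("Fa0/6", "10.10.0.58", BOOTPC, BOOTPS, b"not-a-dhcp-message"),
]


def audit(datagrams: List[Datagram]) -> List[Tuple[str, str, str]]:
    """Return (port, verdict, detail) for each datagram worth acting on."""
    findings = []
    for dg in datagrams:
        if port_acl_drops(dg, STUDENT_PORTS):
            findings.append((dg.ingress_port, "acl-drop", f"udp/{BOOTPS}-sourced reply from a student port"))
        sid = rogue_server(dg, {PIX_ADDRESS})
        if sid:
            findings.append((dg.ingress_port, "rogue-dhcp", f"server identifier {sid}"))
    return findings


if __name__ == "__main__":
    for port, verdict, detail in audit(SAMPLE):
        print(f"{port:6} {verdict:10} {detail}")
```

Run directly, it prints the two findings for the sample traffic, both on Fa0/5. Because port 67 is the BOOTP server port as well as DHCP's, `port_acl_drops` also blocks legitimate BOOTP replies from those ports, which is the caveat raised above; the parse-based check is narrower, since it fires only on DHCP replies whose Server Identifier is not the PIX's, so the same functions can be fed datagrams decoded from a mirrored capture to find the offending port before any ACL is applied.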
 
Richard Deal
11-02-2003
Do the student PCs need to talk to each other?

If not, then set up a private VLAN, where each student port is isolated and
the PIX is connected to a promiscuous port. Then, if a student intentionally
or accidentally installs a DHCP server, the only devices that will see this
are the switch and the PIX.

Hope this helps!

Cheers!
--

Richard A. Deal

Visit my home page at http://home.cfl.rr.com/dealgroup/

Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram

Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
exams on the market.




"Jeremy Whitley" <(E-Mail Removed)> wrote in message
news:9Bxob.33215$(E-Mail Removed). com...
> My company recently took over management of several networks that are at
> off-campus student housing locations for some universities. These
> properties have a PIX firewall that acts as a DHCP server, and the students
> get access to the network through some 2950 switches.
>
> My problem is this. Occasionally the students will connect a DHCP server to
> the network, whether intentional or unintentional. That device will then
> serve IP addresses that are not in the correct range. Is there any way that
> I can block those devices, or configure my switches so that all DHCP
> requests will go only to my PIX?
>
> Thanks in advance.



 
CCIE8122
11-03-2003
> My company recently took over management of several networks that are at
> off-campus student housing locations for some universities. These
> properties have a PIX firewall that acts as a DHCP server, and the students
> get access to the network through some 2950 switches.
>
> My problem is this. Occasionally the students will connect a DHCP server to
> the network, whether intentional or unintentional. That device will then
> serve IP addresses that are not in the correct range. Is there any way that
> I can block those devices, or configure my switches so that all DHCP
> requests will go only to my PIX?
>
> Thanks in advance.


Without a doubt, use private VLANs.

kr

 
Geert Nijs
11-03-2003
If user ports have to be configured in one VLAN, then use VACLs (VLAN
Control Access Lists) if your software supports it.

Kind regards,
Geert


"Richard Deal" <(E-Mail Removed)> wrote in message
news:kGapb.98004$(E-Mail Removed) om...
> Do the student PCs need to talk to each other?
>
> If not, then set up a private VLAN, where each student port is isolated and
> the PIX is connected to a promiscuous port. Then, if a student intentionally
> or accidentally installs a DHCP server, the only devices that will see this
> are the switch and the PIX.
>
> Hope this helps!
>
> Cheers!
> --
> Richard A. Deal


 
Jeremy Whitley
11-03-2003
Private VLANS sounds like the way to go on this. Many thanks to all of you
for your suggestions.

--
Jeremy Whitley



"CCIE8122" <(E-Mail Removed)> wrote in message
news:bo47f0$cfq$(E-Mail Removed)...
> Without a doubt, use private VLANs.
>
> kr



 