Block a DHCP server

Discussion in 'Cisco' started by Jeremy Whitley, Oct 31, 2003.

  1. My company recently took over management of several networks that are at
    off-campus student housing locations for some universities. These
    properties have a PIX firewall that acts as a DHCP server, and the students
    get access to the network through some 2950 switches.

    My problem is this. Occasionally the students will connect a DHCP server to
    the network, whether intentional or unintentional. That device will then
    serve IP addresses that are not in the correct range. Is there any way that
    I can block those devices, or configure my switches so that all DHCP
    requests will go only to my PIX?

    Thanks in advance.

    --
    Jeremy Whitley


    --
    Jeremy Whitley
    Jeremy Whitley, Oct 31, 2003
    #1
    1. Advertising

  2. John Smith (Guest)

    Hmm, this one could be a challenge.

    Use DHCP reservations with long lease times?
    Post enforceable policies on your usage information web sites.
    You could automate the discovery of the rogue DHCP server PCs, then disconnect
    them from your network.
    You could VLAN each port and give them a unique TCP/IP subnet, then control the
    forwarding of DHCP requests to servers you manage. This may not be possible if
    you have lots of clients or limitations on the number of VLANs or routed segments
    supported on your switch. Not to mention it would dramatically increase the number of
    scopes you manage.

    John Smith, Oct 31, 2003
    #2

  3. If your 2950 have EI, then you can set up an ACL on the ports.
    You have to be a bit careful, though, in that DHCP is a subset of
    the bootp protocol, so if the hosts have legitimate use of bootp
    then distinguishing could be tricky. bootp has uses for remote
    booting, such as of "diskless" stations, or of remotely obtaining
    installation tools [e.g., for installing SGI's IRIX from a remote
    system.] You might be able to get away with just not allowing those
    uses, perhaps.

    http://www.cisco.com/en/US/products...ommand_reference_chapter09186a0080150b7b.html

    The models that have EI software are the 2950G series, 2950C series,
    and the 2950T-24 . In particular, the 2950T-48 does NOT have EI,
    and the models with no letters or with SX do not have it either.
    The models that have SI (Standard Image) CANNOT be upgraded to EI.

    http://www.cisco.com/warp/public/cc/pd/si/casi/ca2950/prodlit/sssis_ds.htm

    http://www.cisco.com/warp/public/cc/pd/si/casi/ca2950/prodlit/sseis_ds.htm
    --
    Perposterous!! Where would all the calculators go?!
    Walter Roberson, Oct 31, 2003
    #3
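    The rogue-server discovery John Smith mentions, combined with Walter's point that DHCP is a subset of BOOTP, as an added Python example that is not from anyone in this thread: it parses a captured BOOTP/DHCP UDP payload, treats a server reply that carries no DHCP message type (option 53) as plain BOOTP rather than DHCP, and flags OFFER/ACK/NAK replies whose server identifier is not the PIX. The PIX address 192.168.1.1, the packet builder and the packets themselves are constructed for the example.

```python
import struct
from ipaddress import ip_address

# The PIX that should be the only DHCP server; its address is a constructed example.
AUTHORIZED_SERVERS = {"192.168.1.1"}
MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie that marks a DHCP options area
DHCP_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def parse_bootp(payload):
    """Parse the UDP payload of a BOOTP/DHCP message (RFC 951 header, RFC 2132 options)."""
    if len(payload) < 240:
        raise ValueError("payload too short for a BOOTP header")
    yiaddr, siaddr = (str(ip_address(payload[i:i + 4])) for i in (16, 20))
    msg = {"op": payload[0], "yiaddr": yiaddr, "siaddr": siaddr, "options": {}}
    if payload[236:240] != MAGIC:
        return msg                    # plain BOOTP: vendor area but no DHCP options
    i = 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def classify(payload):
    """Return (verdict, server_ip) for one captured BOOTP/DHCP payload."""
    m = parse_bootp(payload)
    if m["op"] != 2:
        return ("client-request", None)   # BOOTREQUEST: only ever sent by clients
    sid = m["options"].get(54)            # DHCP server identifier, if present
    server_ip = str(ip_address(sid)) if sid else m["siaddr"]
    mtype = m["options"].get(53)
    if mtype is None:
        return ("bootp-reply", server_ip) # no option 53: plain BOOTP (e.g. diskless boot), not DHCP
    kind = DHCP_TYPES.get(mtype[0], "other")
    prefix = "authorized-" if server_ip in AUTHORIZED_SERVERS else "rogue-"
    return (prefix + kind, server_ip)     # any server reply not from the PIX is rogue

def build_reply(server_ip, yiaddr, msg_type=None):
    """Construct a minimal BOOTREPLY for testing; msg_type=None gives a plain BOOTP reply."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + ip_address(yiaddr).packed + ip_address(server_ip).packed + bytes(4)
    hdr += bytes(16 + 64 + 128)           # chaddr, sname, file: zeroed
    if msg_type is None:
        return hdr + bytes(64)            # BOOTP vendor area without the magic cookie
    opts = bytes([53, 1, msg_type, 54, 4]) + ip_address(server_ip).packed + b"\xff"
    return hdr + MAGIC + opts
```

    Feed `classify` the UDP payloads of port 67 to 68 traffic seen on the student VLAN; anything that comes back as `rogue-*` is a server answering on a port that should only carry client requests.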
  4. Richard Deal (Guest)

    Do the student PCs need to talk to each other?

    If not, then set up a private VLAN, where each student port is isolated and
    the PIX is connected to a promiscuous port. Then, if a student intentionally
    or accidentally installs a DHCP server, the only devices that will see this
    are the switch and the PIX.

    Hope this helps!

    Cheers!
    --

    Richard A. Deal

    Visit my home page at http://home.cfl.rr.com/dealgroup/

    Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
    Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
    CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram

    Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
    exams on the market.

    Richard Deal, Nov 2, 2003
    #4
  5. CCIE8122 (Guest)

    Without a doubt, use private VLANs.

    kr
    CCIE8122, Nov 3, 2003
    #5
  6. Geert Nijs (Guest)

    If user ports have to be configured in one VLAN, then use VACLs (VLAN
    Control Access Lists) if your software supports it.

    Kind regards,
    Geert

    Geert Nijs, Nov 3, 2003
    #6
  7. Private VLANS sounds like the way to go on this. Many thanks to all of you
    for your suggestions.

    --
    Jeremy Whitley

    Jeremy Whitley, Nov 3, 2003
    #7