Blake Hudson blake at
Wed Mar 9 18:34:31 UTC 2011

>    The students are prone to plugging in their linksys routers
> backwards, thus handing out DHCP IP's to each other in competition
> with the proper linux server IP's that they are supposed to get.  Yes
> I know VLANing the mess would stop this.
>    The program I have sends a DHCP DISCOVER, so that I can see
> the responses from the errant student router.  Once I have his
> MAC address from the tcpdump of his response, I can find his port
> on the switch system and lock him out.

I don't know that VLANs would solve the problem, although they may limit
the damage.

Typically, the solution for your problem - which is also often easier
than implementing VLANs and associated routing, client/network
re-configuration, etc - is to use DHCP snooping. DHCP snooping prevents
DHCP offers and acks from all switchports that are not an authorized DHCP
server. Advanced features such as discover or request rate limiting on
client switchports are sometimes thrown in for icing.

Sounds like you have a managed switch, so I would suggest you check into
its DHCP snooping options.

If there are no specific DHCP options, but the switch supports layer3
access lists, you could block source port UDP port 67 and/or destination
port UDP 68 from client switchports, as this would effectively shut down
DHCP offers and acks that originate from these switchports.
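As an added illustration of the two controls described in this reply (this is example code written for this page, not code from the list post or from any switch vendor), the following Python models both policies in software: the DHCP snooping rule, which parses each DHCP message and forwards server-side messages (OFFER/ACK/NAK) only when they arrive on a port marked trusted, and the cruder layer 3/4 access-list rule, which drops anything with UDP source port 67 or destination port 68 on a client port without looking inside the packet. The port names, MAC addresses, IP addresses and packet bytes are constructed sample data; `trusted_ports`, `snoop` and `acl_verdict` are names chosen here, not switch configuration keywords.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # only a DHCP server legitimately sends these


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str
    chaddr: str
    msg_type: str
    server_id: Optional[str]


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header plus options 53 (message type) and 54 (server id)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    yiaddr = _ip(payload[16:20])
    chaddr = ":".join(f"{x:02x}" for x in payload[28:28 + hlen])
    msg_type, server_id = None, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated DHCP option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], f"type{value[0]}")
        elif code == 54 and length == 4:
            server_id = _ip(value)
        i += 2 + length
    if msg_type is None:
        raise ValueError("missing DHCP message type option")
    return DhcpMessage(op, xid, yiaddr, chaddr, msg_type, server_id)


def build_packet(op: int, xid: int, yiaddr: str, chaddr: bytes,
                 msg_type_code: int, server_id: Optional[str] = None) -> bytes:
    """Construct a minimal DHCP packet; used only to fabricate sample traffic here."""
    pkt = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)  # op..flags
    pkt += bytes(4)                                          # ciaddr
    pkt += bytes(int(x) for x in yiaddr.split("."))          # yiaddr
    pkt += bytes(8)                                          # siaddr, giaddr
    pkt += chaddr + bytes(16 - len(chaddr))                  # chaddr, padded to 16
    pkt += bytes(192)                                        # sname + file, unused
    pkt += DHCP_MAGIC + bytes([53, 1, msg_type_code])
    if server_id:
        pkt += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return pkt + b"\xff"


# (ingress switchport, source MAC, DHCP payload)
Frame = Tuple[str, str, bytes]
Verdict = Tuple[str, str, str, str, Optional[str]]


def snoop(frames: List[Frame], trusted_ports: set) -> List[Verdict]:
    """DHCP snooping: server messages are forwarded only from trusted ports.
    A DROP verdict carries the source MAC, which is what you look up in the
    switch MAC table to find the offending port."""
    out = []
    for port, src_mac, payload in frames:
        msg = parse_dhcp(payload)
        action = "DROP" if (msg.msg_type in SERVER_MSGS and port not in trusted_ports) else "FORWARD"
        out.append((action, port, src_mac, msg.msg_type, msg.server_id))
    return out


def acl_verdict(port: str, udp_src: int, udp_dst: int, trusted_ports: set) -> str:
    """Layer 3/4 ACL alternative: on client ports block UDP sport 67 or dport 68."""
    if port not in trusted_ports and (udp_src == 67 or udp_dst == 68):
        return "DROP"
    return "FORWARD"


def demo() -> List[Verdict]:
    """Three constructed frames: a legitimate OFFER, a rogue OFFER, a client DISCOVER."""
    trusted = {"Gi1/0/1"}                               # port facing the real Linux DHCP server
    server_mac, rogue_mac, client_mac = (b"\x00\x11\x22\x33\x44\x55",
                                         b"\x00\x1e\xe5\xaa\xbb\xcc",
                                         b"\x00\x26\xb9\x12\x34\x56")
    frames = [
        ("Gi1/0/1", "00:11:22:33:44:55",
         build_packet(2, 0xDEADBEEF, "10.10.5.77", client_mac, 2, "10.10.5.1")),
        ("Gi1/0/17", "00:1e:e5:aa:bb:cc",             # a backwards-plugged home router
         build_packet(2, 0xDEADBEEF, "192.168.1.100", client_mac, 2, "192.168.1.1")),
        ("Gi1/0/17", "00:26:b9:12:34:56",
         build_packet(1, 0xDEADBEEF, "0.0.0.0", client_mac, 1)),
    ]
    return snoop(frames, trusted)


if __name__ == "__main__":
    for v in demo():
        print(*v)
```

The snooping model keys on the DHCP message type, so client DISCOVER/REQUEST traffic on untrusted ports passes untouched while a rogue OFFER is dropped and its source MAC recorded; the ACL form needs no parsing but blocks on port numbers alone, which is why the reply presents it as the fallback when the switch has no DHCP-specific options.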

