7

How can I prevent a duplicate DHCP server on a network from interfering? Is it possible?

I am not asking for any actual scenario that is happening, just curiosity. In my apartment complex there is a network and internet provided, someone caused problems with the entire network because they plugged in their wireless router which had a DHCP server enabled.

How would you prevent such conflicts / problems on a network, or is it impossible short of firewalling and controlling the machines on your network?

4 Answers

6

Any kind of network security is impossible, short of strictly controlling access to the network. If you are allowing people to plug in a random piece of hardware, that hardware happens to be running a DHCP server, and that server thinks it should be handing out addresses, you will have conflicts.

The best solution I can think of with no other changes in your environment is to determine which network port the rogue DHCP server is running on and shut it down. You can do that manually for rare/occasional issues, but there are also Intrusion Prevention Systems that can do this by recognizing that a DHCP reply was sent from an unauthorized MAC address, determining which switch port is associated with that MAC, and disabling the port (Cisco has software that can do this, and you can also probably configure Snort to do it with some work).

A better solution is probably to segment your network so each apartment/user gets a VLAN. This avoids one rogue device affecting your entire complex.

voretaq7
  • 80,749
2

By enabling "DHCP Snooping" on a managed switch which supports that feature.

user48838
  • 7,419
0

When your computer needs DHCP support it broadcasts a DHCP request message on the local network. If there is more than one DHCP server on the network segment, the first DHCP server that responds will be the DHCP server that provides the necessary information to your computer.

fpmurphy
  • 841
0

There is another potential option, which would be to deny only the DHCP responses inbound from all physical ports except for the port connected to the valid server - UDP destination port 68 (pretty sure, 67/68 are bootps/bootpc).

This way, you don't prevent clients from requesting addresses, but you prevent anything not connected to your allowed ports from responding. You'd want this only at the edge of the network, direct access ports etc.
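The two switch-side rules above (the IPS/snooping check in voretaq7's answer: DHCP replies only from an authorized server MAC, and the port filter in this answer: UDP destination port 68 allowed only from the trusted port) reduce to one classification of each ingress frame. The code below is an added illustration of that decision, not code from any answer or product; the port name, MACs and packets are constructed sample values.

```python
# Classify DHCP traffic the way a DHCP-snooping / IPS rule would:
# server-to-client messages are only acceptable from trusted ports and MACs.
TRUSTED_PORTS = {"Gi1/0/48"}                 # assumed uplink to the real DHCP server
TRUSTED_SERVER_MACS = {"00:11:22:33:44:55"}  # constructed example value
DHCP_MAGIC = b"\x63\x82\x53\x63"             # magic cookie that follows the 236-byte BOOTP header
BOOTREPLY = 2
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends


def dhcp_message_type(payload: bytes):
    """Return the DHCP message type (option 53) from a BOOTP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None


def classify(frame: dict) -> str:
    """frame keys: src_mac, ingress_port, udp_sport, udp_dport, payload (bytes).
    Returns "allow" or a drop+alert string naming the rogue source."""
    if frame["udp_dport"] != 68:          # only server-to-client DHCP is policed
        return "allow"
    msg_type = dhcp_message_type(frame["payload"])
    if frame["payload"][0:1] != bytes([BOOTREPLY]) or msg_type not in SERVER_MSG_TYPES:
        return "allow"
    if frame["ingress_port"] in TRUSTED_PORTS and frame["src_mac"] in TRUSTED_SERVER_MACS:
        return "allow"
    return (f"drop+alert: rogue DHCP {SERVER_MSG_TYPES[msg_type]} "
            f"from {frame['src_mac']} on {frame['ingress_port']}")


def build_reply(msg_type: int) -> bytes:
    """Constructed minimal BOOTREPLY carrying only the message-type option."""
    header = bytes([BOOTREPLY]) + b"\x00" * 235   # op byte plus zeroed fixed header
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
```

A client DISCOVER (UDP destination 67) passes untouched, so clients can still request addresses; only replies from an untrusted port or MAC are dropped and reported.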