Preventing duplicate DHCP server on network

Any kind of network security is impossible, short of strictly controlling access to the network. If you are allowing people to plug in a random piece of hardware, that hardware happens to be running a DHCP server, and that server thinks it should be handing out addresses, you will have conflicts.

The best solution I can think of with no other changes in your environment is to determine which network port the rogue DHCP server is running on and shut it down. You can do that manually for rare/occasional issues, but there are also Intrusion Prevention Systems that can do this by recognizing that a DHCP reply was sent from an unauthorized MAC address, determining which switch port is associated with that MAC, and disabling the port (Cisco has software that can do this, and you can also probably configure Snort to do it with some work).

A better solution is probably to segment your network so each apartment/user gets a VLAN. This avoids one rogue device affecting your entire complex.
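As an added illustration of the detection step this answer describes (example code written for this page, not the answerer's or any IPS vendor's), here is an offline check that flags DHCP OFFER/ACK replies whose source MAC is not on an allowlist of known servers. The allowlist MAC, the server IPs and the frames are constructed, hypothetical values.

```python
# Constructed allowlist of legitimate DHCP server MACs (hypothetical value).
AUTHORIZED_SERVER_MACS = {"00:11:22:33:44:55"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5                  # DHCP message types (option 53) sent by a server


def parse_dhcp_options(payload):
    """Parse TLV options after the magic cookie into {code: value_bytes}."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end marker
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def check_frame(src_mac, bootp):
    """Return None for benign traffic, or an alert string for a server reply
    from a MAC that is not in the allowlist (the condition an IPS would act on)."""
    if len(bootp) < 240 or bootp[0] != 2:          # op 2 = BOOTREPLY
        return None
    if bootp[236:240] != DHCP_MAGIC:
        return None
    opts = parse_dhcp_options(bootp[240:])
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (OFFER, ACK):
        return None
    if src_mac.lower() in AUTHORIZED_SERVER_MACS:
        return None
    sid = opts.get(54, b"")
    server_ip = ".".join(str(b) for b in sid) if len(sid) == 4 else "unknown"
    kind = "OFFER" if msg_type == OFFER else "ACK"
    return f"rogue DHCP {kind} from {src_mac} (server identifier {server_ip})"


def build_bootp_reply(server_ip, msg_type):
    """Construct a minimal BOOTREPLY carrying options 53 and 54 (sample input)."""
    hdr = bytearray(240)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                # op, htype=Ethernet, hlen
    hdr[236:240] = DHCP_MAGIC
    sid = bytes(int(x) for x in server_ip.split("."))
    return bytes(hdr) + bytes([53, 1, msg_type, 54, 4]) + sid + b"\xff"
```

In a real deployment the MAC-to-port lookup and port shutdown would follow this check; here only the classification is shown.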


By enabling "DHCP Snooping" on a managed switch which supports that feature.