Preventing duplicate DHCP server on network

networking dhcp duplicity

Any kind of network security is impossible, short of strictly controlling access to the network. If you are allowing people to plug in a random piece of hardware, that hardware happens to be running a DHCP server, and that server thinks it should be handing out addresses, you will have conflicts.

The best solution I can think of with no other changes in your environment is to determine which network port the rogue DHCP server is running on and shut it down. You can do that manually for rare/occasional issues, but there are also Intrusion Prevention Systems that can do this by recognizing that a DHCP reply was sent from an unauthorized MAC address, determine which switch port is associated with that MAC & disabling the port (Cisco has software that can do this, and you can also probably configure Sort to do it with some work).

A better solution is probably to segment your network so each apartment/user gets a vLAN. This avoids one rogue device affecting your entire complex.


By enabling "DHCP Snooping" on a managed switch which supports that feature.

Related

How brittle are fiber cables?
Nginx + php-fpm VS Nginx as a reverse proxy for Apache
How to reproduce http traffic of a real site in another environment (e.g. VM)
The benefits of using statsd?
Control SSL Cipher Priority/Order for Tomcat to avoid BEAST attack
System Claims to be Rebooting without Shutdown Running
What are some ways to prevent user cron jobs from crushing the servers?
How to call a puppet filetemplate twice with different parameters without using define?
Run application as root without sudo
How to start a rake task using upstart
Is there a way to control two instantiated systemd services as a single unit?
Installing IIS on Win Server 2003 without the installation CD?