How to prevent other unwanted DHCP servers


I have a network with a DHCP server and RADIUS authentication.

Clients connect to my network, get a DHCP address, enter the signing in page, input their prepaid cards, and get to the Internet.

We sometimes see some clients (was once malicious) connect a router to one of my Access Points and they don't disable DHCP functionality on that router… The entire network falls apart, until we disconnect that actor or re-configure his router correctly to disable DHCP, and allow that router to take a DHCP lease from the main DHCP server we control.

So How do I force my network to only honor the DHCP server I control?

In fact, the whole problem I see now is a packet loop. I'm assuming it's someone who's connected a wrongly configured router with DHCP enabled. So I'm trying to disallow anyone from assuming DHCP role.

DHCP Server is at (RouterBoard device)

Network Diagram

Best Answer

You can't prevent someone from activating DHCP, but you can set up your RouterBoard with 'Rogue DHCP Detection', and either alert you when that occurs, or (with additional scripting / automation) programmatically block their switch port or Wifi access.

On your DHCP server, the alert would look like:

00:34:23 dhcp,critical,error,warning,info,debug dhcp alert on Public:
    discovered unknown dhcp server, mac 00:02:29:60:36:E7, ip

See for more details.

Related Topic