Solved: Re: Block a Single IP address

angel-moon · ‎10-23-2013

Hello everyone,

I seem to have a rogue DHCP server on the network and have not been able to locate it. The switch shows it connected to switchport Po1, which I believe is the EtherChannel. can someone send me the commends or a link to blocking a single IP address from network access? router or switch level is fine. Thanks in advance!

all replies rated'\\\

mvsheik123 · ‎10-23-2013

Hello,

Try ths on the router interface/vlan interface.

!

ip access-list 100 deny udp any any eq 68 --> If i remember correct, server uses udp/68 to comunicate with clients

ip access-list 100 permit ip any any

!

int vlanx (where the rogue dhcp server located)

ip access-group 100 in

!

Thx

MS

Edit: if you know the IP address of rogue server, you can as well use host IP instead of 'any'.

Also, Cisco's recomendation is to use 'dhcp snooping'. Check cisco docs for more explanation.

View solution in original post

mvsheik123 · ‎10-23-2013

Hello,

Try ths on the router interface/vlan interface.

!

ip access-list 100 deny udp any any eq 68 --> If i remember correct, server uses udp/68 to comunicate with clients

ip access-list 100 permit ip any any

!

int vlanx (where the rogue dhcp server located)

ip access-group 100 in

!

Thx

MS

Edit: if you know the IP address of rogue server, you can as well use host IP instead of 'any'.

Also, Cisco's recomendation is to use 'dhcp snooping'. Check cisco docs for more explanation.

angel-moon · ‎10-24-2013

Thanks!

Block a Single IP address

事象：ASDM Unable to launch device manager from <IP address>

Configuring IP Helper-Address to issue IP address from DHCP Server

Nexus Dashboard: ip address / ip neigh コマンドについて

DNAC: IP Access Control の無効化("Allow all IP address to connect")手順

Catalyst 1000 にて Single IP Management 機能を利用する際の注意点