backwards router issue

xaxx

Hi,

We run the network on a student residence. We are using 8600 for routing and Baystack 470 at the access layer. Each student room has a network jack that goes back to a port on the 470 stacks in the IT closets. We run DHCP on these networks.
Here is where we are having a problem. Students move in and hook up their home router to the network jack in the room. For the most part this is not a problem, except that there are always students that end up hooking up the LAN port of their home router to the network jack, causing their router to start advertising itself on our network, and other students' computers start getting their DHCP leases from the culprit home router instead of our DHCP server. Needless to say, no one is doing any surfing, as the WAN port of the culprit router is connected to the problem student's PC.
Using Wireshark we can sniff the traffic, find the problem user and shut down his port, and the other students start getting their addresses from our server again.
Is there something we can do to prevent this from happening? Ideas are very welcome.

Thank you.
 
Yes, this is what DHCP snooping is for.

I think you only need to put it on the Access switches. Hopefully the Baystack 470s support this.

Here is what it looks like on 4500/5500 config:

! *** DHCP SNOOPING ***
!
ip dhcp-snooping
no ip dhcp-snooping vlan
ip dhcp-snooping vlan 22
ip dhcp-snooping vlan 32
interface FastEthernet ALL
default ip dhcp-snooping
ip dhcp-snooping port 1/48,2/48 trusted
exit

Pretty self-explanatory - you enable DHCP snooping on all the ports, then identify your uplinks as "Trusted".

I recently had an issue on some switches with the DHCP-forwarding modifying the DHCP request and this was causing Snooping to drop them. So if it doesn't work, look and see in the logs what it is doing.
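An added example, not part of the original thread: a small Python check that automates the manual Wireshark step described in the question by flagging DHCP server replies (OFFER/ACK/NAK) whose server identifier (option 54) is not an authorized server. It assumes the frames have already been reduced to (source MAC, UDP payload) pairs; the function names, MACs and addresses are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes.fromhex("63825363")           # marks the start of DHCP options
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_options(payload):
    """Return {code: value} for the options in a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = End
        if payload[i] == 0:                        # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def find_rogue_servers(frames, authorized):
    """frames: (source MAC, UDP payload) pairs; authorized: set of server IP strings."""
    hits = set()
    for mac, payload in frames:
        try:
            opts = parse_options(payload)
        except ValueError:
            continue                               # not DHCP, or damaged: skip it
        kind = SERVER_REPLIES.get((opts.get(53) or b"\0")[0])
        if kind is None:
            continue                               # client message (DISCOVER, REQUEST, ...)
        sid = opts.get(54, b"")
        server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
        if server not in authorized:
            hits.add((mac, server, kind))          # source MAC locates the access port
    return sorted(hits)

def build_message(msg_type, server_ip=None):
    """Constructed test input: minimal payload with option 53 and, optionally, option 54."""
    sid = bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed if server_ip else b""
    return bytes(236) + MAGIC_COOKIE + bytes([53, 1, msg_type]) + sid + b"\xff"

SAMPLE = [  # constructed capture; the MACs and addresses are made up for this example
    ("00:00:5e:00:53:01", build_message(2, "10.10.0.5")),    # campus server OFFER
    ("00:00:5e:00:53:aa", build_message(2, "192.168.1.1")),  # home router OFFER
    ("00:00:5e:00:53:aa", build_message(5, "192.168.1.1")),  # home router ACK
    ("00:00:5e:00:53:10", build_message(1)),                 # client DISCOVER
]
```

Calling `find_rogue_servers(SAMPLE, {"10.10.0.5"})` reports the home router's MAC, which can then be looked up in the switch's MAC address table to find the port to shut down.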
 