Security for the switches

razam Member Posts: 39
Dear All,

Need help in solving one network problem.

I have configured Cisco 2960 switches for some residential buildings. All the switches are directly connected to the core switch, a Cisco 4500.
The end users are connecting access points/small routers instead of PCs, so they are advertising IP addresses on the network. Because of this, there is a disruption in the internet connectivity of other users; there is a conflict in IP addresses.

I want all the users to get IP addresses only from the DHCP pool which I have configured on my core switch, not from the access points/small routers that the end users are connecting.

What can be done to prevent this? Switch port security? Or some other security policy?

Right now the port configuration is:

int range fa 0/1 - 48
switchport mode access
switchport access vlan 10
speed 10
duplex full
spanning-tree portfast


  • SecurityThroughObscurity Member Posts: 212
    Why are the routers advertising IP addresses to the WAN link?
  • razam Member Posts: 39
    This network is meant for residential users so that they can connect their laptops or desktops, get an IP address and connect to the internet. But end users are connecting access points at the end point so that they can use several devices (smartphones, laptops etc.). Doing this, their access points are also advertising IP addresses to the whole network.

    I want to prevent this, so that the device which an end user connects does not advertise IP addresses to other ports of the Cisco 2960 switch. I don't have control over the end devices which users are connecting.
    I can only put security configuration on my Cisco 2960 switch.

    Is there a way that I can block this? If the end user connects an access point and it tries to advertise the IP addresses configured in its DHCP pools, it should not be advertised on my network.
  • SecurityThroughObscurity Member Posts: 212
  • razam Member Posts: 39
    Thank you for the information. I have read the details on this, and this is exactly what I want to implement in my network.

    Thank you very much.
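
One switch-side control for the problem described in this thread is DHCP snooping, which drops DHCP server replies that arrive on untrusted access ports so that only the core's pool can hand out addresses. This is an added example, not configuration from any poster; VLAN 10 and the Fa0/1 - 48 range come from the posted port configuration, while the uplink name GigabitEthernet0/1 and the rate value 15 are assumptions.

```cisco
! Enable DHCP snooping globally, then for the user VLAN from the posted config
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The access switch inserts option 82 into client requests by default.
! Assumption: the DHCP server on the core does not expect option 82, so
! insertion is turned off here; keep it on if the core is set up to use it.
no ip dhcp snooping information option
!
! Uplink toward the 4500 core (interface name is an assumption).
! Only a trusted port may forward DHCP server messages (OFFER/ACK/NAK).
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! User ports are untrusted by default, so a home router's DHCP offers
! received here are dropped. The rate limit (packets per second, value is
! an assumption) err-disables a port that floods DHCP traffic.
interface range FastEthernet0/1 - 48
 ip dhcp snooping limit rate 15
!
! Verification from privileged EXEC:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```

Trust only the port that leads to the legitimate DHCP server; marking a user port trusted removes the protection for everyone in VLAN 10.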