How to Block Rogue DHCP Servers on Cisco Equipment Using ACLs?

The CORE RING of our fiber optic network has an IP of 10.150.1.1; in that ring are several dorm buildings. Each building has an address in the ring address range subnet, i.e. Dorm 2 has 10.23.1.1. This building's CORE address is set up in a Layer 3 Cisco 3560. Routes for all traffic go to 10.150.1.1. Our DHCP server is in another building with an address of 10.50.1.200.

The CORE Layer 3 in Dorm 2 has a VLAN 2 set up with IP 10.32.1.1.

From there, the second set of Gig fiber ports 1 & 2 are ring in and ring out. Ports 3 & 4 are ring in and ring out from the first and sixth floors. All other floors jump from floor to floor, connecting 2950s at Layer 2.

So we have the Layer 3 3560: port 1 ring in, port 2 ring out, port 3 to floor 2's 2950; floor 2 to 3 to 4 to 5 to 6, and floor six's 2950 goes back to floor 1's 3560, completing the ring.

All the 2950 switches use an ip helper-address of 10.50.1.200.

In the 3560 and all 2950 switches we have:

ip access-list extended block_students
deny tcp any any eq 135
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any eq telnet
permit ip any any

On only the FastEthernet ports we have:
ip access-group block_students in

I have been reading about blocking eq 67 and 68 (bootpc and bootps).

I only want to block servers from coming from the FastEthernet ports.

What I would like to do, without using DHCP snooping, is add an ACL to block just one of the protocols, either 67 or 68, coming from the FastEthernet ports. It isn't clear from anything I have read which is which, because it depends on which way you're coming in from. Could I make another ACL and add a second rule on the FastEthernet ports such as the following, and if so, which would I do, 67 or 68?

ip access-list extended block_dhcp
deny udp any any eq bootpc

or

ip access-list extended block_dhcp
deny udp any any eq bootps

and on the FastEthernet ports
do ip access-group block_dhcp out?
Update: Well, what happens is we get new students in every semester and, unavoidably, some student connects a WAP into the port in their room but connects the cable into the LAN side instead of the WAN side. Next thing you know, students are calling in that their internet is not working; we investigate and they have private addresses from Linksys and the like routers vs. our 10. scheme, so obviously it is not working. I really just wanted to add a line into the current ACL so there was only one ACL. I may just create a second and apply it to one port to test. In our panel we only use about 32 of the 48 ports on each floor, so I could safely test a few to see if I receive an IP or not and plug a WAP in backwards to see if the floor goes down or not.
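As an added example that is not part of the question or of any answer, the following Python script models Cisco IOS extended-ACL matching (first match wins, implicit deny at the end) for constructed DHCP packets arriving inbound on a student FastEthernet port; the ACL lines and the packets are assumptions for illustration, not the switches' real configuration.

```python
"""Offline model of Cisco IOS extended-ACL matching (first match wins, implicit
deny at the end) for DHCP packets arriving inbound on a student access port.
The ACL text and the packets below are constructed assumptions, not real config."""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23,
              "netbios-ns": 137, "netbios-dgm": 138}
def parse_ace(line):
    """Parse 'permit|deny proto src [eq p] dst [eq p]' (only 'any' endpoints)."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    ports = []
    for _ in ("source", "destination"):
        if tok.pop(0) != "any":
            raise ValueError("only 'any' endpoints are modelled: " + line)
        port = None
        if tok and tok[0] == "eq":
            name = tok[1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            tok = tok[2:]
        ports.append(port)
    return action, proto, ports[0], ports[1]
def evaluate(acl, proto, sport, dport):
    """Return (action, matching ACE text); implicit deny when nothing matches."""
    for line in acl:
        action, p, s, d = parse_ace(line)
        if p in ("ip", proto) and s in (None, sport) and d in (None, dport):
            return action, line
    return "deny", "<implicit deny>"
# A rogue server's OFFER/ACK leaves the room with SOURCE port 67 (bootps),
# so the inbound port ACL denies by source port; the student's own
# DISCOVER/REQUEST (src 68 -> dst 67) still reaches the helper address.
BLOCK_STUDENTS = [
    "deny udp any eq bootps any",      # hypothetical extra line for rogue servers
    "deny tcp any any eq 135",
    "deny udp any any eq netbios-ns",
    "deny udp any any eq netbios-dgm",
    "deny tcp any any eq 139",
    "deny tcp any any eq 445",
    "deny tcp any any eq telnet",
    "permit ip any any",
]
def rogue_offer_blocked():     return evaluate(BLOCK_STUDENTS, "udp", 67, 68)[0] == "deny"
def client_discover_allowed(): return evaluate(BLOCK_STUDENTS, "udp", 68, 67)[0] == "permit"
# A one-line 'block_dhcp' list with no permit ends in the implicit deny,
# so applied alone it would drop everything else on that port (e.g. HTTP):
def lone_deny_drops_web():     return evaluate(["deny udp any any eq bootpc"], "tcp", 51000, 80)[0] == "deny"
# Denying DESTINATION port 67 instead would block the student's own request:
def dst_bootps_blocks_clients(): return evaluate(["deny udp any any eq bootps", "permit ip any any"], "udp", 68, 67)[0] == "deny"
```

Port ACLs on these Catalyst access ports are applied inbound, so the test packets above are modelled as entering the switch from the room.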