How can I stop DHCP being served to a group of ports on one particular switch on a particular VLAN?

2025-01-24 12:23:56

I have a need to prevent devices with a specific VLAN tag from receiving DHCP on a group of ports on one particular switch - they instead must be set as statics. I want to force this so the users must set a static on the device before it can work rather than relying on DHCP. I need DHCP to continue to serve all the rest of the network as normal for that VLAN.

Things I have tried:

Switch ACL to prevent "Network - Tech" > DHCP Server IP Ports 67-68 UDP applied to only that group of switch ports specifically

Switch ACL to prevent DHCP Server IP Ports 67-68 UDP > "Network - Tech" applied to only that group of switch ports specifically (reverse of above)

Switch ACL to prevent UDP Ports 67-68 > IPgroup_Any applied to only those ports

Switch ACL to prevent IPgroup_Any > UDP Ports 67-68 applied to only those ports (reverse of above)

I have tried the above 4 ACLs using the DHCP server's source switch port instead

I have tried using the DHCP server's MAC address in a MAC group, and used ACLs in both directions to and from it.

I still always get DHCP served on those ports!

WHY ?????

The only way I can seem to block DHCP is a blanket UDP 67-68 > IP_Group_Any applied to all switch ports across the entire network.

Can anyone assist?

Re:How can i stop DHCP being served to a group of ports on one particular switch on a particular vlan?
2025-01-26 08:33:13

Hi @GRL 

Thanks for posting in our business forum.

Prevent the GW IP instead of any. Block the GW IP (DHCP server IP) in that broadcast range.

Re:How can i stop DHCP being served to a group of ports on one particular switch on a particular vlan?
2025-01-26 08:38:36

@Clive_A

I have tried that

ACL

Block UDP 67-68 <> GW IP. those switch ports only

DHCP still passes!

Re:How can i stop DHCP being served to a group of ports on one particular switch on a particular vlan?
2025-01-26 08:46:32

Hi @GRL 

Thanks for posting in our business forum.

GRL wrote:

> @Clive_A
>
> I have tried that
>
> ACL
>
> Block UDP 67-68 <> GW IP. those switch ports only
>
> DHCP still passes!

DHCP IP still got assigned to the clients?

Rule 1 IP-Port subnet of this VLAN, port UDP 67 68

Rule 2 GW IP to VLAN, port 66 67. The GW IP means the IP in that VLAN. Not the default VLAN 192.168.0.1, for example.

VLAN 10.0.0.0/24, IP is 10.0.0.1/24 if you configure it.

Re:How can i stop DHCP being served to a group of ports on one particular switch on a particular vlan?
2025-01-26 08:50:33

@GRL

Yes, this is exactly what I tried

VLAN 6 (not management)

GW IP 192.168.6.254

Switch ACL

192.168.6.0/24 UDP port 67-68  ..........  192.168.6.254 UDP port 67-68     Applied to Switch 3 ports 1-8 only

I tried it the other way around as well, and also as one and the reverse in a separate ACL

DHCP always passed.

DHCP doesn't pass if I apply the rule to all switch ports. It only doesn't work if I apply it to a selection of ports on any particular switch.

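The ACL rules tried in this thread, checked against the packets of a DHCP lease exchange, as an added example that is not part of any post. It models IP and UDP port matching only and assumes nothing about how the switch binds an ACL to ports; the VLAN 6 addresses come from the last post, while the client address 192.168.6.50, the rule names and the broadcast replies are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical label, not a switch setting
    src_net: str
    dst_net: str
    ports: range = range(67, 69)   # UDP 67-68 on both sides, as in the posts

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and p.sport in self.ports and p.dport in self.ports)

SERVER = "192.168.6.254"   # GW IP / DHCP server for VLAN 6 (from the thread)

# Constructed packets. Per RFC 2131 a client without a lease sends from
# 0.0.0.0 to the limited broadcast address; replies are shown as broadcast
# (client set the broadcast flag). RENEW is a later unicast renewal.
EXCHANGE = [
    Packet("DISCOVER", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("OFFER", SERVER, 67, "255.255.255.255", 68),
    Packet("REQUEST", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("ACK", SERVER, 67, "255.255.255.255", 68),
    Packet("RENEW", "192.168.6.50", 68, SERVER, 67),
]

RULES = [
    Rule("subnet->gw", "192.168.6.0/24", "192.168.6.254/32"),
    Rule("gw->subnet", "192.168.6.254/32", "192.168.6.0/24"),
    Rule("any->any", "0.0.0.0/0", "0.0.0.0/0"),
]

def matched(rule: Rule) -> list[str]:
    """Names of the exchange packets this deny rule would catch."""
    return [p.name for p in EXCHANGE if rule.matches(p)]

if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule.name:12} blocks {matched(rule) or 'nothing'}")
```

In this model the subnet and gateway rules miss the initial exchange, because a client with no lease sends DISCOVER and REQUEST from 0.0.0.0 to 255.255.255.255 and neither address falls inside 192.168.6.0/24. Only a rule that matches UDP 67-68 regardless of address covers all four messages.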