Hey, guys. First post and newly-minted network engineer in higher ed here. I was very recently promoted into this position and inherited some issues that I'd like to resolve.
We have some old 3500-series switches (no DHCP snooping feature) still servicing a couple of our campus dorms, with another Cisco device acting as the DHCP, upstream. Each building has its own VLAN and all dorm networks are under a single "Dorm" VTP domain. For Wi-Fi access in the rooms, it's a BYOD policy, with students plugging in their home Wi-Fi access devices, then our equipment taking care of DHCP and DNS.
Now, the guy before me had this issue, for years, of these things being plugged into these Cisco 3500-serviced buildings and all of a sudden we've got a dozen DHCP servers answering and resolving DHCP Request broadcasts, which would result in a whole bunch of people not NAT'ing out properly, thus no internet access, thus assuming the network is down in the building half the time. This obviously leads to complaints. Many of them. I've been aggressively Wiresharking these VLANs for the DHCP offers and disabling those ports, then trying to follow up with the user, but this is such an unbelievable time suck and only a band-aid for the problem. I've also been telling anyone who will listen to me to tell these students to change their Wi-Fi access devices to access-point mode, which will stop them from DHCP'ing. It's an uphill battle I'll never win.
We're already trying to lobby for better equipment (believe me, it's been asked for, for a very long time), but is there another solution on these 3500s I should be looking into, for the immediate future, that I'm not thinking of?
Any advice would be greatly appreciated. I'm running out of hair to pull out.
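The manual Wiresharking described in the post can be automated on a switch that lacks DHCP snooping: capture the DHCP server replies on the dorm VLAN, pull the server identifier (option 54) out of each OFFER/ACK, and compare it with the one DHCP server that is supposed to answer. The script below is an added example, not code from the post or its author; the authorized server address 10.10.1.1, the rogue address 192.168.1.1 and the two packets themselves are constructed for the demonstration. It parses the BOOTP header and DHCP options directly, so any source of raw UDP payloads (a pcap reader, a raw socket on the VLAN interface) can be plugged in.

```python
"""Flag DHCP OFFER/ACK packets whose server identifier is not on the allowlist."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumption for this example: the upstream Cisco device is the only legitimate server.
AUTHORIZED_DHCP_SERVERS: Set[str] = {"10.10.1.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_OFFER, MSG_ACK = 2, 5


@dataclass
class DhcpSummary:
    msg_type: int
    server_id: Optional[str]   # option 54, the address the server claims for itself
    offered_ip: str            # yiaddr
    client_mac: str            # chaddr, first 6 bytes


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> DhcpSummary:
    """Parse the UDP payload of a DHCP message (BOOTP header + options)."""
    # Fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    offered_ip = _ipv4(payload[16:20])                       # yiaddr
    client_mac = ":".join(f"{x:02x}" for x in payload[28:34])  # chaddr
    msg_type, server_id = None, None
    i = 240
    while i < len(payload):
        opt = payload[i]
        if opt == 0:            # pad option, single byte
            i += 1
            continue
        if opt == 255:          # end option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if opt == 53 and length == 1:
            msg_type = value[0]
        elif opt == 54 and length == 4:
            server_id = _ipv4(value)
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP message type option (53) missing")
    return DhcpSummary(msg_type, server_id, offered_ip, client_mac)


def is_rogue_offer(s: DhcpSummary, authorized: Set[str] = AUTHORIZED_DHCP_SERVERS) -> bool:
    """Only server-originated messages matter; anything not from the allowlist is rogue."""
    if s.msg_type not in (MSG_OFFER, MSG_ACK):
        return False
    return s.server_id not in authorized


def find_rogue_offers(payloads: List[bytes],
                      authorized: Set[str] = AUTHORIZED_DHCP_SERVERS) -> List[DhcpSummary]:
    """Return the parsed summaries of every rogue OFFER/ACK in a batch of payloads."""
    rogues = []
    for p in payloads:
        try:
            s = parse_dhcp(p)
        except ValueError:
            continue  # not DHCP, skip silently
        if is_rogue_offer(s, authorized):
            rogues.append(s)
    return rogues


def build_dhcp_reply(msg_type: int, server_id: str, yiaddr: str, client_mac: str) -> bytes:
    """Construct a minimal BOOTREPLY for testing (constructed sample, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=2, htype=1, hlen=6
    hdr += bytes(4)                                               # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))               # yiaddr
    hdr += bytes(8)                                               # siaddr + giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + bytes(10)  # chaddr padded to 16
    hdr += bytes(192)                                             # sname + file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])
    opts += bytes([54, 4]) + bytes(int(o) for o in server_id.split("."))
    return hdr + opts + b"\xff"


# Constructed sample traffic: one legitimate offer, one from a student's home router.
SAMPLE_PACKETS = [
    build_dhcp_reply(MSG_OFFER, "10.10.1.1", "10.10.4.57", "aa:bb:cc:00:11:22"),
    build_dhcp_reply(MSG_OFFER, "192.168.1.1", "192.168.1.100", "aa:bb:cc:00:11:22"),
]

if __name__ == "__main__":
    for r in find_rogue_offers(SAMPLE_PACKETS):
        print(f"ROGUE DHCP server {r.server_id} offered {r.offered_ip} to {r.client_mac}")
```

The client MAC in each rogue hit is what you actually need: look it up in the switch's MAC address table to find the port the offending device is on, which is the step the post describes doing by hand after reading the capture. Note that option 54 is whatever the rogue device puts there; a device can omit it, so an OFFER/ACK with no server identifier is also reported as rogue by this logic.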