Hello Ruijie Community,

In our current network project, we encountered an issue where someone attached an unauthorized terminal device — specifically a TP-Link TL-WR820N — without proper approval or provisioning. This device started acting as a DHCP server, causing multiple DHCP conflicts and disrupting our network operations.

We are using a Ruijie RG-EG3250 as the project router, along with Ruijie access points and switches.

My questions are:

- How can we automatically detect and block unauthorized devices like this when they are connected?
- Is there a way to restrict DHCP servers only to our designated servers or enable DHCP Snooping on the RG-EG3250 or through the switches?
- Can we implement MAC address filtering, port security, or any authentication methods (such as 802.1X or ARP inspection) through Ruijie devices to prevent this kind of unauthorized attachment in the future?

Any advice, best practices, or configuration examples would be highly appreciated!

Thank you!

Jon
Dear,

May I know if you have a Ruijie or Reyee switch in this network? If so, you can enable DHCP snooping on the switch and select the port connected to the RG-EG3250 as the trusted port. In this way, packets from unauthorized devices connected to untrusted ports will not be forwarded to users, avoiding the problem of conflicts among multiple DHCP servers.

DHCP Snooping is a security feature designed to enhance network stability and security by monitoring and filtering DHCP packets between clients and servers. It ensures that only authorized DHCP servers can assign IP addresses to devices on the network, preventing issues such as:
Key Functions:
Best regards,

Micca
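
The trusted/untrusted port decision described in the reply above, sketched in Python as an added example (it is not Ruijie's implementation and not part of the original posts). The port names `Gi0/24` and `Gi0/7` and the IP addresses are constructed sample values, and `build` only assembles a minimal in-memory payload for the demo.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only servers send

def parse_dhcp(payload: bytes):
    """Return (message_type, server_id) from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg_type, server_id, i = None, None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # End option
            break
        if code == 0:                            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:           # DHCP Message Type
            msg_type = value[0]
        elif code == 54 and length == 4:         # Server Identifier
            server_id = ".".join(str(b) for b in value)
        i += 2 + length
    return msg_type, server_id

def snoop(port, payload, trusted_ports):
    """Mimic the snooping decision: server replies pass only on trusted ports."""
    msg_type, server_id = parse_dhcp(payload)
    if msg_type in SERVER_TYPES and port not in trusted_ports:
        return ("drop", f"rogue DHCP {SERVER_TYPES[msg_type]} from {server_id} on {port}")
    return ("forward", None)

def build(msg_type, server_ip=None):
    """Assemble a minimal DHCP payload (constructed sample data for the demo)."""
    op = 2 if msg_type in SERVER_TYPES else 1    # 2 = BOOTREPLY, 1 = BOOTREQUEST
    pkt = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232) + MAGIC
    pkt += bytes([53, 1, msg_type])
    if server_ip:
        pkt += bytes([54, 4]) + bytes(int(o) for o in server_ip.split("."))
    return pkt + b"\xff"

if __name__ == "__main__":
    trusted = {"Gi0/24"}                         # uplink to the router (assumed name)
    print(snoop("Gi0/24", build(2, "192.168.110.1"), trusted))
    print(snoop("Gi0/7", build(2, "192.168.0.1"), trusted))
```

Client messages such as DISCOVER (type 1) are forwarded from any port; only server-originated types arriving on an untrusted port are dropped and reported.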
GTAC-Micca replied at 2025-4-28 09:47

Hi Micca,

I’d like to confirm that DHCP Snooping is already enabled across all switches (please refer to the attached screenshot for reference). This has been effective in preventing rogue DHCP server issues.

However, I’d like to take this a step further—is there a way to block non-Ruijie/Reyee devices (as seen in the screenshot) using MAC address filtering? For example:

- Whitelist only Ruijie/Reyee MAC addresses on the network.
- Block unauthorized MACs (particularly personal routers/APs).

Could you recommend the best approach to implement this? Potential solutions I’m considering include:

1. Port Security – Restrict switch ports to specific allowed MAC addresses.
2. MAC-Based ACLs – Deny traffic from non-approved vendors.
3. DHCP Snooping + DAI (Dynamic ARP Inspection) – Add an extra layer of protection against spoofing.

If there are any recommended CLI commands, configuration guides, or best practices for achieving this on Ruijie switches, I’d greatly appreciate the assistance! I’m happy to test this in our lab environment before deployment.

Thank you in advance for your expertise and support!

Best regards,

Jon