Hi folks! So I’m sure you’ve all run into the issue of having a rogue DHCP server on your network. This can happen just as easily by accident or as a determined attack. How do you avoid this? Well on Cisco switches, you can use something called DHCP Snooping!
DHCP Snooping lets the switch classify each interface as trusted or untrusted. Trusted interfaces pass DHCP traffic normally, while untrusted interfaces drop any DHCP server messages (offers and acknowledgements) that arrive on them. This lets us mark the ports we know lead to a legitimate DHCP server as trusted; every other port, no matter what is plugged into it, stays untrusted.
Ideally you would configure all the access ports on your access layer switches as untrusted, leaving only the uplink toward your legitimate DHCP server trusted. That way, if anyone plugs in a home router or anything else with a built-in DHCP server, it won’t be able to hand out addresses and compromise your network.
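As an added example (not from the original post), here is what that looks like on a Cisco IOS access switch; VLAN 10 and the interface numbers are assumptions, and the uplink is taken to be the only path to the real DHCP server:

```cisco
! Added example, not from the original post. VLAN 10 and the interface
! numbers are assumptions; adjust them to your own topology.
!
! Turn snooping on globally and for the VLAN(s) your clients live in.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Cisco switches insert DHCP option 82 by default. Unless your upstream
! relay is configured to accept it, leave it off so clients behind this
! switch still get leases.
no ip dhcp snooping information option
!
! The uplink toward the legitimate DHCP server is the ONLY trusted port.
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! Access ports are untrusted by default, so nothing extra is needed to
! drop rogue OFFER/ACK messages. Rate-limiting DISCOVERs also stops a
! host from flooding the server; exceeding the limit err-disables the port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Let a port that tripped the rate limit recover on its own.
errdisable recovery cause dhcp-rate-limit
!
! Verify which ports are trusted and watch the learned client bindings.
show ip dhcp snooping
show ip dhcp snooping binding
```

If `show ip dhcp snooping` lists your uplink as untrusted, clients will stop receiving leases as soon as snooping is enabled, so check that output before walking away from the console.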
Also, Cisco switches aren’t the only switches that support DHCP snooping; many other switch brands support it as well. When you are considering buying a new switch, make sure it has this feature. It’s great for security!
You can read more about configuring it here.