The musings of an IT Consultant

Aug 31 2009   4:28PM GMT

DHCP security on Cisco switches

Raj Perumal

Hi folks! So I’m sure you’ve all run into the issue of having a rogue DHCP server on your network. This can happen just as easily by accident or as a determined attack.  How do you avoid this? Well on Cisco switches, you can use something called DHCP Snooping!

DHCP Snooping lets the switch classify each interface as trusted or untrusted. Trusted interfaces are allowed to forward DHCP server replies; replies that arrive on untrusted interfaces are dropped. This lets us mark the ports that we know have a DHCP server behind them as trusted, while every other port is untrusted regardless of what is plugged into it.

Ideally you would configure all the ports on your access layer switches as untrusted. That way, if anyone plugs in a router or some other device with a built-in DHCP server, it won't compromise your network.
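Here is an added configuration example (not from the original post) showing the steps above on a Cisco IOS access switch: enable snooping globally, enable it on the access VLANs, trust only the port that leads toward the real DHCP server, and leave every user port untrusted. The VLAN numbers, interface names and rate limit are assumptions for illustration; adjust them to your own topology.

```cisco
! Added example (not from the original post): DHCP snooping on a Cisco IOS
! access switch. VLAN numbers, interface names and the rate limit are
! assumptions for illustration; adjust them to your own topology.

configure terminal

! 1. Enable the feature globally, then on the access VLANs it should protect.
ip dhcp snooping
ip dhcp snooping vlan 10,20

! 2. IOS inserts DHCP option 82 on untrusted ports by default; many DHCP
!    servers and relays discard such packets, so disable insertion unless
!    your DHCP server is configured to accept option 82.
no ip dhcp snooping information option

! 3. Trust only the ports that lead toward a legitimate DHCP server:
!    the port the server itself is on, or the uplink to the distribution
!    layer that relays to it. Server replies arriving on any other port
!    are dropped.
interface GigabitEthernet1/0/48
 description Uplink to distribution (path to the DHCP server)
 ip dhcp snooping trust

! 4. Every other port stays untrusted (the default once snooping is enabled).
!    Rate-limit client DHCP messages so a misbehaving host cannot flood
!    the switch; the port is err-disabled if the limit is exceeded.
interface range GigabitEthernet1/0/1 - 47
 description User access ports (untrusted)
 ip dhcp snooping limit rate 15

end

! 5. Verify: the trusted port should show "yes" under Trusted, and
!    legitimate client leases should appear in the binding table.
show ip dhcp snooping
show ip dhcp snooping binding
```

Two things to check after applying this: if the DHCP server is reached through an uplink rather than a directly connected port, that uplink must be trusted or clients will simply stop receiving leases, which is the most common first symptom of a snooping rollout. And the switch logs a message when it drops a DHCP reply on an untrusted port, so those log lines are a cheap way to spot an accidental or rogue DHCP server after the fact.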

Also, Cisco switches aren't the only ones that support DHCP snooping; many other switch vendors offer it too. When you are considering buying a new switch, make sure it has this feature. It's great for security!

You can read more about configuring it here.
