In network environments, especially those with non-technical users, a common problem is someone plugging in a consumer-grade router whose LAN side starts acting as an unauthorized DHCP server. This rogue server answers client requests with addresses from its own private range and names itself as the default gateway, so any client that accepts its offer instead of the one from your legitimate DHCP server loses connectivity to the rest of the network.
Most enterprise-grade managed switches (including the 3Com 4500 and HP Baseline PWR-Plus series) support a feature called DHCP Snooping. It treats every port as untrusted unless you explicitly mark it trusted, and then:
- Drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, while still forwarding client messages (DISCOVER, REQUEST) from those ports
- Builds and maintains a DHCP binding table (client MAC, leased IP, VLAN, port, lease time) from the leases the trusted server hands out; ARP inspection and IP source guard rely on this table
- Optionally rate-limits DHCP traffic from untrusted ports
Here's how to configure DHCP Snooping on compatible switches. The syntax below is the space-separated form used by newer HP/H3C Comware releases; older 3Com 4500 firmware uses the hyphenated form (dhcp-snooping), so confirm each command against the command reference for your exact release.
# Enable DHCP Snooping globally (every port is untrusted until marked otherwise)
system-view
dhcp snooping enable
# Configure the trusted port (where your legitimate DHCP server is connected).
# Any uplink to another switch or relay that carries DHCP replies must be trusted too.
interface GigabitEthernet 1/0/1
dhcp snooping trust
quit
# Optional: restrict snooping to specific VLANs (availability depends on the release)
vlan 10
dhcp snooping enable
quit
# Optional: rate-limit DHCP packets on an untrusted port (packets per second;
# per-interface on Comware 7, syntax varies on other releases)
interface GigabitEthernet 1/0/5
dhcp snooping rate-limit 100
quit
After implementation, verify that the trusted port list is what you intended and that bindings appear as clients renew:
display dhcp snooping trust
display dhcp snooping binding
Other methods that help contain rogue DHCP servers include:
- Port security (limiting MAC addresses per port, which also stops a router from bridging a whole household of devices onto one port)
- 802.1X authentication
- Private VLANs to isolate ports
- DHCP server authorization in Active Directory for Windows Server environments (note that this only stops unauthorized Windows DHCP services from starting; a consumer router ignores it, so it complements DHCP Snooping rather than replacing it)
To maintain a secure DHCP environment:
- Document all legitimate DHCP servers and the switch ports and uplinks they sit behind
- Enable logging for DHCP events so dropped server packets on untrusted ports are reported
- Regularly audit DHCP leases against the switch binding table
- Combine DHCP Snooping with dynamic ARP inspection, which validates ARP replies against the snooping binding table, for comprehensive protection
If clients stop getting IP addresses after implementation:
- Verify the trusted port configuration matches your DHCP server's location, and that uplinks towards other switches or a DHCP relay are trusted as well; an untrusted uplink silently drops every OFFER and ACK coming from the far side
- Check for error messages in the switch logs
- Test with a known good client to isolate the issue
- Consider temporarily disabling rate limiting if enabled
In enterprise networks, rogue DHCP servers can wreak havoc when users unknowingly connect consumer-grade routers or misconfigured devices. The result is IP address conflicts, incorrect gateway assignments, and clients stranded on a subnet that cannot reach the rest of the network. The 3Com 4500 and HP Baseline PWR-Plus switches address this with DHCP snooping.
DHCP snooping acts as a one-way filter between untrusted hosts and DHCP servers: client messages are allowed in from any port, but server replies are only accepted from ports you have marked as trusted:
# Conceptual DHCP packet flow
[Client on untrusted port] --DISCOVER/REQUEST--> [Switch] --> [Trusted port] --> [DHCP server]   (forwarded)
[Rogue server on untrusted port] --OFFER/ACK--> [Switch] ---X                                    (dropped, logged)
[DHCP server on trusted port] --OFFER/ACK--> [Switch] --> [Client]                               (forwarded, binding recorded)
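To make the forwarding decision and the binding table concrete, here is an added Python model of a snooping switch, written for this page rather than taken from any switch vendor's code. It parses the raw BOOTP/DHCP payload, drops server-side messages (BOOTREPLY op, or OFFER/ACK/NAK type) that enter on an untrusted port, and records a binding entry when a legitimate ACK arrives. The port numbers, MAC address, transaction ID and IP addresses are constructed for the demo, and the model deliberately omits option 82, rate limiting and the MAC-versus-chaddr check that real switches also perform.

```python
"""Added example: a model of a DHCP-snooping switch run over constructed DHCP packets.
Not a vendor's code; all ports, MACs and addresses below are made up for the demo."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2                      # BOOTP op field
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6  # DHCP message types (option 53)
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK", NAK: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", server_id=None, lease=None):
    """Build a minimal BOOTP/DHCP payload (UDP payload only; no Ethernet/IP/UDP headers)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    if server_id is not None:
        options += bytes([54, 4]) + IPv4Address(server_id).packed   # server identifier
    if lease is not None:
        options += bytes([51, 4]) + struct.pack("!I", lease)        # lease time
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(payload):
    """Decode the fixed 236-byte BOOTP header and the TLV option list into a dict."""
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack_from(
        "!BBBBIHH4s4s4s4s16s", payload, 0)
    off = 236
    if payload[off:off + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    off += 4
    options = {}
    while off < len(payload):
        code = payload[off]
        if code == 255:          # end option
            break
        if code == 0:            # pad option
            off += 1
            continue
        length = payload[off + 1]
        options[code] = payload[off + 2:off + 2 + length]
        off += 2 + length
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    return {"op": op, "xid": xid, "mac": mac,
            "yiaddr": str(IPv4Address(yiaddr)), "options": options}


class DhcpSnoopingSwitch:
    """Forward/drop logic of DHCP snooping plus the binding table it maintains."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}   # client MAC -> untrusted port it was last seen on
        self.bindings = {}      # client MAC -> (leased IP, client port, lease seconds)
        self.alerts = []

    def process(self, port, payload):
        msg = parse_dhcp(payload)
        msg_type = msg["options"][53][0]
        is_server_msg = msg["op"] == BOOTREPLY or msg_type in (OFFER, ACK, NAK)
        if is_server_msg and port not in self.trusted:
            # A server reply entering on an untrusted port: this is the rogue-router case.
            sid = msg["options"].get(54)
            who = str(IPv4Address(sid)) if sid else "unknown server"
            self.alerts.append(
                f"dropped {NAMES.get(msg_type, msg_type)} from {who} on untrusted port {port}")
            return "drop"
        if not is_server_msg and port not in self.trusted:
            # Remember which untrusted port the client sits on; the binding entry needs it.
            self.client_port[msg["mac"]] = port
        if msg_type == ACK and msg["mac"] in self.client_port:
            # Only ACKs that passed the trust check reach here, so the lease is legitimate.
            lease = struct.unpack("!I", msg["options"][51])[0]
            self.bindings[msg["mac"]] = (msg["yiaddr"], self.client_port[msg["mac"]], lease)
        return "forward"


def run_demo():
    """Replay a legitimate DORA exchange plus one rogue OFFER through the model."""
    sw = DhcpSnoopingSwitch(trusted_ports={1})       # port 1 faces the real DHCP server
    client = bytes.fromhex("aabbccddee01")            # constructed client MAC
    xid = 0x1234ABCD
    traffic = [  # (ingress port, packet): constructed sample traffic
        (5, build_dhcp(BOOTREQUEST, xid, client, DISCOVER)),
        (7, build_dhcp(BOOTREPLY, xid, client, OFFER, "192.168.0.100",
                       server_id="192.168.0.1")),   # consumer router on port 7
        (1, build_dhcp(BOOTREPLY, xid, client, OFFER, "10.0.0.50", server_id="10.0.0.2")),
        (5, build_dhcp(BOOTREQUEST, xid, client, REQUEST, server_id="10.0.0.2")),
        (1, build_dhcp(BOOTREPLY, xid, client, ACK, "10.0.0.50",
                       server_id="10.0.0.2", lease=3600)),
    ]
    decisions = [sw.process(port, pkt) for port, pkt in traffic]
    return decisions, sw.bindings, sw.alerts


if __name__ == "__main__":
    d, b, a = run_demo()
    print("decisions:", d)
    print("bindings:", b)
    print("alerts:", a)
```

The rogue OFFER on port 7 is the only packet dropped; the legitimate exchange on ports 1 and 5 goes through untouched and leaves a binding of the client MAC to 10.0.0.50 on port 5, which is exactly the entry a later `display dhcp snooping binding` would show and that dynamic ARP inspection would consult.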
Here's the CLI implementation for the 3Com 4500 (hyphenated command form used by its Comware-based firmware; verify against your release's command reference):
# Enable DHCP snooping globally; every port becomes untrusted
system-view
dhcp-snooping
# Designate the port where the legitimate DHCP server connects as trusted
interface GigabitEthernet 1/0/1
dhcp-snooping trust
quit
# Repeat dhcp-snooping trust on any uplink that carries DHCP replies from another switch or relay.
# No per-VLAN step is needed on this release: all other ports stay untrusted by default.
For HP ProCurve (ProVision) switches the syntax differs; note that the HP Baseline series is 3Com-derived and does not run ProCurve software, so use the block above for those and the one below only for ProCurve models:
# Enable DHCP snooping globally and on the client VLAN
configure
dhcp-snooping
dhcp-snooping vlan 10
# Mark the authorized server port as trusted
dhcp-snooping trust 1
# (Rate limiting is release-specific on ProCurve; check the command reference before adding it.)
Post-configuration checks are critical:
# 3Com verification (bindings and trusted ports)
display dhcp-snooping
display dhcp-snooping trust
# HP ProCurve verification
show dhcp-snooping
show dhcp-snooping binding
Combine with other security features:
- Dynamic ARP inspection (validates ARP replies against the snooping binding table to prevent ARP poisoning)
- Port security (MAC address limiting)
- 802.1X authentication
Common issues and solutions:

Symptom | Solution
---|---
Clients not getting IPs | Verify trusted port configuration, including uplinks that carry DHCP replies
Switch CPU spikes | Adjust DHCP rate limiting
Partial network access | Check VLAN assignments