
Prevent Rogue DHCP Servers

Have you ever had a user or someone in your own IT department plug a switch/router into an available port on the wall? Then the helpdesk phone starts blowing up because users can’t connect to the internet or other resources.

Rogue DHCP servers are a headache. They are also a security risk: a device handing out leases can just as easily hand clients a bogus default gateway or DNS server and redirect their traffic.

The best way to block rogue DHCP servers is at the network switch. This can be done with a feature called DHCP snooping or with 802.1x port-based network access control.

DHCP Snooping

DHCP snooping is a layer 2 switch feature that blocks unauthorized (rogue) DHCP servers from dishing out IP addresses to devices.

DHCP snooping works by categorizing switchports as either trusted or untrusted. A trusted port forwards DHCP server messages (OFFER, ACK); an untrusted port drops them while still passing normal client requests.

You want your end-user devices (computers, printers, phones) on untrusted ports so that a rogue DHCP server plugged into one of them cannot hand out addresses; only the uplink toward your real DHCP server is trusted.
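As an added example (not from the original article), this is what the trusted/untrusted setup described above looks like on a Cisco IOS access switch. The VLAN numbers, the interface names and the choice of Gi1/0/48 as the uplink are assumptions for illustration:

```cisco
! Added example: DHCP snooping on a Cisco IOS access switch.
! Assumed for illustration: user VLANs 10 and 20, uplink on Gi1/0/48,
! user access ports Gi1/0/1 through Gi1/0/47.
configure terminal

! Enable snooping globally and on every VLAN that carries client traffic.
ip dhcp snooping
ip dhcp snooping vlan 10,20

! Only the uplink toward the authorized DHCP server is trusted.
! Server messages (OFFER/ACK) arriving on any other port are dropped.
interface GigabitEthernet1/0/48
 description Uplink to distribution (path to the authorized DHCP server)
 ip dhcp snooping trust
exit

! Access ports stay untrusted (the default). The rate limit also catches a
! port that floods DHCP requests and puts it into error-disabled state.
interface range GigabitEthernet1/0/1 - 47
 description User access ports
 switchport mode access
 ip dhcp snooping limit rate 15
exit

! Let a rate-limited port recover automatically after the recovery timer.
errdisable recovery cause dhcp-rate-limit
end

! Verify: per-VLAN state, which ports are trusted, and the learned
! IP-to-MAC binding table built from observed leases.
show ip dhcp snooping
show ip dhcp snooping binding
```

Clients on untrusted ports keep working because DISCOVER and REQUEST messages are still forwarded; only server replies are filtered. If the DHCP server sits behind another switch, the trunk on each switch in the path needs `ip dhcp snooping trust` as well, otherwise legitimate offers are dropped on their way down.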

802.1x port-based network access

802.1x is an IEEE standard for port-based network access control. It requires a device to authenticate before the switch gives it network access.

It’s not only good against rogue DHCP servers; it controls which devices get onto the network at all.

802.1x is typically configured at the switch level and requires a client (supplicant) on the end device and an authentication server, usually RADIUS.
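As an added example (not from the original article), here is a minimal 802.1x authenticator configuration on a Cisco IOS access switch pointing at a RADIUS server. The server name ISE-PRIMARY, the address 192.0.2.10, the shared-secret placeholder, VLAN 10 and the interface range are assumptions; the supplicant side (for example the built-in 802.1x client in Windows or macOS) is configured separately:

```cisco
! Added example: 802.1x port-based access control on a Cisco IOS switch.
! Assumed for illustration: RADIUS server at 192.0.2.10, access VLAN 10,
! user ports Gi1/0/1 through Gi1/0/47.
configure terminal

! AAA with RADIUS as the authentication and authorization source.
aaa new-model
radius server ISE-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
exit
aaa authentication dot1x default group radius
aaa authorization network default group radius

! Turn on 802.1x globally; without this the per-port commands do nothing.
dot1x system-auth-control

! Every user-facing port acts as authenticator: no traffic except EAPOL is
! forwarded until the RADIUS server accepts the device.
interface range GigabitEthernet1/0/1 - 47
 description User access ports (802.1x required)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
exit
end

! Verify: global/port 802.1x state and who is currently authenticated.
show dot1x all
show authentication sessions
```

A device that cannot authenticate never reaches the forwarding state, so an unmanaged switch or router plugged into one of these ports cannot serve DHCP to anyone. Combine this with DHCP snooping rather than replacing it: 802.1x decides whether a port opens, snooping decides what a port is allowed to send once it is open.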