Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to prevent bogus dhcp server from attacking nomal dhcp clients?


How to prevent bogus dhcp server in a same vlan with clients needing dhcp service from legal dhcp server connecting to Catlyst 4506

Without disconnecting Ehternet Line physically.

Please refer to attachment.


Re: How to prevent bogus dhcp server from attacking nomal dhcp c

This will be quite hard to realize when you have a direct layer2 connection between the devices on the segment. Normally, this should not be a problem as the machine is within your administrative domain so you should also be able to contact it's administrator about this.

One solution (the most preferrable one) will be to put the bogus-machine in a different vlan.



New Member

Re: How to prevent bogus dhcp server from attacking nomal dhcp c

If your clients are Windows 2000/XP, and your DHCP server is Windows 2000/2003 Server, you can try to use DHCP ClassID feature. It provides some kind of "DHCP security" in your environment. I personally never tried it in real life, but I remember it from the MCSE materials.

Other of that there is no way to stop bogus DHCP server from issuing IP addresses. As matter of fact, your PCs will get most of their addresses from bogus DHCP server, since it's "closer" to them and will respond quicker.

If you want to be aware if someone brings DHCP server into your network, you can set up a sniffer in your network, and monitor for "out-of-range" IP addresses. Also you can turn on debugging on your router for "arp requests" and see if someone requests any ARP addresses out or your normal range.

Good luck,



Cisco IP Phone Headset Adapters

New Member

Re: How to prevent bogus dhcp server from attacking nomal dhcp c


its posible to defend against this attack with dhcp snooping. but it is only available on a catalyst switch. i see from your figure that the bogusdhcpserver is connected to a hub. but here is the description of dhcp snooping and its commands..

btw you can still configure snooping on the 3550 port(connected to the hub) as "untrusted" to isolate the dhcp attack.

DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages while untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP Option 82, where switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

Untrusted ports are those not explicitly configured as trusted. A DHCP Binding Table is built for untrusted ports. Each entry contains client MAC address, IP address, lease time, binding type, VLAN number and Port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP Snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOffer, DHCPAck, or DHCPNak.


Switch(config)#ip dhcp snooping

-enables DHCP snooping globally

Switch(config-if)#ip dhcp snooping trust

-configures an interface as trusted



New Member

Re: How to prevent bogus dhcp server from attacking nomal dhcp c


I will configure dhcp snooping on Catlyst 3550 if necessary,because that is the environment of my customer's,Thanks a lot.


MinQuant Kuo

CreatePlease login to create content