DHCP-Snooping Configuration with Aruba Switch Series 2930, 2530. Skip to main content

DHCP-Snooping Configuration with Aruba Switch Series 2930, 2530.

 

DHCP-Snooping Configuration with Aruba Switch Series 2930, 2530.

DHCP Snooping is a Layer 2 security switch feature which blocks unauthorized (rogue) DHCP servers from distributing IP addresses to DHCP clients also call option 82 of this service.

This lab configuration with Aruba Switch Series 8320, 2930.

We need trusted DHCP server IP address to configure DHCP-snooping on your network.

 

DHCP Starvation attack is a common network attack that targets network DHCP servers. Its primary objective is to flood the organization’s DHCP server with DHCP REQUEST messages using spoofed source MAC addresses. The DHCP server will respond to all requests, not knowing this is a DHCP Starvation attack, and assign available IP addresses until its DHCP pool is depleted.

At this point the attacker has rendered the organization’s DHCP server useless and can now enable his own rogue DHCP server to serve network clients. DHCP Starvation is often accompanied by a Man-in-the-Middle attack as the rogue DHCP server distributes fake IP address parameters, including Gateway & DNS IP address, so that all client traffic passes through the attacker for inspection.

Typical Man-in-the-Middle attack. Client data streams flow through the attacker

Using packet capture and protocol analysis tools the attacker is able to fully reconstruct any data stream captured and export files from it. In fact the process so simple it only requires a basic level of understanding of these type of network tools.

In other cases the Man-in-the-Middle attack can be used as a reconnaissance attack with the objective to obtain information about the network infrastructure, services but also identify hosts of high interest such as financial or database servers.

It should be by now evident how a simple attack can become a major security threat for any organization. The above attacks are examples on how easy hackers can infiltrate the network and get access to valuable information by simply connecting an unauthorized/untrusted device to an available network port effectively bypassing firewalls and other levels of security.


ROGUE DHCP SERVERS – A MAJOR SECURITY THREAT & SOURCE OF NETWORK DISRUPTIONS

Rogue DHCP servers are a common problem within enterprise organizations and are not always directly related with an attack. Rogue DHCP Servers tend to appear out of nowhere thanks to users who connect consumer-grade network devices to the network infrastructure unaware that they have connected an unauthorized device with a rogue DHCP server enabled.

The Rogue DHCP server then begins assigning IP addresses to hosts within the network therefore causing network connectivity problems and in many cases – major service disruptions. In a best case scenario DHCP clients are served with an invalid IP address disconnecting them from the rest of the network. Worst case scenario would be the clients been assigned an IP address used by network infrastructure devices e.g the VLAN interface on the Core switch or a firewall interface, causing serious network disruptions and conflicts.

A rogue DHCP server in action, taking control of DHCP services

While many organizations enforce security policies that do not allow 3rd party or unauthorized devices to be connected to their network, there are still incidents where users who do not understand (or care about) the security implications continue to connect these devices to the network infrastructure without consulting their IT Department.

Educating users and enforcing security policies can be extremely challenging which is why security mechanisms need to be in place to help mitigate these incidents and is where DHCP Snooping comes into the picture.

DHCP SNOOPING SUPPORT FOR Aruba 2930M, 2930F, 2530M, 2530F etc.

DHCP Snooping is available for above switch series like 2930M, 2930F, 2530M, 2530F.

DHCP Snooping is considered a standard security feature and does not require any additional licensing for the older switch series and new IOS operating systems, therefore the feature is available and readily configurable on all switches.

Examples of  Aruba switch series like 2930M, 2930F, 2530M, 2530F

DHCP Snooping can be enabled globally and on a per-VLAN basis. This means you can enable it for all VLANs (globally) or only for specific including VLAN ranges e.g VLANs 1-20 & VLANs 45-50.

HOW DHCP SNOOPING WORKS – DHCP SNOOPING CONCEPTS – TRUSTED, UNTRUSTED PORTS/INTERFACES

DHCP Snooping is a Layer 2 security switch feature which blocks unauthorized (rogue) DHCP servers from distributing IP addresses to DHCP clients. In fact Cisco was the first vendor to implement DHCP Snooping as a security feature in its network switches and other vendors have since then followed with similar features.

Note-It is important to note that DHCP snooping is an access layer protection service. It does not belong in the core network.

The way DHCP Snooping works is fairly straight forward. DHCP Snooping categorizes all switch ports into two simple categories:

·         Trusted Ports

·         Untrusted Ports

Trusted Port, also known as a Trusted Source or Trusted Interface, is a port or source whose DHCP server messages are trusted because it is under the organization’s administrative control. For example, the port to which your organization’s DHCP server connects to consider a Trusted Port. This is also shown in the diagram below:

 


DHCP Snooping Concepts: Trusted and Untrusted Ports

An Untrusted Port, also known as an Untrusted Source or Untrusted Interface, is a port from which DHCP server messages are not trusted. An example on an untrusted port is one where hosts or PCs connect to from which DHCP OFFER, DHCP ACK or DHCPNAK messages should never be seen as these are sent only by DHCP Servers.

How to configure DHCP-Snooping in Aruba Switch?

Answer- We have to configure DHCP-snooping to avoid unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

Kindly find the below configuration: -

Step1: Aruba-tech-(config)#dhcp-snooping authorized-server 10.20.62.11 # for Trusted DHCP Server.

Step2: Aruba-tech-(config)#dhcp-snooping trust (trunk port)         #Uplink port will be trust port other will be untrust.

Step3: Aruba-tech-(config)#dhcp-snooping vlan _____         #All vlan should be call in this cmd.

Step4: Aruba-tech-(config)#dhcp-snooping                #for enable DHCP-Snooping.

 

 

Comments

Post a Comment

Popular posts from this blog

Aruba Switch 2930 Series NTP (Network Time Protocol) Configuration

Aruba Switch NTP (Network Time Protocol) Configuration NTP (Network Time Protocol) is time management protocol.   NTP (Network Time Protocol) for network time managing we use this in our organization because 100- 1000 devices are running in a network then it’s very difficult to manage time on all devices that’s why we use this mechanism. It uses port no 123 for transport and use UDP services for polling time from server to the devices. NTP uses operate different modes. Supports four different modes. 1-Client 2-Server 3-Peer 4-Broadcast/multicast. NTP (Network Time Protocol) operating modes define the NTP communication between NTP devices. NTP communication between two different devices includes NTP Time requests and NTP control queries. NTP Time request communication is the request from an NTP client for time synchronization from an NTP server. NTP Control queries are the communication messages for configuration information. Following are the importan...
Post a Comment
Read more

How to Prepare for CCNA 200‑301 Exam Step by Step 2026

How to Prepare for CCNA 200‑301 Exam Step by Step Preparation is key to success. Here’s a step-by-step approach to how to prepare for the CCNA 200‑301 exam step by step : Understand the Exam Topics: Familiarize yourself with networking fundamentals, IP addressing, routing, switching, and security concepts. Cisco provides a detailed exam outline. Use a Structured Study Plan: Divide your study time into manageable chunks focusing on one topic at a time. Practice with Labs: Set up virtual labs using Packet Tracer or GNS3 to apply concepts practically. Hands-on experience is critical. Take Practice Tests: Regularly test yourself to identify weak areas and track your progress. CCNA Beginner Guide for Network Fundamentals 2026 Starting your  CCNA journey  can feel overwhelming, but with the right approach, you can master the basics and prepare for the exam confidently. This  CCNA beginner guide for network fundamentals  will help you understand the essential concepts, set ...
Post a Comment
Read more