How do I defend against bogus DHCP servers at the user side

If a bogus DHCP server is deployed on a customer network, STAs may obtain invalid IP addresses from the bogus DHCP server but not from the AC or authorized DHCP server.

To defend against bogus DHCP servers, disable the DHCP trusted port on an AP in service set view (V200R005 and earlier versions) or VAP profile view (V200R006 and later versions). A DHCP server sends three types of DHCP packets: Offer, ACK, and NACK. When the AP receives any of these DHCP packets from a user-side interface, it considers the packet sender as a bogus DHCP server. The AP then discards the packets and reports the event to the AC over the CAPWAP tunnel.

Scroll to top