Overview

163

23

DHCP Filtering

This section describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature.

Overview

DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted 
message is a message that is received from outside the network or firewall, and that can cause 
traffic attacks within network.

You can use DHCP Filtering as a security measure against unauthorized DHCP servers. A 
known attack can occur when an unauthorized DHCP server responds to a client that is 
requesting an IP address. The unauthorized server can configure the gateway for the client to 
be equal to the IP address of the server. At that point, the client sends all of its IP traffic 
destined to other networks to the unauthorized machine, giving the attacker the possibility of 
filtering traffic for passwords or employing a ‘man-in-the-middle’ attack. 

DHCP filtering works by allowing the administrator to configure each port as a trusted or 
untrusted port. The port that has the authorized DHCP server should be configured as a trusted 
port. Any DHCP responses received on a trusted port will be forwarded. All other ports should 
be configured as untrusted. Any DHCP (or BootP) responses received on the ingress side will 
be discarded.

Limitations

•

Port Channels (LAGs) — If an interface becomes a member of a LAG, DHCP filtering is 
no longer operationally enabled on the interface. Instead, the interface follows the config-
uration of the LAG port. End user configuration for the interface remains unchanged. 
When an interface is no longer a member of a LAG, the current end user configuration for 
that interface automatically becomes effective.

•

Mirroring — If an interface becomes a probe port, DHCP filtering can no longer become 
operationally enabled on the interface. End user configuration for the interface remains 
unchanged. When an interface no longer acts as a probe port, the current end user configu-
ration for that interface automatically becomes effective.