How to protect Nebula switches against rogue DHCP servers?

Zyxel_Adam Posts: 430  Zyxel Employee
edited May 28 in Network Security

To enhance the security of your network switches, Zyxel offers two protection features on Nebula: DHCP Server Guard and IP Source Guard. These features protect your switches against untrusted DHCP servers, ensuring a safer and more reliable network environment. This guide walks you through the steps to enable DHCP Server Guard or IP Source Guard on your Zyxel switches.

Topology and Scenario:


The DHCP Server Guard and IP Source Guard features are applicable to various network scenarios where network switches are deployed. Whether it's a small office, a campus network, or an enterprise environment, these features provide an added layer of protection against potential security threats. By enabling DHCP Server Guard or IP Source Guard, you can mitigate the risks associated with unauthorized DHCP servers and prevent IP address spoofing attacks.

Steps:
To enable DHCP Server Guard or IP Source Guard on your Zyxel switches, follow these steps:

  • Log in to the Nebula Control Center.
  • Once logged in, navigate to Configure > Switches > Switch settings.

[DHCP Server Guard]

  • Scroll down to the DHCP Server Guard setting and enable it.
  • Click the Save button to apply the configuration.

[IP Source Guard] (Pro Pack license required)

Nebula IP Source Guard consists of the following two features, which are enabled together when IP Source Guard is enabled:

  1. DHCP snooping. Use this to filter unauthorized DHCP server packets on the network and to build a binding table dynamically.
  2. ARP inspection. Use this to filter unauthorized ARP packets on the network.

  • Scroll down to the IP Source Guard setting and enable it. Keep the port connected to the trusted DHCP server out of 'Protected ports', and add the untrusted ports and the remaining ports to 'Protected ports'. (This example adds only the untrusted ports to Protected ports.)

Please note:

If your DHCP-enabled device was already connected to the switch before IP Source Guard was enabled, please make sure to renew the device’s DHCP lease so that the switch can correctly build the DHCP-snooping entry.

  • Click the Save button to apply the configuration.
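
The following is an added example, not Zyxel's code or part of the original guide: a simplified Python model of how DHCP snooping and ARP inspection work together on protected ports, including why a client that was connected before IP Source Guard was enabled needs to renew its lease. The class name, port numbers, MAC addresses and IP addresses are assumptions made for illustration.

```python
# Simplified model of DHCP snooping + ARP inspection on protected ports.
# Illustrative only; ports, MACs and IPs below are constructed sample values.
class SourceGuardSwitch:
    def __init__(self, protected_ports):
        self.protected = set(protected_ports)  # untrusted ports
        self.bindings = {}                     # (port, mac) -> ip, built by snooping

    def dhcp_server_packet(self, in_port, client_port, client_mac, ip, msg):
        """Handle a DHCP server message (OFFER/ACK) arriving on in_port."""
        if in_port in self.protected:
            return "drop"                      # server traffic from a protected port
        if msg == "ACK":                       # lease confirmed: record the binding
            self.bindings[(client_port, client_mac)] = ip
        return "forward"

    def arp_packet(self, in_port, sender_mac, sender_ip):
        """ARP inspection: sender MAC/IP must match a snooped binding."""
        if in_port not in self.protected:
            return "forward"
        ok = self.bindings.get((in_port, sender_mac)) == sender_ip
        return "forward" if ok else "drop"


def run_scenario():
    # Port 1 is the uplink to the trusted DHCP server; ports 2-4 are protected.
    sw = SourceGuardSwitch(protected_ports={2, 3, 4})
    pc, other = "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:03"
    r = {}
    # PC was plugged in before IP Source Guard was enabled: no binding yet.
    r["arp_before_renew"] = sw.arp_packet(2, pc, "192.168.1.33")
    # PC renews its lease; the ACK from trusted port 1 is snooped.
    r["trusted_ack"] = sw.dhcp_server_packet(1, 2, pc, "192.168.1.33", "ACK")
    r["arp_after_renew"] = sw.arp_packet(2, pc, "192.168.1.33")
    # Unauthorized DHCP server on protected port 3 answers a client on port 4.
    r["rogue_offer"] = sw.dhcp_server_packet(3, 4, other, "10.0.0.50", "OFFER")
    # Host on port 4 claims the PC's IP address in an ARP packet.
    r["spoofed_arp"] = sw.arp_packet(4, other, "192.168.1.33")
    return r


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:18} {verdict}")
```

In this model the only binding ever created is the one learned from the trusted port, so the rogue server's offer never produces an entry and the spoofed ARP has nothing to match against.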

Verification and Notes:

To verify that DHCP Server Guard or IP Source Guard is properly enabled and functioning on your switches, follow these steps:

  1. Connect an end device to one of the network ports on the switch.
  2. Check the device's network settings to ensure it receives a valid IP address from a trusted DHCP server.
  3. Attempt to connect a device acting as an unauthorized DHCP server to the network.
  4. Verify that the switch detects the unauthorized DHCP server and blocks its operation.
  5. Test network connectivity to ensure that only authorized IP sources are able to communicate.

Note: Enabling DHCP Server Guard or IP Source Guard may impact network connectivity if the necessary configurations are not properly set up. Ensure that you have correctly configured the trusted DHCP servers or authorized IP sources to avoid any disruption in network services.

By following these steps and enabling DHCP Server Guard or IP Source Guard on your Zyxel Nebula switches, you can enhance the security of your network and protect against potential threats.

Adam