How to protect Nebula switches against rogue DHCP servers?

Zyxel_Adam (Zyxel Employee)
edited June 2023 in Network Security

To enhance the security of your network switches, Zyxel offers two features on Nebula for protecting a network: DHCP Server Guard and IP Source Guard. These features protect your switches against untrusted DHCP servers, ensuring a safer and more reliable network environment. This guide walks you through the steps to enable DHCP Server Guard or IP Source Guard on your Zyxel switches.

Topology and Scenario:


The DHCP Server Guard and IP Source Guard features are applicable to various network scenarios where network switches are deployed. Whether it's a small office, a campus network, or an enterprise environment, these features provide an added layer of protection against potential security threats. By enabling DHCP Server Guard or IP Source Guard, you can mitigate the risks associated with unauthorized DHCP servers and prevent IP address spoofing attacks.

Steps:
To enable DHCP Server Guard or IP Source Guard on your Zyxel switches, follow these steps:

  • Access the Nebula Control Center.
  • Once logged in, navigate to Configure > Switches > Switch settings.

[DHCP Server Guard]

  • Scroll down to the DHCP Server Guard setting and enable it.
  • Save the changes to apply the configuration by clicking the Save button.

[IP Source Guard - DHCP Snooping] (Pro Pack license required)

  • Scroll down to the IP Source Guard setting and enable it. Keep the trusted DHCP server's port out of 'Protected ports', and add the untrusted ports and the remaining ports to it. (This example adds only the untrusted ports to Protected ports.)
  • Save the changes to apply the configuration by clicking the Save button.

Verification and Notes:

To verify that DHCP Server Guard or IP Source Guard is properly enabled and functioning on your switches, follow these steps:

  1. Connect an end device to one of the network ports on the switch.
  2. Check the device's network settings to ensure it receives a valid IP address from a trusted DHCP server.
  3. Attempt to connect a device acting as an unauthorized DHCP server to the network.
  4. Verify that the switch detects the unauthorized DHCP server and blocks its operation.
  5. Test network connectivity to ensure that only authorized IP sources are able to communicate.

Note: Enabling DHCP Server Guard or IP Source Guard may impact network connectivity if the necessary configurations are not properly set up. Ensure that you have correctly configured the trusted DHCP servers or authorized IP sources to avoid any disruption in network services.

By following these steps and enabling DHCP Server Guard or IP Source Guard on your Zyxel Nebula switches, you can enhance the security of your network and protect against potential threats.

Adam
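
For verification step 4, one way to confirm from a client port that no unauthorized server replies get through is to inspect the DHCP messages seen there. The following is an added example, not Zyxel code and not part of the original post: it parses raw DHCP (UDP payload) messages and flags any OFFER/ACK/NAK whose server identifier (option 54) is not on an allowlist. The function names, the trusted address 192.0.2.1, and the sample packets built by `build_reply` are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only a server sends
TRUSTED_SERVERS = {"192.0.2.1"}  # assumption: the single authorized DHCP server


def parse_options(data):
    """Walk DHCP options (code, length, value) until the End option (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:  # End
            break
        if code == 0:  # Pad has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        opts[code] = data[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def check_reply(payload, trusted=TRUSTED_SERVERS):
    """Return None for client traffic or trusted replies, else a finding dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(payload[240:])
    msg_type = (opts.get(53) or b"\x00")[0]
    if payload[0] != 2 or msg_type not in SERVER_TYPES:
        return None  # BOOTREQUEST, or not a server message type
    sid = opts.get(54, b"")
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    if server in trusted:
        return None
    return {"type": SERVER_TYPES[msg_type], "server": server,
            "offered_ip": str(ipaddress.IPv4Address(payload[16:20]))}


def build_reply(msg_type, server_ip, offered_ip):
    """Construct a sample server reply for testing (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                         ipaddress.IPv4Address(offered_ip).packed, bytes(4), bytes(4),
                         bytes(16), bytes(64), bytes(128))
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return header + MAGIC_COOKIE + options
```

With DHCP Server Guard or IP Source Guard working as described, `check_reply` should return `None` for every message captured on a protected client port.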