How to protect Nebula switches against rogue DHCP servers?
Zyxel Employee
In order to enhance the security of your network switches, Zyxel offers two ways of protecting a network which are DHCP Server Guard and IP Source Guard features on Nebula. These features protect your switches against untrusted DHCP servers, ensuring a safer and more reliable network environment. This guide will walk you through the steps to enable DHCP Server Guard or IP Source Guard on your Zyxel switches.
Topology and Scenario:
The DHCP Server Guard and IP Source Guard features are applicable to various network scenarios where network switches are deployed. Whether it's a small office, a campus network, or an enterprise environment, these features provide an added layer of protection against potential security threats. By enabling DHCP Server Guard or IP Source Guard, you can mitigate the risks associated with unauthorized DHCP servers and prevent IP address spoofing attacks.
Steps:
To enable DHCP Server Guard or IP Source Guard on your Zyxel switches, follow these steps:
- Access to the Nebula Control Center.
- Once logged in, navigate to the Configure > Switches > Switch settings.
[DHCP Server Guard]
- Scroll down to the DHCP Server Guard setting and enable it.
- Save the changes to apply the configuration by clicking save button.
[IP Source Guard ] Pro Pack license required
Nebula IP Source Guard consists of the following two features, which are enabled together when IP Source Guard is enabled:
- DHCP snooping. Use this to filter unauthorized DHCP server packets on the network and to build a binding table dynamically.
- ARP inspection. Use this to filter unauthorized ARP packets on the network.
- Scroll down to the IP Source Guard setting and enable it, keep the trusted DHCP server out of 'Protected ports', and configure untrusted ports and the rest ports to it.
(This example only configured untrusted ports to Protected ports.)
Please note:
If your DHCP-enabled device was already connected to the switch before IP Source Guard was enabled, please make sure to renew the device’s DHCP lease so that the switch can correctly build the DHCP-snooping entry.
- Save the changes to apply the configuration by clicking save button.
Verification and Noted:
To verify that DHCP Server Guard or IP Source Guard is properly enabled and functioning on your switches, follow these steps:
- Connect an end device to one of the network ports on the switch.
- Check the device's network settings to ensure it receives a valid IP address from a trusted DHCP server.
- Attempt to connect a device acting as an unauthorized DHCP server to the network.
- Verify that the switch detects the unauthorized DHCP server and blocks its operation.
- Test network connectivity to ensure that only authorized IP sources are able to communicate.
Note: Enabling DHCP Server Guard or IP Source Guard may impact network connectivity if the necessary configurations are not properly set up. Ensure that you have correctly configured the trusted DHCP servers or authorized IP sources to avoid any disruption in network services.
By following these steps and enabling DHCP Server Guard or IP Source Guard on your Zyxel Nebula switches, you can enhance the security of your network and protect against potential threats.
Adam
Categories
- All Categories
- 435 Beta Program
- 2.7K Nebula
- 176 Nebula Ideas
- 118 Nebula Status and Incidents
- 6.1K Security
- 428 USG FLEX H Series
- 298 Security Ideas
- 1.6K Switch
- 79 Switch Ideas
- 1.2K Wireless
- 44 Wireless Ideas
- 6.7K Consumer Product
- 274 Service & License
- 422 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 89 Security Highlight