Wired Intelligent Edge (Campus Switching and Routing)

How to protect an Aruba Mobility Access Switch infrastructure from a rouge DHCP server ?

Aruba Employee
Aruba Employee

An attacker who attempts to place a rogue DHCP server on the network could potentially hand out incorrect DHCP information, including the default gateway and DNS for the clients to use, which could cause a man-in-the-middle attack and allow eavesdropping by the attacker.

This can be mitigated by configuring DHCP trust functionality on the Aruba Mobility access switch, The DHCP trust functionality only allows server responses from specifically trusted physical interfaces and port channel interfaces that lead to your authorized DHCP servers.

The DHCP trust functionality provides support to filter the IPv4 DHCP packets from the unauthorized devices. The following IPv4 DHCP messages are filtered on an interface configured not to trust DHCP.

DHCP offer messages
DHCP Ack messages


This article applies to all Mobility Access Switches running a minimum of AOS version


Environment: All the sample outputs in this article are from Aruba S2500 Mobility Access Switch running AOS version


DHCP trust can be enabled on a physical interfaces and port channel interfaces. By default, the DHCP Trust setting in a port-security-profile is to filter (block) these OFFER and ACK messages.


Note :-  You must explicitly enable DHCP Trust (trust dhcp) in the port-security profile (if applied to a port) to allow these DHCP messages from valid devices.

(host)(config)# interface-profile port-security-profile <profile-name>
(host) (Port security profile "<profile-name >")# trust dhcp

When no trust dhcp is configured the DHCP packets are dropped and a message is logged.

The following example shows how to enable the DHCP Trust functionality:

(ArubaS2500-24P)(config)# interface-profile port-security-profile ps1
(ArubaS2500-24P) (Port security profile "<ps1>")#trust dhcp

To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:

For Gigabitethernet:

(ArubaS2500-24P)(config) #interface gigabitethernet <slot/mod/port>
(host) (gigabitethernet "<slot/mod/port>") #port-security-profile <profile-name>

For Port-channel:

(host) (config) #interface port-channel <id>
(host) (port-channel "<id>") #port-security-profile <profile-name>

(ArubaS2500-24P) (config) #show interface-profile port-security-profile ps1

    Port security profile "ps1"
  Parameter                                        Value
  ---------                                        -----
IPV6 RA Guard Action                                N/A
IPV6 RA Guard Auto Recovery Time                    N/A
MAC Limit                                           N/A
MAC Limit Action                                    N/A
MAC Limit Auto Recovery Time                        N/A
Trust DHCP                                          Yes
Port Loop Protect                                   N/A
Port Loop Protect Auto Recovery Time                N/A
Sticky MAC                                          N/A
IP Source Guard                                     N/A
Dynamic Arp Inspection                              N/A


Version history
Revision #:
1 of 1
Last update:
‎07-11-2014 02:22 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: