How to protect an Aruba Mobility Access Switch infrastructure from a rogue DHCP server?
An attacker who attempts to place a rogue DHCP server on the network could potentially hand out incorrect DHCP information, including the default gateway and DNS for the clients to use, which could cause a man-in-the-middle attack and allow eavesdropping by the attacker.
This can be mitigated by configuring the DHCP trust functionality on the Aruba Mobility Access Switch. DHCP trust only allows server responses from specifically trusted physical interfaces and port-channel interfaces that lead to your authorized DHCP servers.
The DHCP trust functionality filters IPv4 DHCP packets from unauthorized devices. The following IPv4 DHCP messages are filtered on an interface that is not configured to trust DHCP:
DHCP offer messages
DHCP Ack messages
This article applies to all Mobility Access Switches running a minimum of AOS version 126.96.36.199.
Environment: All the sample outputs in this article are from Aruba S2500 Mobility Access Switch running AOS version 188.8.131.52.
DHCP trust can be enabled on physical interfaces and port-channel interfaces. By default, the DHCP Trust setting in a port-security-profile is to filter (block) these OFFER and ACK messages.
Note: You must explicitly enable DHCP Trust (trust dhcp) in the port-security profile applied to a port to allow these DHCP messages from valid devices.
(host)(config)# interface-profile port-security-profile <profile-name>
(host) (Port security profile "<profile-name>")# trust dhcp
When trust dhcp is not configured on the profile (no trust dhcp, the default), DHCP OFFER and ACK packets arriving on that interface are dropped and a message is logged.
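The following is an added example, not code from Aruba or from this article: it models the filter described above in Python by parsing the DHCP message type (option 53) out of a BOOTP/DHCP payload and dropping OFFER and ACK messages that arrive on an interface not in the trusted set. The interface names and the trusted set are assumed values, and the DHCP payloads are constructed inline rather than captured.

```python
import struct

DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK = 1, 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options after the 236-byte BOOTP header

def dhcp_message_type(payload: bytes):
    """Return the DHCP message type (option 53) from a BOOTP/DHCP payload, or None if absent."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(payload):
            break              # truncated option, stop parsing
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def filter_dhcp(payload: bytes, interface: str, trusted: set, log: list) -> bool:
    """Apply the DHCP trust rule: server replies (OFFER/ACK) pass only on trusted interfaces.
    Returns True if the packet is forwarded, False if it is dropped (and logged)."""
    mtype = dhcp_message_type(payload)
    if mtype in (DHCP_OFFER, DHCP_ACK) and interface not in trusted:
        log.append(f"dropped DHCP message type {mtype} on untrusted interface {interface}")
        return False
    return True

def build_dhcp(msg_type: int, op: int = 2) -> bytes:
    """Constructed sample payload: minimal BOOTP header (236 bytes), magic cookie, option 53, end."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232   # xid..file fields zeroed
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

# Assumed topology: only the uplink to the authorized DHCP server carries trust dhcp.
TRUSTED = {"gigabitethernet 0/0/1"}
```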
The following example shows how to enable the DHCP Trust functionality:
(ArubaS2500-24P)(config)# interface-profile port-security-profile ps1
(ArubaS2500-24P) (Port security profile "ps1")# trust dhcp
To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:
(ArubaS2500-24P)(config)# interface gigabitethernet <slot/mod/port>
(host) (gigabitethernet "<slot/mod/port>")# port-security-profile <profile-name>
(host) (config)# interface port-channel <id>
(host) (port-channel "<id>")# port-security-profile <profile-name>
(ArubaS2500-24P) (config)# show interface-profile port-security-profile ps1
Port security profile "ps1"
IPV6 RA Guard Action N/A
IPV6 RA Guard Auto Recovery Time N/A
MAC Limit N/A
MAC Limit Action N/A
MAC Limit Auto Recovery Time N/A
Trust DHCP Yes
Port Loop Protect N/A
Port Loop Protect Auto Recovery Time N/A
Sticky MAC N/A
IP Source Guard N/A
Dynamic Arp Inspection N/A