What instead of DHCP Snooping? An alternative in the form of ACL

When working with various network switches, we may also come across cheaper devices, the so-called “Smart Switches”, i.e. managed switches with far fewer capabilities than their fully managed counterparts. One problem we may encounter is the lack of DHCP Snooping, a function directly related to LAN security. DHCP Snooping allows you to protect your LAN from unwanted (rogue) DHCP servers, although this is not its only function. What if your switch doesn’t support this type of protection?
First, make sure that your switch supports ACL (Access Control List) configuration; if ACLs are supported, you can proceed. I encountered this problem when configuring the Cisco Business CBS250 Smart Switch. The switch supports ACLs, so all is not lost. The configuration we need looks like this:
Cisco Business e.g. CBS / SG series:
ip access-list extended DHCP-SRV-DROP
deny udp any 67 any any ace-priority 10
permit ip any any ace-priority 20
interface gi1/0/1
service-acl input DHCP-SRV-DROP default-action permit-any
The above configuration blocks all traffic arriving at the gi1/0/1 interface with UDP source port 67, i.e. replies from a DHCP server attached to that switch port. You must assign the ACL to every switch port that you want to protect from foreign DHCP servers. An end device such as a computer, phone or printer connected to such a port will still obtain an IP address normally, because the legitimate DHCP server is reached through a port (typically the uplink) that does not carry this ACL. For the same reason, do not apply the ACL to the port leading to your legitimate DHCP server, or its replies will be dropped as well.
And what would such a configuration look like for Cisco IOS?
Cisco IOS:
ip access-list extended DHCP-SRV-DROP
10 deny udp any eq 67 any
20 permit ip any any
interface GigabitEthernet1/1
ip access-group DHCP-SRV-DROP in
As you can see, the configuration is almost identical, with only minor differences in command syntax. However, the vast majority of Cisco IOS switches most likely support DHCP Snooping, and I recommend using that function first. For other switches the configuration will be equivalent; only the command syntax may differ, or the whole thing may have to be done from the GUI. It may also happen that your switch does not support ACLs at all, in which case there is nothing you can do about it.
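As an added example (not part of the original post), a small Python helper that emits the per-port configuration shown above for a whole list of access ports, in either the Cisco Business or the Cisco IOS syntax, and skips the uplink so the legitimate server's replies are not dropped. The port names and the uplink port used in it are constructed sample values.

```python
# Added example: generate the "drop DHCP server replies" port ACL from
# this post for many access ports at once. Port names and the uplink
# port below are constructed sample values, not taken from the post.

ACL_NAME = "DHCP-SRV-DROP"


def acl_definition(dialect: str) -> list[str]:
    """Return the ACL body. Only UDP with source port 67 (replies from a
    DHCP server) is denied; all other traffic is explicitly permitted."""
    if dialect == "cbs":  # Cisco Business CBS / SG series syntax
        return [
            f"ip access-list extended {ACL_NAME}",
            "deny udp any 67 any any ace-priority 10",
            "permit ip any any ace-priority 20",
        ]
    if dialect == "ios":  # Cisco IOS syntax
        return [
            f"ip access-list extended {ACL_NAME}",
            "10 deny udp any eq 67 any",
            "20 permit ip any any",
        ]
    raise ValueError(f"unknown dialect: {dialect}")


def port_binding(dialect: str, port: str) -> list[str]:
    """Bind the ACL inbound on a single access port."""
    if dialect == "cbs":
        return [f"interface {port}",
                f"service-acl input {ACL_NAME} default-action permit-any"]
    return [f"interface {port}", f"ip access-group {ACL_NAME} in"]


def build_config(dialect: str, ports, uplinks=()) -> list[str]:
    """Full configuration: the ACL once, then one binding per access port.
    Uplink ports (towards the legitimate DHCP server) are skipped, since a
    binding there would drop the real server's replies as well."""
    lines = acl_definition(dialect)
    for port in ports:
        if port in uplinks:
            continue
        lines.extend(port_binding(dialect, port))
    return lines


if __name__ == "__main__":
    # constructed sample: gi1/0/1-4 are access ports, gi1/0/24 is the uplink
    sample_ports = [f"gi1/0/{n}" for n in range(1, 5)] + ["gi1/0/24"]
    print("\n".join(build_config("cbs", sample_ports, uplinks={"gi1/0/24"})))
```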
