UniFi DHCP Guarding – How to block rogue DHCP servers on your network
DHCP guarding is an often overlooked layer of network security. It tells your switch to watch broadcast traffic for DHCP, and if the devices handing out DHCP aren’t the DHCP server(s) you specified, it kills the traffic and doesn’t allow unauthorized DHCP servers to operate. Other vendors implement this protection and may call it something different. It’s quick and easy to set up on UniFi. If you want to see this set up on other vendors, please let me know below!
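The decision described above, sketched as an added example (not code from the video or from UniFi; it models the idea, not Ubiquiti's implementation). The trusted address 192.168.1.1, the function names and the sample packets are assumptions constructed for the demo.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_options(payload: bytes) -> dict:
    """Walk the options that follow the 236-byte BOOTP header and the cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end of options
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def guard_verdict(src_ip: str, payload: bytes, trusted: set) -> str:
    """Return 'forward' or 'drop' for one DHCP packet seen on a switch port."""
    try:
        opts = parse_options(payload)
    except ValueError:
        return "drop"              # unparseable: fail closed (a choice made for this sketch)
    msg_type = (opts.get(53) or b"\x00")[0]
    if payload[0] != 2 and msg_type not in SERVER_TYPES:
        return "forward"           # client DISCOVER/REQUEST traffic is left alone
    sid = opts.get(54)             # option 54 = server identifier claimed in the reply
    claimed = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else src_ip
    # Both the packet source and the claimed server must be on the trusted list.
    return "forward" if {src_ip, claimed} <= trusted else "drop"

def build_dhcp(op: int, msg_type: int, server_id: str = "") -> bytes:
    """Build a minimal DHCP payload (constructed sample data, not a capture)."""
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    trusted = {"192.168.1.1"}      # assumed address of the legitimate DHCP server
    samples = [("192.168.1.1", build_dhcp(2, 2, "192.168.1.1")),    # real OFFER
               ("192.168.1.50", build_dhcp(2, 2, "192.168.1.50")),  # rogue OFFER
               ("0.0.0.0", build_dhcp(1, 1))]                       # client DISCOVER
    for src, pkt in samples:
        print(src, guard_verdict(src, pkt, trusted))
```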
Twitter – @WillieHowe
Great video. At our church UniFi periodically informs me of a duplicate IP address on our network. I have had no luck tracking down the rogue DHCP server. I'll be turning this on and presumably the rogue device will stop working and we will discover what it is and where it is lol.
When you said switch did you mean router (i.e. UDM)?
Yeah buddy! Juniper switches come with DHCP guard enabled by default, and all access ports are non-trusted unless you specifically set them to trust the DHCP server. Can cause headaches if you don’t know, but DHCP guard is great to keep in place.
Yessss this is one of my favorite features because a couple of offices were crippled after somebody brought in Pitney Bowes postage meters that included nano routers by TP-Link and these nano routers FORCED DHCP server to on in order to be DHCP CLIENTS like Wtf. Since then I have been adamant about using DHCP guarding, snooping, inspection etc. but UniFi's solution is bar none the easiest.
Would have loved to see some tries from another DHCP server trying to be its server.
Would like to hear your explanation of how DNS Shield works too.
Will this still allow PXE booting?
DHCP Guarding is turned on on my default network but I have two VLANs that multicast two internal originated video feeds to two monitors. Do those VLAN networks need to have guarding on and if so is the IP address of the DHCP server the same as on the default network?
Perfect timing. I am having issues with DHCP Guarding not working. I can see you have DHCP Snooping enabled (which I don't), is that a requirement?
Does this protect against ARP spoofing? What about dynamic ARP inspection?