Protect your BDCOM FTTx network from rogue DHCP servers by following these two simple steps.

Protecting your network from a rogue DHCP server simply means telling the OLT on which port it will receive DHCP addresses to push down to connected clients, and what to do if it receives an IP address in the upstream direction (from the ONUs to the OLT).

DHCP spoofing occurs when an attacker responds to DHCP requests and lists itself (spoofs) as the default gateway or DNS server, setting up a man-in-the-middle position. Should this be successful, attackers can intercept traffic from your users before forwarding it to the real gateway, or perform a DoS by flooding the real DHCP server with requests to choke its IP address resources.

This does not always mean that you have an attacker in your network. It can also be that a home user is using a router not supplied by the Internet Service Provider. Without these simple precautions in place, such a router can flood your network and bring your users to a standstill.

In your BDCOM CLI (Command Line Interface), you will use the following commands:

Switch#config

Switch_config# ip dhcp-relay snooping

Switch_config# ip dhcp-relay snooping vlan # (VLAN number that you are using)

To trust the port where the DHCP server is connected:

Switch#config

Switch_config# interface GigaEthernet 0/1

Switch_config_g0/1# dhcp snooping trust 

Remember to save the changes made.

In this scenario, we used a standard default VLAN 1 and our GigaEthernet 0/1 port is where our DHCP Server is connected to the BDCOM OLT. 
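The filtering decision that DHCP snooping applies once a port is trusted can be modelled as follows. This is an added illustration, not BDCOM firmware code or part of the original article; the subscriber port name `onu-port-3` and the sample packets are constructed for the demo, and only `g0/1` comes from the scenario above.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only a DHCP server sends these
TRUSTED_PORTS = {"g0/1"}                     # uplink to the real DHCP server

def dhcp_message_type(payload: bytes):
    """Return the value of option 53 (message type), or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):            # truncated option header
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(port: str, payload: bytes) -> str:
    """Model of the snooping decision for a DHCP payload seen on `port`."""
    mtype = dhcp_message_type(payload)
    if mtype is None:
        return "not-dhcp"                    # outside the scope of this sketch
    if mtype in SERVER_TYPES and port not in TRUSTED_PORTS:
        return "drop"                        # server reply from a subscriber port
    return "forward"

def build_sample(op: int, mtype: int) -> bytes:
    """Constructed minimal BOOTP header plus option 53 (not a real capture)."""
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

def demo():
    events = [
        ("g0/1", build_sample(2, 2)),        # OFFER from the real server
        ("onu-port-3", build_sample(1, 1)),  # DISCOVER from a subscriber
        ("onu-port-3", build_sample(2, 2)),  # OFFER from a customer's own router
    ]
    return [snoop(port, pkt) for port, pkt in events]

if __name__ == "__main__":
    print(demo())
```
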

Need more info or have any questions? Leave a comment below or get in touch with our technical team.

For more technical insights and tips, we encourage you to register for our online BDCOM GPON technical training. Click here to find out more.
