DHCP hardening Meraki configuration

CedricMX
Getting noticed


Hello team

I would like to enforce our DHCP security policy on our Meraki network.

We have several MX and several MS.

On a test site I blocked all IPv4 and IPv6 DHCP servers except my 2 MX firewalls (primary and backup) based on their MAC address.

From what I understand, only the 2 MX will be allowed to send DHCP responses?

Do you know if other parameters can be activated to improve our security posture (Dynamic ARP Inspection?)

Many thanks!

2 Replies
RaphaelL
Kind of a big deal

Regarding DHCP, you are pretty much limited to DAI, mandatory DHCP and DHCP server blacklist/whitelist.

oliviaaaaa
Comes here often

Probably the best way to tighten it up is to enable DHCP snooping and mark only MX ports as trusted. Alternatively, you can also use Dynamic ARP Inspection to stop ARP spoofing and monitor for unexpected DHCP activity. In my opinion, this combination covers most of the risks associated with rogue servers.
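
An added example, not part of the thread and not Meraki code: the MAC allow-list check from the original post, applied offline to captured DHCP payloads as a way to monitor for unexpected server replies. It assumes the capture is already reduced to (source MAC, DHCP payload) pairs; the function names, MAC addresses and IPs are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # DHCP messages only a server sends

def parse_options(payload):
    """Return {option_code: value_bytes} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[payload[i]] = value
        i += 2 + length
    return opts

def rogue_replies(frames, allowed_macs):
    """Return (src_mac, message, server_id) for server replies from non-allowlisted MACs."""
    allowed = {m.lower() for m in allowed_macs}
    findings = []
    for src_mac, payload in frames:
        try:
            opts = parse_options(payload)
        except ValueError:
            continue                                # not DHCP or malformed: skip
        msg = opts.get(53) or b"\x00"               # option 53 = message type
        if msg[0] in SERVER_TYPES and src_mac.lower() not in allowed:
            sid = opts.get(54, b"")                 # option 54 = server identifier
            server = ".".join(map(str, sid)) if len(sid) == 4 else None
            findings.append((src_mac.lower(), SERVER_TYPES[msg[0]], server))
    return findings

def build(msg_type, server_ip=None):
    """Constructed sample payload: 236-byte BOOTP header, cookie, options."""
    op = 2 if msg_type in SERVER_TYPES else 1       # BOOTREPLY / BOOTREQUEST
    opts = bytes([53, 1, msg_type])
    if server_ip:
        opts += bytes([54, 4, *server_ip])
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + b"\xff"

# Constructed sample data (documentation MAC and IP ranges, not from the thread)
ALLOWED = {"00:00:5E:00:53:01", "00:00:5e:00:53:02"}    # primary and backup MX
FRAMES = [("00:00:5e:00:53:01", build(2, (192, 0, 2, 1))),    # OFFER from allowed MX
          ("00:00:5e:00:53:aa", build(5, (192, 0, 2, 66))),   # ACK from unknown MAC
          ("00:00:5e:00:53:10", build(1))]                    # client DISCOVER
print(rogue_replies(FRAMES, ALLOWED))
```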
