Switch DHCP Server Policy Configuration

Dashboard Location: Switching > DHCP Servers and ARP

DHCP Security Policy Management

Switch DHCP server policy configuration in Meraki networks provides administrators with comprehensive DHCP security controls, enabling network protection against rogue DHCP servers, ARP spoofing attacks, and unauthorized network services. This functionality supports DHCP server validation, ARP inspection, policy enforcement, email alerting, and network traffic monitoring. DHCP server policies are essential for maintaining network integrity, preventing IP address conflicts, securing Layer 2 communications, and ensuring reliable network services in enterprise environments.

Diagram

Classes

switch (meraki.domains.organizations.networks)

Name	Type	Constraint	Mandatory	Default Value
dhcp_server_policy	Class	`[dhcp_server_policy]`	No

dhcp_server_policy (meraki.domains.organizations.networks.switch)

Name	Type	Constraint	Mandatory
default_policy	Choice	`allow`, `block`	No
allowed_servers	List	MAC	No
blocked_servers	List	MAC	No
arp_inspection	Boolean	`true`, `false`	No
alerts_email	Boolean	`true`, `false`	No
arp_inspection_trusted_servers	List	`[arp_inspection_trusted_servers]`	No

arp_inspection_trusted_servers (meraki.domains.organizations.networks.switch.dhcp_server_policy)

Name	Type	Constraint	Mandatory	Default Value
mac	MAC		No
vlan	Any	Integer[min: `1`, max: `4094`] or String[matches: `(?:[1-9]	[1-9][0-9]	[1-9][0-9]2
ipv4_address	IP		No
trusted_server_name	String	min: `1`, max: `127`	Yes

Examples

Example-1: The example below demonstrates switch DHCP server policy configuration using tested YAML configuration from pipeline fixtures.

meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              switch:
                dhcp_server_policy:
                  default_policy: block
                  allowed_servers:
                    - 00:50:56:00:00:01
                    - 00:50:56:00:00:02
                  blocked_servers:
                    - 00:50:56:00:00:03
                    - 00:50:56:00:00:04
                  arp_inspection: true
                  alerts_email: true
                  arp_inspection_trusted_servers:
                    - mac: AA:BB:CC:DD:EE:FF
                      vlan: 100
                      ipv4_address: "1.2.3.4"
                      trusted_server_name: s1
                    - mac: BB:CC:DD:EE:FF:AA
                      vlan: 100
                      ipv4_address: "1.2.3.4"
                      trusted_server_name: s2
                    - mac: CC:DD:EE:FF:AA:BB
                      vlan: 101
                      ipv4_address: "10.20.30.40"
                      trusted_server_name: s3

Configuration Parameters

Parameter	Type	Required	Description
`dhcp_server_policy`	Object	No	DHCP server policy configuration
`dhcp_server_policy.alerts`	Object	No	Alert configuration for DHCP violations
`dhcp_server_policy.alerts.email`	Object	No	Email alert settings
`dhcp_server_policy.alerts.email.enabled`	Boolean	No	Enable email alerts for DHCP violations (default: false)
`dhcp_server_policy.default_policy`	String	No	Default action for unauthorized DHCP servers: “allow”, “block” (default: “allow”)
`dhcp_server_policy.arp_inspection`	Object	No	ARP inspection configuration
`dhcp_server_policy.arp_inspection.enabled`	Boolean	No	Enable Dynamic ARP Inspection (default: false)