Skip to content

Switch DHCP Server Policy Configuration

Dashboard Location: Switching > DHCP Servers and ARP

DHCP Security Policy Management

Switch DHCP server policy configuration in Meraki networks provides administrators with comprehensive DHCP security controls, enabling network protection against rogue DHCP servers, ARP spoofing attacks, and unauthorized network services. This functionality supports DHCP server validation, ARP inspection, policy enforcement, email alerting, and network traffic monitoring. DHCP server policies are essential for maintaining network integrity, preventing IP address conflicts, securing Layer 2 communications, and ensuring reliable network services in enterprise environments.

Diagram

Diagram

Classes

switch (meraki.domains.organizations.networks)

NameTypeConstraintMandatoryDefault Value
dhcp_server_policyClass[dhcp_server_policy]No

dhcp_server_policy (meraki.domains.organizations.networks.switch)

NameTypeConstraintMandatoryDefault Value
default_policyChoiceallow, blockNo
allowed_serversListMACNo
blocked_serversListMACNo
arp_inspectionBooleantrue, falseNo
alerts_emailBooleantrue, falseNo
arp_inspection_trusted_serversList[arp_inspection_trusted_servers]No

arp_inspection_trusted_servers (meraki.domains.organizations.networks.switch.dhcp_server_policy)

NameTypeConstraintMandatoryDefault Value
macMACNo
vlanAnyInteger[min: 1, max: 4094] or String[matches: `(?:[1-9][1-9][0-9][1-9][0-9]2
ipv4_addressIPNo
trusted_server_nameStringmin: 1, max: 127Yes

Examples

Example-1: The example below demonstrates switch DHCP server policy configuration using tested YAML configuration from pipeline fixtures.

meraki:
domains:
- name: "!env domain"
administrator:
name: "!env org_admin"
organizations:
- name: "!env org"
networks:
- name: "!env network_name"
product_types:
- appliance
- switch
- wireless
- camera
- sensor
- cellularGateway
switch:
dhcp_server_policy:
default_policy: block
allowed_servers:
- 00:50:56:00:00:01
- 00:50:56:00:00:02
blocked_servers:
- 00:50:56:00:00:03
- 00:50:56:00:00:04
arp_inspection: true
alerts_email: true
arp_inspection_trusted_servers:
- mac: AA:BB:CC:DD:EE:FF
vlan: 100
ipv4_address: "1.2.3.4"
trusted_server_name: s1
- mac: BB:CC:DD:EE:FF:AA
vlan: 100
ipv4_address: "1.2.3.4"
trusted_server_name: s2
- mac: CC:DD:EE:FF:AA:BB
vlan: 101
ipv4_address: "10.20.30.40"
trusted_server_name: s3

Configuration Parameters

ParameterTypeRequiredDescription
dhcp_server_policyObjectNoDHCP server policy configuration
dhcp_server_policy.alertsObjectNoAlert configuration for DHCP violations
dhcp_server_policy.alerts.emailObjectNoEmail alert settings
dhcp_server_policy.alerts.email.enabledBooleanNoEnable email alerts for DHCP violations (default: false)
dhcp_server_policy.default_policyStringNoDefault action for unauthorized DHCP servers: “allow”, “block” (default: “allow”)
dhcp_server_policy.arp_inspectionObjectNoARP inspection configuration
dhcp_server_policy.arp_inspection.enabledBooleanNoEnable Dynamic ARP Inspection (default: false)