
Switch DHCP Server Policy ARP Inspection Trusted Servers Configuration

Dashboard Location: Switching > DHCP Servers and ARP

Switch DHCP server policy ARP inspection trusted servers configuration in Meraki networks provides administrators with the capability to define authorized DHCP servers that bypass ARP inspection security controls, enabling secure network operations while maintaining protection against rogue servers. This functionality supports trusted server identification, MAC address binding, VLAN-specific server authorization, IP address validation, and granular ARP inspection control. Trusted server management is essential for enterprise networks with legitimate DHCP services, distributed server architectures, VLAN-segmented environments, and complex network topologies requiring selective ARP inspection bypass.


dhcp_server_policy (meraki.domains.organizations.networks.switch)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| arp_inspection_trusted_servers | List | [arp_inspection_trusted_servers] | No | |

arp_inspection_trusted_servers (meraki.domains.organizations.networks.switch.dhcp_server_policy)

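| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| mac | MAC | | No | |
| vlan | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9][1-9][0-9][1-9][0-9]2 | | |
| ipv4_address | IP | | No | |
| trusted_server_name | String | min: 1, max: 127 | Yes | |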

Example-1: The example below demonstrates switch DHCP ARP inspection trusted servers configuration.

This configuration defines trusted DHCP servers that bypass ARP inspection security controls. The example includes MAC address binding, VLAN-specific authorization, and IP address validation for selective ARP inspection bypass.

This configuration establishes ARP inspection trusted servers using the “arp_inspection_trusted_servers” array, whose entries carry a “mac” address for hardware identification, a “vlan” for network segmentation, an “ipv4_address” for IP binding validation, and a “trusted_server_name” for administrative labeling. Each trusted server entry (s1, s2, s3) bypasses Dynamic ARP Inspection checks within its designated VLAN, enabling legitimate DHCP services while maintaining security against ARP spoofing attacks. The configuration demonstrates both redundant servers (s1 with MAC address “AA:BB:CC:DD:EE:FF” and s2 with MAC address “BB:CC:DD:EE:FF:AA”, sharing the same IP “1.2.3.4” in VLAN 100) and a segmented server (s3 with MAC address “CC:DD:EE:FF:AA:BB” and IP address “10.20.30.40”, operating in VLAN 101) for comprehensive network protection and service availability.

```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              switch:
                dhcp_server_policy:
                  arp_inspection_trusted_servers:
                    - mac: AA:BB:CC:DD:EE:FF
                      vlan: 100
                      ipv4_address: "1.2.3.4"
                      trusted_server_name: s1
                    - mac: BB:CC:DD:EE:FF:AA
                      vlan: 100
                      ipv4_address: "1.2.3.4"
                      trusted_server_name: s2
                    - mac: CC:DD:EE:FF:AA:BB
                      vlan: 101
                      ipv4_address: "10.20.30.40"
                      trusted_server_name: s3
```

| Server Type | Description | Use Case | Configuration Requirements |
| --- | --- | --- | --- |
| Primary DHCP Server | Main network DHCP service | Standard operations | MAC, IP, VLAN binding |
| Secondary DHCP Server | Backup/failover service | High availability | Duplicate configuration |
| VLAN-specific Server | Dedicated VLAN services | Network segmentation | Per-VLAN settings |
| Remote Site Server | Branch office DHCP | Distributed networks | Site-specific parameters |
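
Because every trusted-server entry is an exemption from ARP inspection, the list is worth linting before it is deployed. The following is an added example, not part of the original page or of the Meraki tooling: it checks each entry against the constraints in the schema table and lists, for review, entries without a full MAC/VLAN/IP binding and VLAN/IP pairs trusted for more than one MAC (as with s1 and s2). The function name, the MAC pattern and the review policy are assumptions; the sample data is constructed from the page's example plus two deliberately invalid entries.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # assumed colon-separated form

# Constructed sample: the page's three entries plus two deliberately bad ones.
SAMPLE = [
    {"mac": "AA:BB:CC:DD:EE:FF", "vlan": 100, "ipv4_address": "1.2.3.4", "trusted_server_name": "s1"},
    {"mac": "BB:CC:DD:EE:FF:AA", "vlan": 100, "ipv4_address": "1.2.3.4", "trusted_server_name": "s2"},
    {"mac": "CC:DD:EE:FF:AA:BB", "vlan": 101, "ipv4_address": "10.20.30.40", "trusted_server_name": "s3"},
    {"mac": "CC:DD:EE:FF:AA", "vlan": 4095, "ipv4_address": "10.20.30.400", "trusted_server_name": ""},
    {"trusted_server_name": "s5"},
]


def lint_trusted_servers(entries):
    """Return (errors, review): schema violations and items a human should confirm."""
    errors, review = [], []
    macs_by_vlan_ip = {}
    for i, entry in enumerate(entries):
        name = entry.get("trusted_server_name")
        label = f"entry {i} ({name!r})"
        if not isinstance(name, str) or not 1 <= len(name) <= 127:
            errors.append(f"{label}: trusted_server_name must be 1-127 characters")
        mac, vlan, ip = entry.get("mac"), entry.get("vlan"), entry.get("ipv4_address")
        if mac is not None and not MAC_RE.match(str(mac)):
            errors.append(f"{label}: malformed mac {mac!r}")
        # Only the integer form of vlan is checked; the string pattern is
        # truncated on the page, so string values are passed through.
        if isinstance(vlan, int) and not 1 <= vlan <= 4094:
            errors.append(f"{label}: vlan {vlan} outside 1-4094")
        if ip is not None:
            try:
                ipaddress.IPv4Address(str(ip))
            except ValueError:
                errors.append(f"{label}: invalid ipv4_address {ip!r}")
        if None in (mac, vlan, ip):
            # Assumed review policy: a trust entry should pin MAC, VLAN and IP.
            review.append(f"{label}: missing mac/vlan/ipv4_address binding")
        else:
            macs_by_vlan_ip.setdefault((vlan, str(ip)), set()).add(str(mac).upper())
    for (vlan, ip), macs in macs_by_vlan_ip.items():
        if len(macs) > 1:
            # Expected for redundant servers, but each extra MAC widens the bypass.
            review.append(f"VLAN {vlan} {ip}: {len(macs)} MACs trusted ({', '.join(sorted(macs))})")
    return errors, review
```

Run against the page's three entries alone, it reports no errors and one review item: the s1/s2 pair sharing 1.2.3.4 in VLAN 100.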