How Do I Defend Against Bogus DHCP Servers at the User Side?
If a bogus DHCP server is deployed on a customer network, STAs may obtain invalid IP addresses from the bogus DHCP server rather than from the AC or an authorized DHCP server.
To defend against bogus DHCP servers, disable the DHCP trusted port on an AP in the service set view. A DHCP server sends three types of DHCP packets: Offer, ACK, and NACK. When the AP receives any of these DHCP messages from a user-side interface, it treats the sender as a bogus DHCP server. The AP then discards the messages and reports the event to the AC over the CAPWAP tunnel.
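
The check described above can be sketched as follows. This is an added example, not the AP's actual implementation: it reads the DHCP Message Type option (option 53) from a BOOTP payload and drops the server-only types when they arrive on an untrusted, user-side port. The function names, the returned reason string, and the sample packets are assumptions constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"               # marks the start of DHCP options
SERVER_TYPES = {2: "Offer", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def dhcp_message_type(bootp: bytes):
    """Return the option 53 value of a BOOTP/DHCP payload, or None if absent or malformed."""
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(bootp):
        code = bootp[i]
        if code == 0:                 # pad option: single byte, no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(bootp):   # end option, or truncated header
            return None
        length = bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if len(value) != length:      # option runs past the end of the packet
            return None
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def filter_frame(bootp: bytes, trusted_port: bool):
    """Hypothetical AP-side decision: (action, event to report to the AC or None)."""
    mtype = dhcp_message_type(bootp)
    if not trusted_port and mtype in SERVER_TYPES:
        return ("drop", f"DHCP {SERVER_TYPES[mtype]} on user-side interface: bogus server")
    return ("forward", None)

def build_sample(op: int, mtype: int) -> bytes:
    """Constructed minimal BOOTP payload carrying only option 53 (sample input)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x12345678, 0, 0)
    fixed += bytes(16 + 16 + 64 + 128)   # addresses, chaddr, sname, file (zeroed)
    return fixed + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    for name, pkt in [("Discover", build_sample(1, 1)), ("Offer", build_sample(2, 2))]:
        print(name, filter_frame(pkt, trusted_port=False))
```

Client messages such as Discover pass through unchanged, so STAs can still reach the authorized DHCP server while server replies originating on the user side are discarded.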