This section describes how to prevent an attacker connected to a Layer-2 interface from launching bogus DHCP server attacks.
Before preventing a bogus DHCP server attack on a Layer-2 interface, configure a DHCP server.
When DHCP snooping is disabled, only the VLAN or interface connected to a DHCP server is trusted by default.
When DHCP snooping is enabled, the VLAN or interface connected to a DHCP server is untrusted by default.
The device discards DHCP messages received from an untrusted VLAN or interface. To set a VLAN or interface as trusted, run the dhcp snooping trusted command.
system-view
dhcp snooping enable
Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.
vlan vlan-id
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
Only Layer-2 interfaces can be assigned to a VLAN.
dhcp snooping enable interface interface-type interface-number
dhcp snooping trusted [ interface interface-type interface-number ]
DHCP messages sent by the trusted VLAN and interface are all forwarded properly.
DHCP snooping is enabled in both the system and interface views.
The interface connected to a client is untrusted, whereas the interface connected to a network is trusted.
Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<sysname> display dhcp snooping vlan 10
 interface GigabitEthernet 0/0/1
  dhcp snooping enable
 interface GigabitEthernet 0/0/1
  dhcp snooping trusted
 interface GigabitEthernet 0/0/1
  arp total 0
  ip total 0
  dhcp-request total 0
  chaddr&src mac total 0
  dhcp-reply total 0
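The trusted/untrusted decision described above, modelled as an added Python example (not code from the switch vendor): a minimal BOOTP/DHCP header parser plus a per-port filter that discards DHCP replies arriving on untrusted ports and counts the drops under the same names the display output uses. The "chaddr&src mac" check is assumed here to mean comparing the DHCP chaddr field with the Ethernet source MAC; port names and MAC addresses are constructed sample values.

```python
import struct
from collections import Counter

BOOTREQUEST, BOOTREPLY = 1, 2


def build_dhcp(op, chaddr):
    """Constructed 236-byte BOOTP/DHCP fixed header (options omitted)."""
    return struct.pack("!BBBBIHH4s4s4s4s16s192s", op, 1, 6, 0, 0x1234, 0, 0,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 192)


def parse_dhcp(payload):
    """Return (op, chaddr) from the fixed header; chaddr starts at offset 28."""
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    return op, payload[28:28 + hlen]


class SnoopingPort:
    """One Layer-2 interface with DHCP snooping enabled."""

    def __init__(self, name, trusted=False):
        self.name, self.trusted = name, trusted
        # Drop counters mirroring "dhcp-reply total" / "chaddr&src mac total".
        self.dropped = Counter()

    def receive(self, src_mac, payload):
        """True if the DHCP message is forwarded, False if discarded."""
        op, chaddr = parse_dhcp(payload)
        if op == BOOTREPLY and not self.trusted:
            # A server reply on an untrusted port: bogus DHCP server suspected.
            self.dropped["dhcp-reply"] += 1
            return False
        if op == BOOTREQUEST and chaddr != src_mac:
            # Assumed chaddr vs. source-MAC consistency check on client requests.
            self.dropped["chaddr&src mac"] += 1
            return False
        return True


if __name__ == "__main__":
    uplink = SnoopingPort("GigabitEthernet0/0/1", trusted=True)
    access = SnoopingPort("GigabitEthernet0/0/2")
    print(access.receive(b"\xaa" * 6, build_dhcp(BOOTREPLY, b"\0" * 6)))
    print(dict(access.dropped))
```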