This section describes how to prevent an attacker connected to a Layer-3 interface from launching bogus DHCP server attacks.
Before preventing a bogus DHCP server attack on a device, complete the following tasks:
Configure the DHCP server.
Configure a DHCP relay agent.
When DHCP snooping is disabled, only the VLAN or interface connected to a DHCP server is trusted by default.
When DHCP snooping is enabled, the VLAN or interface connected to a DHCP server is untrusted by default.
The device discards messages received from an untrusted VLAN or interface. To configure a VLAN or interface as trusted, run the dhcp snooping trusted command.
system-view
dhcp snooping enable interface interface-type interface-number
Enable DHCP snooping globally before enabling DHCP snooping on a Layer-3 interface.
interface interface-type interface-number
DHCP snooping can be enabled on the following Layer-3 interfaces:
Ethernet interfaces
Ethernet sub-interfaces
Vlanif interfaces
Layer-3 Eth-Trunk interfaces
dhcp snooping enable
dhcp snooping trusted
DHCP snooping is enabled in both the system and interface views.
The interface connected to a client is untrusted, whereas the interface connected to a network is trusted.
Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<sysname> display dhcp snooping interface GigabitEthernet 0/0/1
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
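The check below is an added example, not part of the original documentation or the vendor's tooling: it parses display output in the layout shown above and flags an untrusted interface that is discarding DHCP replies. The function names, the interface GigabitEthernet 0/0/2 and the counter value 17 are constructed for illustration, and reading "dhcp-reply total" as a count of discarded replies is an assumption based on the statement that the output shows statistics about discarded packets.

```python
import re

# Constructed sample in the layout of the page's display output; the non-zero
# dhcp-reply value and the absent "trusted" line are invented for this example.
SAMPLE = """\
<sysname> display dhcp snooping interface GigabitEthernet 0/0/2
 dhcp snooping enable
 arp total 0
 ip total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 17
"""

# Counter lines look like "<name> total <n>"; the name may contain spaces.
COUNTER = re.compile(r"^(?P<name>.+?)\s+total\s+(?P<count>\d+)$")

def parse_snooping(text):
    """Parse one 'display dhcp snooping interface' block into a dict."""
    state = {"interface": None, "enabled": False, "trusted": False, "discards": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "display dhcp snooping interface" in line:
            state["interface"] = line.split("interface", 1)[1].strip()
        elif line == "dhcp snooping enable":
            state["enabled"] = True
        elif line == "dhcp snooping trusted":
            state["trusted"] = True
        else:
            m = COUNTER.match(line)
            if m:
                state["discards"][m["name"]] = int(m["count"])
    return state

def findings(state):
    """Return review findings for one interface (assumed interpretation)."""
    out = []
    if not state["enabled"]:
        out.append("DHCP snooping is not enabled on this interface")
    replies = state["discards"].get("dhcp-reply", 0)
    if state["enabled"] and not state["trusted"] and replies:
        out.append(f"{replies} DHCP replies discarded on untrusted interface: "
                   "look for an unauthorized DHCP server behind it")
    return out
```

Run against the trusted interface output shown above, findings() returns an empty list, since the interface is enabled, trusted and all counters are zero.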