
Configuring a Layer-2 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks

This section describes how to prevent an attacker connected to the Layer-2 interface from launching man-in-the-middle or IP/MAC spoofing attacks.

Prerequisites

Before configuring a Layer-2 interface to defend against man-in-the-middle and IP/MAC spoofing attacks, configure a DHCP server.

Context

Dynamic entries in the DHCP snooping binding table do not need to be manually configured. They are automatically generated after DHCP snooping is enabled. Static entries must be manually configured.
  • If an IP address is dynamically assigned to a client, a device automatically learns the MAC address of the client and generates an IP and MAC binding entry. This binding table requires no configuration.

  • If an IP address is statically assigned to a client, a device cannot automatically learn the MAC address of the client or generate an IP and MAC binding entry. You need to create the IP and MAC binding entry manually.

If you do not create the IP and MAC binding entries manually, one of the following two cases occurs:
  • If the device is configured to forward packets without matching entries, packets from all static IP addresses are forwarded, and all static clients can access the DHCP server properly. By default, the device forwards mismatching packets.

  • If the device is configured to discard packets without matching entries, packets from all static IP addresses are discarded, and no static clients can access the DHCP server.

After receiving an ARP or IP packet, the interface matches the packet's source IP and MAC addresses against the entries in the DHCP snooping binding table and verifies the MAC address, IP address, interface, and VLAN information.
  • If they do not match, the packet is discarded.

  • If all of them match, the packet is forwarded.

Procedure

  1. Access the system view.

    system-view

  2. Enable DHCP snooping.

    dhcp snooping enable

    Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

  3. Access the VLAN view.

    vlan vlan-id

  4. Assign a Layer-2 interface to the VLAN.

    port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

    Only Layer-2 interfaces can be assigned to a VLAN.

  5. Enable DHCP snooping.

    dhcp snooping enable interface interface-type interface-number

  6. Trust the VLAN or interface connected to a DHCP server.

    dhcp snooping trusted interface interface-type interface-number

    DHCP messages sent by the trusted VLAN and interface are all forwarded properly.

  7. Enable the VLAN packet check.

    dhcp snooping check { arp | ip | dhcp-chaddr | dhcp-request } enable interface interface-type interface-number

  8. Configure a static IP and MAC binding entry.

    dhcp snooping bind-table static ip-address ip-address mac-address mac-address interface interface-type interface-number

  9. Perform either of the following operations:

    • To enable the device to add Option 82 information to packets, run:
      dhcp option82 insert enable interface interface-type interface-number
      If the original message does not carry Option 82, Option 82 is appended to DHCP messages. If the message carries Option 82, Sub-option 9 is added to DHCP messages.
    • To enable the device to forcibly add Option 82 to packets, run:
      dhcp option82 rebuild enable interface interface-type interface-number

      If the original DHCP message does not carry Option 82, Option 82 is appended. If the original DHCP message already carries Option 82, the original Option 82 is forcibly removed and a new Option 82 is appended.

    A binding table with accurate interface information can be created after Option 82 is enabled.

  10. Configure how IP and ARP packets are processed when the DHCP snooping binding table contains no matching entry.
    1. Specify a rule for processing mismatching packets in the VLAN view.

      dhcp snooping nomatch-packet { arp | ip } action { forward | discard } interface interface-type interface-number

    2. Access the system view.

      quit

    3. Specify a rule for processing mismatching packets in the system view.

      dhcp snooping nomatch-packet [ arp | ip ] action { forward | discard }

    If a packet has no matching entry in the DHCP snooping binding table, the device processes it according to the action you configured (forward or discard).
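As an added illustration (not Huawei code or output) of the binding-table check described under Context and of the nomatch-packet action in step 10, the following Python model keys entries by source IP, treats a packet whose source IP has no entry at all as a nomatch packet subject to the configured action, and discards a packet whose IP has an entry but whose MAC, interface or VLAN differs; that split, and all hosts, addresses and port names, are constructed assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Binding:            # one row of the binding table (assumption: keyed by IP in the dict below)
    mac: str
    interface: str
    vlan: int
    static: bool = False  # True for entries an administrator added by hand

class SnoopingTable:
    """Toy model of the DHCP snooping binding table and the ARP/IP source check."""
    def __init__(self) -> None:
        self._entries: Dict[str, Binding] = {}
        # Models "dhcp snooping nomatch-packet ... action"; the page states forward is the default.
        self.nomatch_action: Dict[str, str] = {"arp": "forward", "ip": "forward"}

    def learn_dynamic(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        """Entry the device creates by itself when a client obtains its address via DHCP."""
        self._entries[ip] = Binding(mac, interface, vlan, static=False)

    def bind_static(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        """Counterpart of 'dhcp snooping bind-table static ...' for a fixed-IP host."""
        self._entries[ip] = Binding(mac, interface, vlan, static=True)

    def check(self, kind: str, src_ip: str, src_mac: str, interface: str, vlan: int) -> str:
        """Return 'forward' or 'discard' for an ARP or IP packet arriving on an untrusted port."""
        entry = self._entries.get(src_ip)
        if entry is None:  # no entry at all (e.g. a static-IP host never bound): nomatch action
            return self.nomatch_action[kind]
        # An entry exists: MAC, interface and VLAN must all agree, otherwise the source is spoofed.
        if (entry.mac, entry.interface, entry.vlan) == (src_mac, interface, vlan):
            return "forward"
        return "discard"

def demo() -> List[str]:
    """Constructed scenario: a DHCP client on GE0/0/2 and a static-IP host on GE0/0/3, both in VLAN 100."""
    table = SnoopingTable()
    table.learn_dynamic("10.0.0.10", "00-11-22-33-44-55", "GE0/0/2", 100)
    results = [
        table.check("ip", "10.0.0.10", "00-11-22-33-44-55", "GE0/0/2", 100),   # legitimate client
        table.check("arp", "10.0.0.10", "aa-bb-cc-dd-ee-ff", "GE0/0/3", 100),  # another port claims the client's IP
        table.check("ip", "10.0.0.20", "00-11-22-33-44-66", "GE0/0/3", 100),   # static host, no entry, default forward
    ]
    table.nomatch_action["ip"] = "discard"  # equivalent of "... nomatch-packet ip action discard"
    results.append(table.check("ip", "10.0.0.20", "00-11-22-33-44-66", "GE0/0/3", 100))  # now discarded
    table.bind_static("10.0.0.20", "00-11-22-33-44-66", "GE0/0/3", 100)
    results.append(table.check("ip", "10.0.0.20", "00-11-22-33-44-66", "GE0/0/3", 100))  # static entry restores access
    return results
```

Running demo() walks through the two cases listed under Context: with the default forward action the unbound static host still reaches the network, with discard it is cut off until a static binding entry is added.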

Follow-up Procedure

  • Run the display dhcp snooping global command to view global DHCP snooping information.
  • Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic | all } command to view information about the DHCP snooping binding table.
  • Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-number ] } command to view DHCP snooping information on a specified interface.
  • Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-number } command to view the Option 82 status.
If the following results are displayed, the configuration is successful:
  • DHCP snooping is enabled in both the system and interface views.

  • Option 82 is enabled on the interface.

  • Statistics about the discarded ARP, IP, and DHCP packets are displayed.

  • Interface names and the matching MAC and IP addresses in the DHCP snooping binding table are displayed.

<sysname> display dhcp snooping vlan 100 interface GigabitEthernet 0/0/1
 dhcp snooping enable interface GigabitEthernet 0/0/1
 dhcp snooping trusted interface GigabitEthernet 0/0/1
 dhcp snooping check ip enable interface GigabitEthernet 0/0/1
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0
Copyright © Huawei Technologies Co., Ltd.