Configuring a Layer-3 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks

This section describes how to prevent an attacker connected to a Layer-3 interface from launching man-in-the-middle or IP/MAC spoofing attacks.

Prerequisites

Before preventing the man-in-the-middle and IP/MAC spoofing attacks on a Layer-3 Interfaces, complete the following tasks:

Configure a DHCP server.
Configure a DHCP relay agent.

Context

Dynamic entries in the DHCP snooping binding table do not need to be manually configured. They are automatically generated after DHCP snooping is enabled. Static entries must be manually configured.

If an IP address is dynamically assigned to a client, a device automatically learns the MAC address of the client and generates an IP and MAC binding entry. This binding table requires no configuration.
If an IP address is statically assigned to a client, a device cannot automatically learn the MAC address of the client or generate an IP and MAC binding entry. You need to create IP and MAC binding table manually.

If you do not create an IP and MAC binding table manually, the following two cases may be encountered:

If the device is configured to forward packets without matching entries, packets from all static IP addresses are forwarded, and all static clients can access the DHCP server properly. By default, the device forwards mismatching packets.
If the device is configured to discard packets without matching entries, packets from all static IP addresses are discarded, and no static clients can access the DHCP server.

After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses with entries in the DHCP snooping binding table and verify information about the MAC, IP, interface and VLAN.

If they do not match, the packet is discarded.
If they totally match, the packet is forwarded.

Procedure

Access the system view.
```
system-view
```
Enable DHCP snooping.
```
dhcp snooping enable
```
Enable DHCP snooping globally before enabling DHCP snooping on a Layer-3 interface.
Access the interface view.
```
interface interface-type interface-number
```
DHCP snooping can be enabled on the following Layer-3 interfaces:
- Ethernet interfaces
- Ethernet sub-interfaces
- VlanIf interfaces
- Eth-Trunk interfaces
Enable DHCP snooping on the interface.
```
dhcp snooping enable
```

Enable the device to check packets on the interface.

dhcp snooping check { arp | ip | dhcp-chaddr | dhcp-request } enable

Configure a static IP and MAC binding entry.

dhcp snooping bind-table static ip-address ip-address mac-address mac-address

Perform either of the following operations:
- To enable the device to add Option 82 information into packets, run:
```
dhcp option82 insert enable interface interface-type interface-number
```
  If the original message does not carry Option 82, Option 82 is appended to DHCP messages. If the message carries Option 82, Sub-option 9 is added to DHCP messages.
- Enable the device to forcibly add Option 82 into packets, run:
```
dhcp option82 rebuild enable interface interface-type interface-number
```
  Option 82 is appended to DHCP messages if the original DHCP message is not appended with Option 82. If the original DHCP message is appended with Option 82, the original Option 82 is forcibly removed, and new Option 82 is appended.
A binding table with accurate interface information can be created after Option 82 is enabled.
Configure how to process the IP and ARP packets if the DHCP snooping binding table does not contain mapping entries.
1. Specify a rule for processing mismatching packets in the interface view.
```
dhcp snooping nomatch-packet [ arp | ip ] action { forward | discard }
```
2. Access the system view.
```
quit
```
3. Specify a rule for processing mismatching packets in the system view.
```
dhcp snooping nomatch-packet [ arp | ip ] action { forward | discard }
```
If there is no matching entry for a packet in the DHCP snooping binding table, the device processes the packet using a user-defined method.

Follow-up Procedure

Run the display dhcp snooping global command to view global DHCP snooping information.
Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic | all } command to view information about the DHCP snooping binding table.
Run the display dhcp snooping interface interface-type interface-number command to view DHCP snooping information on an interface.
Run the display dhcp option82 interface interface-type interface-number command to view the Option 82 status.

If the following results are displayed, the configuration is successful:

DHCP snooping is enabled in both the system and interface views.
Option 82 is enabled on the interface.
Statistics about the discarded ARP, IP, and DHCP packets are displayed.
Interface names and the matching MAC and IP addresses in the DHCP snooping binding table are displayed.

<sysname> display dhcp snooping interface GigabitEthernet 0/0/1
 dhcp snooping enable                                                                                                               
 dhcp snooping trusted                                                                                                              
 dhcp snooping check arp enable
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0