Configuring Defense on the Layer-2 Interfaces Against Attacks by Changing CHADDRs

This section describes how to prevent the attacker connected to the Layer-2 interface from changing the CHADDR value to launch attacks.

Procedure

Access the system view.
```
system-view
```
Enable DHCP snooping.
```
dhcp snooping enable
```
Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.
Access the VLAN view.
```
vlan vlan-id
```
Assign a Layer-2 interfaces to the VLAN.
```
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
```
Only Layer-2 interfaces can be assigned to a VLAN.

Enable DHCP snooping.

dhcp snooping enable interface interface-type interface-number

Enable the device to check CHADDRs of packets from a specified VLAN.

dhcp snooping check dhcp-chaddr enable interface interface-type interface-number

Follow-up Procedure

Run the display dhcp snooping global command to view global DHCP snooping information.
Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-number ] } command to view DHCP snooping information on an interface.

If the following results are displayed, the configuration is successful:

DHCP snooping is enabled in both the system and interface views.
Statistics about the discarded ARP, IP, and DHCP packets are displayed.

<sysname> display dhcp snooping vlan 100 interface GigabitEthernet 0/0/1
 dhcp snooping enable interface GigabitEthernet 0/0/1
 dhcp snooping check dhcp-chaddr enable interface GigabitEthernet 0/0/1
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0