Configuring Defense on the Layer-3 Interfaces Against Attacks by Changing CHADDRs

This section describes how to prevent the attacker connected to the Layer-3 interface from changing the CHADDR value to launch attacks.

Prerequisites

Before preventing the attacker from changing CHADDR through a Layer-3 device, complete the following tasks:

Configure the DHCP server.
Configure a DHCP relay agent.

Procedure

Access the system view.
```
system-view
```
Enable DHCP snooping.
```
dhcp snooping enable
```
Enable DHCP snooping globally before enabling DHCP snooping on a Layer-3 interface.
Access the interface view.
```
interface interface-type interface-number
```
DHCP snooping can be enabled on the following Layer-3 interfaces:
- Ethernet interfaces
- Ethernet sub-interfaces
- Vlanif interfaces
- Layer-3 Eth-Trunk interfaces
Enable DHCP snooping on the interface.
```
dhcp snooping enable
```
Enable the device to checking CHADDRs of packets on the interface.
```
dhcp snooping check dhcp-chaddr enable
```
Enable checking CHADDRs. The device compares the CHADDR field in the received DHCP Request message with the source MAC address in the frame header. If they are inconsistent, the received DHCP request message is considered as an attack packet and is directly discarded.

Follow-up Procedure

Run the display dhcp snooping global command to view global DHCP snooping information.
Run the display dhcp snooping { interface interface-type interface-number } command to check DHCP snooping information on a specified interface.

If the following results are displayed, the configuration is successful:

DHCP snooping is enabled in both the system and interface views.
Statistics about the discarded ARP, IP, and DHCP packets are displayed.

<sysname> display dhcp snooping interface GigabitEthernet 0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0