
Configuring Defense on the Layer-3 Interfaces Against Attacks by Sending Bogus Packets for Extending IP Leases

This section describes how to prevent an attacker connected to a Layer-3 interface from launching attacks with bogus DHCP packets that request extended IP leases.

Prerequisites

Before preventing the attacker from sending bogus messages for extending IP leases, complete the following tasks:

  • Configure the DHCP server.

  • Configure a DHCP relay agent.

Context

The dynamic entries in the DHCP snooping binding table require no configuration: they are generated automatically once DHCP snooping is enabled. The static entries, however, must be configured manually.
  • If the IP address is dynamically assigned to the client, the device automatically learns the client's MAC address and generates the IP/MAC binding entry. This entry requires no configuration.

  • If the IP address is statically assigned to the client, the device cannot learn the client's MAC address automatically, so no IP/MAC binding entry is generated. You need to create the IP and MAC binding entry manually.

If you do not create the IP and MAC binding entries manually, one of the following two cases occurs:
  • If packets without a matching entry are configured to be forwarded, packets from all static IP addresses are forwarded and all static clients can access the DHCP server normally. By default, the device forwards packets that have no matching entry.

  • If packets without a matching entry are configured to be discarded, packets from all static IP addresses are discarded and no static client can access the DHCP server.

After receiving an ARP or IP packet, the interface matches the packet's source IP and MAC addresses against the entries in the DHCP snooping binding table and verifies the MAC address, IP address, interface, and VLAN.
  • If any of them does not match, the packet is discarded.

  • If all of them match, the packet is forwarded.
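The matching rules above, together with the effect of the static binding entry that step 8 of the procedure configures, modelled as an added Python example (this is not Huawei code; the interface name, VLAN, IP and MAC addresses are constructed sample values):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    static: bool = False  # True for entries configured manually (procedure step 8)

class SnoopingBindingTable:
    """Models the binding-table check described in the Context section."""

    def __init__(self, forward_unmatched: bool = True) -> None:
        # Page default: a packet with no matching entry is forwarded.
        self.forward_unmatched = forward_unmatched
        self._by_ip: dict[str, Binding] = {}

    def learn_dynamic(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        # Dynamic entry: created automatically when a client obtains a lease via DHCP.
        self._by_ip[ip] = Binding(ip, mac, interface, vlan, static=False)

    def add_static(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        # Static entry: a statically addressed client never uses DHCP, so it is added by hand.
        self._by_ip[ip] = Binding(ip, mac, interface, vlan, static=True)

    def check(self, src_ip: str, src_mac: str, interface: str, vlan: int) -> str:
        """Decide 'forward' or 'discard' for an ARP/IP packet seen on the interface."""
        entry = self._by_ip.get(src_ip)
        if entry is None:  # no entry at all: the mismatch policy decides
            return "forward" if self.forward_unmatched else "discard"
        # An entry exists: MAC, interface and VLAN must all agree with the packet.
        all_match = (entry.mac == src_mac and entry.interface == interface
                     and entry.vlan == vlan)
        return "forward" if all_match else "discard"

def demo() -> dict:
    # Constructed sample values (assumed, not from the page): strict policy, one DHCP client.
    table = SnoopingBindingTable(forward_unmatched=False)
    table.learn_dynamic("10.1.1.10", "00aa-bbcc-0001", "GE0/0/1", 10)
    results = {
        "dhcp_client": table.check("10.1.1.10", "00aa-bbcc-0001", "GE0/0/1", 10),
        "mac_mismatch": table.check("10.1.1.10", "00aa-bbcc-ffff", "GE0/0/1", 10),
        "static_before_binding": table.check("10.1.1.20", "00aa-bbcc-0002", "GE0/0/1", 10),
    }
    table.add_static("10.1.1.20", "00aa-bbcc-0002", "GE0/0/1", 10)  # procedure step 8
    results["static_after_binding"] = table.check("10.1.1.20", "00aa-bbcc-0002", "GE0/0/1", 10)
    return results
```

With the discard policy, the static client is cut off until its entry is added by hand, which is exactly the second case listed above; with the default forward policy it would pass even without an entry.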

Procedure

  1. Access the system view.

    system-view

  2. Enable DHCP snooping.

    dhcp snooping enable

    Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

  3. Set the rate at which DHCP messages are sent.

    dhcp snooping check dhcp-rate rate

  4. Enable the check of the rate at which DHCP messages are sent.

    dhcp snooping check dhcp-rate enable

  5. Access the interface view.

    interface interface-type interface-number

    DHCP snooping can be enabled on the following Layer-3 interfaces:

    • Ethernet interfaces

    • Ethernet sub-interfaces

    • Vlanif interfaces

    • Layer-3 Eth-Trunk interfaces

  6. Enable DHCP snooping.

    dhcp snooping enable

  7. Enable checking of DHCP Request messages on the specified interface.

    dhcp snooping check dhcp-request enable

  8. Configure a static IP and MAC binding entry.

    dhcp snooping bind-table static ip-address ip-address mac-address mac-address

  9. Perform either of the following operations:

    • To enable the device to add Option 82 information to packets, run:
      dhcp option82 insert enable interface interface-type interface-number
      If the original message does not carry Option 82, Option 82 is appended to the DHCP message. If the message already carries Option 82, Sub-option 9 is added to it.
    • To enable the device to forcibly add Option 82 to packets, run:
      dhcp option82 rebuild enable interface interface-type interface-number
      If the original DHCP message does not carry Option 82, Option 82 is appended. If the original DHCP message already carries Option 82, the original Option 82 is forcibly removed and a new Option 82 is appended.

    A binding table with accurate interface information can be created after Option 82 is enabled.

Follow-up Procedure

If the following results are displayed, the configuration is successful:
  • DHCP snooping is enabled in both the system and interface views.

  • Option 82 is enabled on the interface.

  • Statistics about the discarded ARP, IP, and DHCP packets are displayed.

  • Interface names and the matching MAC and IP addresses in the DHCP snooping binding table are displayed.

<sysname> display dhcp snooping interface GigabitEthernet 0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-request enable
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0
Copyright © Huawei Technologies Co., Ltd.