
Defense Against Attacks from Non-DHCP Users

Mechanism

On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. These attacks pose security risks to authorized DHCP users.

Solution

To prevent attacks from non-DHCP users, enable the device to generate static MAC address entries based on the DHCP snooping binding table, and disable dynamic MAC address learning on the interface. Only messages whose source MAC addresses match a static MAC address entry can pass through the user-side interface on the device; all other messages are discarded. To allow messages from non-DHCP users to pass through the interface, manually configure static MAC address entries for these users.

The device learns and generates dynamic MAC address entries, whereas static MAC address entries are configured using the CLI. A MAC address entry includes the MAC address, VLAN ID, and interface number of the DHCP client. The device implements Layer 2 forwarding based on MAC address entries.
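
The filtering rule described above, as a small Python model. This is an added example, not Huawei code or device configuration; the class and function names, interface names, and the sample binding rows are constructed for illustration.

```python
def norm(mac):
    """Reduce 00e0-fc12-3456 / 00:e0:fc:12:34:56 forms to 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class UserSideInterface:
    """Model of one user-side interface with dynamic MAC learning disabled."""
    def __init__(self, name):
        self.name = name
        self.static = set()  # (mac, vlan) entries valid on this interface

    def load_bindings(self, bindings):
        """Generate static entries from snooping bindings recorded on this interface."""
        for b in bindings:
            if b["interface"] == self.name:
                self.static.add((norm(b["mac"]), b["vlan"]))

    def add_manual(self, mac, vlan):
        """Manually configured static entry for a non-DHCP user."""
        self.static.add((norm(mac), vlan))

    def permits(self, src_mac, vlan):
        """No learning: a frame passes only if its source MAC already has an entry."""
        return (norm(src_mac), vlan) in self.static


# Constructed sample binding table (MAC, IP, VLAN, interface of each DHCP client).
BINDINGS = [
    {"mac": "00e0-fc12-3456", "ip": "10.1.1.10", "vlan": 10, "interface": "GE0/0/1"},
    {"mac": "00e0-fc12-789a", "ip": "10.1.1.11", "vlan": 10, "interface": "GE0/0/2"},
]


def demo():
    port = UserSideInterface("GE0/0/1")
    port.load_bindings(BINDINGS)
    results = {
        "dhcp_client": port.permits("00:e0:fc:12:34:56", 10),       # bound here
        "static_ip_host": port.permits("00e0-fc99-0001", 10),       # no binding
        "mac_bound_elsewhere": port.permits("00e0-fc12-789a", 10),  # bound on GE0/0/2
        "wrong_vlan": port.permits("00e0-fc12-3456", 20),           # VLAN mismatch
    }
    port.add_manual("00e0-fc99-0001", 10)  # authorise the static-IP host
    results["static_ip_host_after_manual"] = port.permits("00e0-fc99-0001", 10)
    return results
```

Calling `demo()` returns the pass/discard verdict for each case: only the bound DHCP client passes until the static-IP host is given a manual entry.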

Copyright © Huawei Technologies Co., Ltd.