Configuring Defense Against Bogus DHCP Server Attacks

This section describes how to configure defense against bogus Dynamic Host Configuration Protocol (DHCP) server attacks.

Applicable Environment

A bogus DHCP server on the network may send a DHCP offer packet to the DHCP client. The DHCP offer packet contains incorrect information, such as an incorrect gateway address, an incorrect Domain Name System (DNS) server address, or an incorrect IP address. As a result, the DHCP client cannot connect to the network or may connect to an incorrect network.

To prevent a bogus DHCP server attack, configure DHCP snooping on the device, configure the network-side interface to be trusted and the user-side interface to be untrusted, and configure the device to discard DHCP reply packets received from untrusted interfaces.

You can also enable bogus DHCP server detection on the device. The device then obtains relevant information about the DHCP server and logs it, which helps you maintain the network.
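The following Python sketch models the trusted/untrusted decision and the server logging described above. It is an added example, not Huawei code or device configuration; the port names, the log tuple layout, and the choice to drop malformed messages are assumptions, and the packets are constructed samples.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie (RFC 2131)
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # server-to-client message types

def parse_options(payload):
    """Return {option_code: value} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # 0 = Pad option
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snoop(payload, in_port, trusted_ports, log):
    """Return 'forward' or 'drop'; log replies seen on untrusted ports."""
    try:
        opts = parse_options(payload)
    except ValueError:
        return "drop"                 # assumption: malformed DHCP is dropped
    mtype = opts[53][0] if opts.get(53) else 0      # option 53 = message type
    if mtype in REPLY_TYPES and in_port not in trusted_ports:
        sid = opts.get(54, b"")                     # option 54 = server identifier
        server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
        log.append((in_port, REPLY_TYPES[mtype], server))
        return "drop"
    return "forward"

def build(msg_type, server_ip=None):
    """Constructed sample: minimal BOOTP header plus options 53 and 54."""
    pkt = bytes([2 if msg_type in REPLY_TYPES else 1, 1, 6, 0]) + bytes(232) + MAGIC
    pkt += bytes([53, 1, msg_type])
    if server_ip:
        pkt += bytes([54, 4]) + socket.inet_aton(server_ip)
    return pkt + b"\xff"

def demo():
    """Hypothetical port names; 'uplink1' is the only trusted interface."""
    trusted, log = {"uplink1"}, []
    samples = [(build(1), "user1"), (build(2, "192.0.2.1"), "uplink1"),
               (build(2, "198.51.100.66"), "user2")]
    return [snoop(p, port, trusted, log) for p, port in samples], log
```

Calling demo() forwards the client DISCOVER and the OFFER arriving on the trusted uplink, and drops and logs the OFFER arriving on the user-side port.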

Pre-configuration Tasks

Before you configure defense against bogus DHCP server attacks, configure the DHCP server.

Copyright © Huawei Technologies Co., Ltd.