In the CCNA 200-301 exam, you must understand how to secure two fundamental network services: DHCP and ARP. Attackers exploit these protocols to launch man-in-the-middle attacks, denial-of-service, and IP address exhaustion. This chapter covers DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard — the three Cisco switch security features that mitigate these attacks. Mastering these features is essential for passing the Security Fundamentals section (Exam Objective 5.2) and for building secure enterprise networks.
Imagine a hotel with a central mailroom that assigns rooms to new guests. A guest arrives, requests a room number, and the mailroom assigns one from a list. The guest then writes that room number on all their packages. Now, a malicious guest (attacker) sets up a fake mailroom that also assigns room numbers, handing out the same room number to multiple guests. Chaos ensues — packages go to the wrong rooms, and the real mailroom is overwhelmed. To prevent this, the hotel installs a trusted mailroom (the DHCP server) and an ID check at the door (DHCP snooping). The ID check only allows packets from the trusted mailroom to assign room numbers; any other assignment is dropped. Additionally, the hotel maintains a log of which room number each guest was assigned (the DHCP snooping binding table). Later, when a guest claims to be from room 101, the front desk checks the log before delivering packages. This is Dynamic ARP Inspection: it verifies that the IP-to-MAC mapping matches the binding table. Finally, every time a guest sends a package, the front desk ensures the sender's room number matches the assigned one — that's IP Source Guard. In the network, DHCP snooping builds a trusted database of IP-to-MAC-to-port bindings, DAI uses that database to validate ARP packets, and IP Source Guard filters IP traffic based on the same database. Together, they prevent rogue DHCP servers, ARP spoofing, and IP spoofing.
DHCP Snooping: What It Is and Why It Exists
DHCP snooping is a security feature on Cisco switches that filters untrusted DHCP messages and builds a binding table of IP-to-MAC-to-port mappings. It prevents rogue DHCP servers from offering malicious IP configurations (e.g., setting a rogue default gateway to intercept traffic). The feature operates on a per-VLAN basis and requires you to define trusted and untrusted ports.
How DHCP Snooping Works Step by Step
Trusted vs. Untrusted Ports: Ports connected to legitimate DHCP servers are configured as trusted; all other ports are untrusted by default. Trusted ports can send and receive all DHCP messages. Untrusted ports are restricted: they can only send DHCP requests (DISCOVER, REQUEST, DECLINE, RELEASE, INFORM) and can only receive DHCP offers and acknowledgments from trusted ports. Any DHCP server message (OFFER, ACK, NAK) received on an untrusted port is dropped.
Rate Limiting: DHCP snooping applies rate limiting on untrusted ports to prevent DHCP starvation attacks. The default rate is 15 packets per second (pps) on Cisco IOS. If exceeded, the port is err-disabled (unless configured otherwise).
Binding Table: When a client receives an IP address via DHCP, the switch records the client's MAC address, assigned IP address, VLAN, port, and lease time in the DHCP snooping binding table. This table is used by DAI and IP Source Guard.
Key States, Timers, and Defaults
DHCP Snooping is disabled by default globally and per VLAN.
Default rate limit: 15 pps on untrusted ports.
Binding table aging: Entries are removed when the lease expires or when the client sends a DHCPRELEASE.
Option 82: DHCP snooping can insert the switch's identifier into DHCP packets (relay agent information). This is enabled by default on Cisco switches and can cause issues if the DHCP server doesn't support it.
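The decision logic of the three steps above, written out as an added Python simulation that is not Cisco code and not part of the original page: it models trusted and untrusted ports, drops server messages (OFFER, ACK, NAK) that arrive on untrusted ports, applies the 15 pps limit with err-disable, and learns a binding from the ACK that follows a client's REQUEST. Port names, MAC addresses and the whole DHCP exchange are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
DEFAULT_RATE_PPS = 15  # untrusted-port default quoted on this page


@dataclass
class DhcpMsg:
    port: str            # ingress interface (constructed names such as "Gi0/2")
    vlan: int
    kind: str            # DHCP message type
    client_mac: str      # chaddr field
    yiaddr: str = ""     # assigned address, server messages only
    lease: int = 0       # lease seconds, carried in the ACK
    second: int = 0      # simulated arrival time in whole seconds


@dataclass
class SnoopingSwitch:
    snooping_vlans: set = field(default_factory=set)
    trusted: set = field(default_factory=set)
    rate_limit: dict = field(default_factory=dict)   # port -> pps override
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> (ip, port, lease)
    errdisabled: set = field(default_factory=set)
    _pending: dict = field(default_factory=dict)     # (vlan, mac) -> client port awaiting ACK
    _seen: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> pkts

    def process(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        if m.vlan not in self.snooping_vlans:
            return "forward"                        # feature inactive on this VLAN
        if m.port in self.errdisabled:
            return "drop:errdisabled"
        key = (m.vlan, m.client_mac)
        if m.port in self.trusted:
            # Trusted port: every DHCP message passes; an ACK populates the binding
            # table with the client port recorded when its REQUEST was seen.
            if m.kind == "ACK" and key in self._pending:
                self.bindings[key] = (m.yiaddr, self._pending.pop(key), m.lease)
            return "forward"
        # Untrusted port: rate limit first, then filter by message type.
        self._seen[(m.port, m.second)] += 1
        if self._seen[(m.port, m.second)] > self.rate_limit.get(m.port, DEFAULT_RATE_PPS):
            self.errdisabled.add(m.port)             # what `errdisable recovery` would undo
            return "drop:rate-limit"
        if m.kind in SERVER_MSGS:
            return "drop:server-msg-on-untrusted"     # a rogue server is stopped here
        if m.kind not in CLIENT_MSGS:
            return "drop:unknown-type"
        if m.kind == "RELEASE":
            self.bindings.pop(key, None)              # lease returned: binding removed
        else:
            self._pending[key] = m.port
        return "forward"


def dhcp_snooping_demo() -> dict:
    """A constructed exchange: a normal lease, a rogue OFFER, and a DISCOVER flood."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted={"Gi0/1"})
    mac = "00:1A:2B:3C:4D:5E"
    out = {
        "discover": sw.process(DhcpMsg("Gi0/2", 10, "DISCOVER", mac)),
        "rogue_offer": sw.process(DhcpMsg("Gi0/3", 10, "OFFER", mac, "192.168.10.200")),
        "offer": sw.process(DhcpMsg("Gi0/1", 10, "OFFER", mac, "192.168.10.10")),
        "request": sw.process(DhcpMsg("Gi0/2", 10, "REQUEST", mac)),
        "ack": sw.process(DhcpMsg("Gi0/1", 10, "ACK", mac, "192.168.10.10", 86400)),
    }
    out["binding"] = sw.bindings.get((10, mac))
    # Sixteen DISCOVERs from one untrusted port within a single second exceed 15 pps.
    flood = [sw.process(DhcpMsg("Gi0/4", 10, "DISCOVER", f"00:00:00:00:00:{i:02X}", second=5))
             for i in range(16)]
    out["flood_forwarded"] = flood.count("forward")
    out["flood_last"] = flood[-1]
    out["errdisabled"] = sorted(sw.errdisabled)
    return out


if __name__ == "__main__":
    for k, v in dhcp_snooping_demo().items():
        print(f"{k:16} {v}")
```

The binding is keyed on the client's port (where its REQUEST was seen), not on the trusted port where the ACK arrived; that is what later lets DAI and IPSG tie an address to a physical port. The rate limiter counts per port per second, so the sixteenth DISCOVER in one second trips the default and the port stays err-disabled until recovered.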
IOS CLI Verification Commands with Real Example Output
To verify DHCP snooping configuration:
```
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Rate limit (pps)
-----------------------    -------    -----------------
GigabitEthernet0/1         yes        unlimited
GigabitEthernet0/2         no         15
```

To view the binding table:

```
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   192.168.10.10    86300       dhcp-snooping  10    GigabitEthernet0/2
```

Dynamic ARP Inspection (DAI)
DAI validates ARP packets in a broadcast domain. It intercepts all ARP requests and replies on untrusted ports and verifies that the IP-to-MAC binding matches the DHCP snooping binding table. If no match exists, the packet is dropped. DAI also performs rate limiting to prevent ARP flooding.
How DAI Works:
DAI uses the DHCP snooping binding table as the source of truth.
ARP packets received on trusted ports are not inspected.
On untrusted ports, DAI checks the sender MAC and sender IP in the ARP packet against the binding table.
If the MAC and IP match an entry for that port and VLAN, the packet is forwarded; otherwise, it is dropped.
DAI can also validate that the MAC address in the Ethernet frame matches the sender MAC in the ARP packet (MAC validation).
Default DAI settings:
DAI is disabled by default.
DAI is configured per VLAN.
Rate limiting: 15 pps on untrusted ports by default.
Verification command:
```
Switch# show ip arp inspection interfaces
Interface        Trust State     Rate Limit (pps)   Burst Interval
---------------  -----------     -----------------  ---------------
Gi0/1            Trusted         None               N/A
Gi0/2            Untrusted       15                 1
```

IP Source Guard
IP Source Guard (IPSG) filters IP traffic based on the DHCP snooping binding table. It prevents IP spoofing by ensuring that a host can only use the IP address assigned to it via DHCP. IPSG creates a per-port ACL that permits traffic from the IP address in the binding table and denies all other traffic from that port.
How IPSG Works:
IPSG is applied on untrusted switchports (access or trunk).
It uses the DHCP snooping binding table to create dynamic ACLs.
When a host sends an IP packet, the switch checks the source IP against the binding table. If the source IP matches an entry for that port and VLAN, the packet is forwarded; otherwise, it is dropped.
IPSG can also verify the source MAC address if configured with the ip verify source port-security command.
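A worked example that covers both the DAI checks in the previous section and the IPSG checks just described, added here and not part of the page or of Cisco's software. It parses a constructed `show ip dhcp snooping binding` listing into a binding table and applies the two lookups to constructed ARP and IP packets; the interface names, MACs and addresses are examples, and the gateway address 192.168.10.1 is assumed for the spoofing case.

```python
import re
from dataclasses import dataclass

# Constructed `show ip dhcp snooping binding` output (two hosts, one VLAN).
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   192.168.10.10    86300       dhcp-snooping  10    GigabitEthernet0/2
00:1A:2B:3C:4D:5F   192.168.10.11    86300       dhcp-snooping  10    GigabitEthernet0/3
"""

BINDING_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+"
    r"(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$", re.M)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """Turn the show-command table into Binding records (header/rule lines are skipped)."""
    return [Binding(m["mac"].upper(), m["ip"], int(m["vlan"]), m["intf"])
            for m in BINDING_RE.finditer(text)]


@dataclass
class ArpPacket:
    port: str
    vlan: int
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address
    eth_src: str        # Ethernet frame source MAC


def dai_check(pkt: ArpPacket, bindings: list, trusted: set, validate_src_mac: bool = False) -> str:
    """Trusted ports skip inspection; on untrusted ports the sender IP/MAC pair
    must match a binding for that same port and VLAN."""
    if pkt.port in trusted:
        return "forward:trusted"
    if validate_src_mac and pkt.eth_src.upper() != pkt.sender_mac.upper():
        return "drop:src-mac-mismatch"     # the `validate src-mac` option
    for b in bindings:
        if (b.vlan, b.interface, b.mac, b.ip) == (pkt.vlan, pkt.port, pkt.sender_mac.upper(), pkt.sender_ip):
            return "forward"
    return "drop:no-binding"


def ipsg_check(port: str, vlan: int, src_ip: str, src_mac: str, bindings: list,
               port_security: bool = False) -> str:
    """The dynamic per-port ACL: permit only source IPs bound to this port and VLAN;
    with `ip verify source port-security` the source MAC must match as well."""
    for b in bindings:
        if b.interface == port and b.vlan == vlan and b.ip == src_ip:
            if port_security and b.mac != src_mac.upper():
                return "drop:mac-mismatch"
            return "forward"
    return "drop:ip-not-bound"


def inspection_demo() -> dict:
    bindings = parse_bindings(SHOW_BINDING)
    trusted = {"GigabitEthernet0/1"}
    legit = ArpPacket("GigabitEthernet0/2", 10, "00:1A:2B:3C:4D:5E", "192.168.10.10", "00:1A:2B:3C:4D:5E")
    # Host on Gi0/3 claims the (assumed) gateway address: the ARP spoofing case.
    spoof = ArpPacket("GigabitEthernet0/3", 10, "00:1A:2B:3C:4D:5F", "192.168.10.1", "00:1A:2B:3C:4D:5F")
    # Sender MAC inside ARP disagrees with the Ethernet header: caught by src-mac validation.
    forged = ArpPacket("GigabitEthernet0/3", 10, "00:1A:2B:3C:4D:5E", "192.168.10.10", "00:1A:2B:3C:4D:5F")
    uplink = ArpPacket("GigabitEthernet0/1", 10, "AA:BB:CC:00:00:01", "192.168.10.1", "AA:BB:CC:00:00:01")
    return {
        "bindings": len(bindings),
        "legit": dai_check(legit, bindings, trusted),
        "spoof": dai_check(spoof, bindings, trusted),
        "forged": dai_check(forged, bindings, trusted, validate_src_mac=True),
        "uplink": dai_check(uplink, bindings, trusted),
        "ipsg_ok": ipsg_check("GigabitEthernet0/2", 10, "192.168.10.10", "00:1A:2B:3C:4D:5E", bindings),
        "ipsg_spoof": ipsg_check("GigabitEthernet0/2", 10, "192.168.10.11", "00:1A:2B:3C:4D:5E", bindings),
        "ipsg_mac": ipsg_check("GigabitEthernet0/2", 10, "192.168.10.10", "DE:AD:BE:EF:00:01", bindings,
                               port_security=True),
        # An empty table (snooping not enabled on the VLAN) drops everything on untrusted ports.
        "no_snooping": dai_check(legit, [], trusted),
    }


if __name__ == "__main__":
    for k, v in inspection_demo().items():
        print(f"{k:12} {v}")
```

The last entry is the failure mode to remember: with no bindings, even the legitimate host's ARP is dropped, which is exactly what happens when DAI or IPSG is enabled on a VLAN that DHCP snooping never populated.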
Default IPSG settings:
IPSG is disabled by default.
It can be enabled on a per-interface basis.
Verification command:
```
Switch# show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   192.168.10.10    86300       dhcp-snooping  10    GigabitEthernet0/2
```

How They Interact
DHCP snooping, DAI, and IPSG work together. DHCP snooping creates the binding table. DAI uses it to validate ARP. IPSG uses it to filter IP traffic. All three rely on the same database. If DHCP snooping is disabled, DAI and IPSG cannot function because they have no binding table to reference.
Enable DHCP Snooping Globally
First, enable DHCP snooping globally on the switch. Use the command `ip dhcp snooping` in global configuration mode. This activates the DHCP snooping feature but does not apply it to any VLAN yet. Without this step, DHCP snooping is completely disabled. Example:

```
Switch(config)# ip dhcp snooping
```
Configure DHCP Snooping on VLANs
Specify which VLANs will have DHCP snooping enabled. Use the command `ip dhcp snooping vlan <vlan-id>`. You can specify a single VLAN, a range, or a list. Example:

```
Switch(config)# ip dhcp snooping vlan 10
```

If you have multiple VLANs, you can add them all in one line: `ip dhcp snooping vlan 10,20,30`. Without this, DHCP snooping is not active on any VLAN even if enabled globally.
Configure Trusted and Untrusted Ports
Identify the port(s) connected to the legitimate DHCP server(s) and configure them as trusted. By default, all ports are untrusted. Use the interface configuration command `ip dhcp snooping trust`. Example:

```
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
```

All other ports remain untrusted. This ensures that DHCP server messages (OFFER, ACK, NAK) are only accepted from trusted ports.
(Optional) Adjust Rate Limiting
On untrusted ports, you can change the rate limit for DHCP packets. The default is 15 pps. Use the command `ip dhcp snooping limit rate <rate>` in interface configuration mode. Example:

```
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# ip dhcp snooping limit rate 10
```

If the rate is exceeded, the port is err-disabled. To recover automatically, you can use `errdisable recovery cause dhcp-rate-limit`.
Enable Dynamic ARP Inspection
Enable DAI on the same VLAN(s). Use the command `ip arp inspection vlan <vlan-id>`. Example:

```
Switch(config)# ip arp inspection vlan 10
```

By default, DAI is disabled. You can also configure additional validation (e.g., MAC validation) with `ip arp inspection validate src-mac dst-mac ip`.
Enable IP Source Guard
Enable IPSG on untrusted interfaces. Use the command `ip verify source` in interface configuration mode. Example:

```
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# ip verify source
```

This creates a dynamic ACL allowing only traffic from the IP address in the DHCP snooping binding table. To also verify the MAC address, use `ip verify source port-security`.
In an enterprise campus network, DHCP snooping, DAI, and IPSG are typically deployed on access switches where end users connect. Consider a university campus with thousands of students connecting their laptops and smartphones. Without DHCP snooping, a student could plug in a rogue DHCP server (e.g., a Raspberry Pi running a DHCP service) and assign IP addresses that point to a malicious gateway, intercepting all traffic. By enabling DHCP snooping on the access VLANs and trusting only the uplink ports to the core (where the legitimate DHCP server resides), the switch drops any DHCP OFFER from a rogue server.
Another scenario: an attacker on the same VLAN sends gratuitous ARP replies claiming to be the default gateway (192.168.1.1) with the attacker's MAC address. This is ARP spoofing. DAI, using the DHCP snooping binding table, detects that the ARP reply's sender IP (192.168.1.1) does not match any binding on that port (the attacker's port has a different IP assigned) and drops the packet. This prevents the man-in-the-middle attack.
In a data center environment, where servers have static IP addresses, DHCP snooping may not be applicable because the binding table is built from DHCP. For static hosts, you can manually configure static bindings using `ip dhcp snooping binding <mac> vlan <vlan> <ip> interface <interface>`. DAI and IPSG then work from those static entries.
Common misconfiguration: forgetting to enable DHCP snooping on the VLAN before enabling DAI or IPSG. DAI and IPSG rely on the DHCP snooping binding table; if DHCP snooping is not enabled on the VLAN, the binding table is empty, and all ARP and IP packets on untrusted ports will be dropped, causing a complete connectivity loss. Always verify with `show ip dhcp snooping` and `show ip dhcp snooping binding`.
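To catch that dependency mistake before it causes an outage, here is an added Python audit (my example, not a Cisco tool or anything from the original page) that reads a constructed running-config fragment and flags DAI VLANs and IPSG interfaces that have no DHCP snooping behind them, plus a snooping VLAN with no trusted port at all. It assumes Cisco IOS syntax for the few commands it parses and deliberately ignores static bindings and ARP ACLs, which would make such a finding benign.

```python
# Constructed running-config fragment (not from a real device). VLAN 20 has DAI and an
# IPSG interface but no `ip dhcp snooping vlan 20`: the misconfiguration described above.
RUNNING_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10,20
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 switchport access vlan 10
 ip verify source
!
interface GigabitEthernet0/3
 switchport access vlan 20
 ip verify source
!
"""


def expand_vlans(spec: str) -> set:
    """Expand IOS VLAN lists such as '10,20-22' into a set of integers."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> dict:
    """Pull out only the commands the audit needs: global/VLAN snooping, DAI VLANs,
    and per-interface access VLAN, trust, and IPSG state."""
    cfg = {"snooping_global": False, "snooping_vlans": set(), "dai_vlans": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # end of an interface block
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            cfg["interfaces"][current] = {"vlan": None, "trust": False, "ipsg": False}
            continue
        stmt = raw.strip()
        if raw.startswith(" ") and current:     # indented: interface sub-command
            iface = cfg["interfaces"][current]
            if stmt.startswith("switchport access vlan "):
                iface["vlan"] = int(stmt.split()[-1])
            elif stmt == "ip dhcp snooping trust":
                iface["trust"] = True
            elif stmt.startswith("ip verify source"):
                iface["ipsg"] = True
        elif stmt == "ip dhcp snooping":
            cfg["snooping_global"] = True
        elif stmt.startswith("ip dhcp snooping vlan "):
            cfg["snooping_vlans"] |= expand_vlans(stmt[len("ip dhcp snooping vlan "):])
        elif stmt.startswith("ip arp inspection vlan "):
            cfg["dai_vlans"] |= expand_vlans(stmt[len("ip arp inspection vlan "):])
    return cfg


def audit(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the dependencies line up."""
    findings = []
    if not cfg["snooping_global"]:
        findings.append("DHCP snooping is not enabled globally: no binding table will be built")
    for v in sorted(cfg["dai_vlans"] - cfg["snooping_vlans"]):
        findings.append(f"VLAN {v}: DAI enabled without DHCP snooping; "
                        "ARP on untrusted ports in this VLAN will be dropped")
    for name, i in cfg["interfaces"].items():
        if i["ipsg"] and i["vlan"] is not None and i["vlan"] not in cfg["snooping_vlans"]:
            findings.append(f"{name}: IP Source Guard in VLAN {i['vlan']} without DHCP snooping; "
                            "host traffic on this port will be dropped")
    if cfg["snooping_vlans"] and not any(i["trust"] for i in cfg["interfaces"].values()):
        findings.append("no trusted interface: OFFER/ACK from the legitimate server will be dropped")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(RUNNING_CONFIG)):
        print("WARN", line)
```

Run against the fragment above it reports VLAN 20 (DAI without snooping) and GigabitEthernet0/3 (IPSG in VLAN 20 without snooping); fixing either by adding `ip dhcp snooping vlan 20` clears both.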
Performance considerations: These features are hardware-based on most Cisco switches (e.g., Catalyst 2960, 3560, 3750, 3850). They use TCAM entries for ACLs and have minimal impact on forwarding performance. However, rate limiting can cause issues if legitimate DHCP traffic exceeds the limit (e.g., during a large number of simultaneous client requests). In such cases, increase the rate limit or configure the port as trusted if it's a known high-traffic port (but be cautious).
Exam Objective 5.2: Describe security program elements (user awareness, training, physical access control, etc.) — but within that, Cisco specifically tests DHCP snooping, DAI, and IPSG under the umbrella of 'Layer 2 security features'. Expect scenario-based questions asking which feature prevents which attack.
Common wrong answers and why:
1. 'Port security prevents ARP spoofing' — No. Port security limits the number of MAC addresses on a port but does not inspect ARP packets. DAI is the correct answer.
2. 'DHCP snooping alone prevents all IP spoofing' — No. DHCP snooping only filters DHCP messages; it does not inspect IP traffic. IPSG is needed for IP spoofing prevention.
3. 'DAI uses the MAC address table' — No. DAI uses the DHCP snooping binding table, not the MAC address table.
4. 'IP Source Guard uses ACLs that must be manually configured' — No. IPSG dynamically creates ACLs based on the binding table.
Specific values and defaults:
Default DHCP snooping rate limit: 15 pps.
Default DAI rate limit: 15 pps.
DHCP snooping is disabled globally and per VLAN by default.
DAI is disabled per VLAN by default.
IPSG is disabled per interface by default.
Calculation traps: None for this topic, but you may be asked to interpret the output of `show ip dhcp snooping binding` or `show ip arp inspection interfaces`.
Decision rule: For scenario questions, identify the attack first:
Rogue DHCP server → DHCP snooping.
ARP spoofing / ARP poisoning → DAI.
IP spoofing / IP address hijacking → IPSG.
All three attacks → deploy all three features.
Remember that DAI and IPSG depend on DHCP snooping. If the switch is not configured with DHCP snooping on the VLAN, DAI and IPSG cannot function (unless static bindings are configured).
DHCP snooping filters DHCP messages and builds a binding table of IP-MAC-port-VLAN mappings.
DAI validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing.
IP Source Guard filters IP traffic based on the DHCP snooping binding table to prevent IP spoofing.
All three features are disabled by default; DHCP snooping must be enabled globally and per VLAN.
Default rate limit for DHCP snooping and DAI is 15 packets per second on untrusted ports.
Trusted ports are typically uplinks to legitimate DHCP servers; all other ports are untrusted.
Static bindings can be configured for devices with static IP addresses using the `ip dhcp snooping binding` command.
These come up on the exam all the time. Here's how to tell them apart.
| | DHCP Snooping | Dynamic ARP Inspection (DAI) |
|---|---|---|
| Filters | DHCP messages (DISCOVER, OFFER, etc.) | ARP messages (request/reply) |
| Binding table | Builds binding table of IP-MAC-port | Uses binding table from DHCP snooping |
| Prevents | Rogue DHCP servers | ARP spoofing/poisoning |
| Rate limiting | DHCP traffic (default 15 pps) | ARP traffic (default 15 pps) |
| Layer | Layer 2/3 (DHCP is IP/UDP) | Layer 2 (ARP is Ethernet) |
Mistake
DHCP snooping prevents all DHCP-related attacks, including DHCP starvation.
Correct
DHCP snooping's rate limiting helps mitigate DHCP starvation, but the primary protection against starvation is to limit the number of DHCP requests per second. The binding table itself does not prevent starvation; rate limiting does.
Candidates often think the binding table prevents exhaustion because it tracks leases, but starvation is about flooding requests to exhaust the server's pool.
Mistake
DAI validates all ARP packets on all ports.
Correct
DAI only validates ARP packets received on untrusted ports. Trusted ports (e.g., uplink to router) are exempt from inspection.
The term 'inspection' implies all traffic is inspected, but DAI specifically skips trusted ports to avoid dropping legitimate traffic from switches or routers.
Mistake
IP Source Guard prevents MAC spoofing.
Correct
IP Source Guard checks the source IP address, not the source MAC. To prevent MAC spoofing, use port security or DAI with MAC validation.
The name 'Source Guard' might be misinterpreted as checking the source MAC, but it is the IP source that is verified.
Mistake
You can enable DAI without DHCP snooping if you configure static bindings.
Correct
True! You can configure static bindings using 'ip arp inspection filter' with ACLs, but the typical exam scenario assumes DHCP snooping is the source of bindings. However, static bindings are possible.
Candidates often think DHCP snooping is mandatory, but DAI can use ARP ACLs or static DHCP bindings. The exam may test this nuance.
Yes, but you must configure ARP ACLs or static DHCP snooping bindings. DAI relies on a source of truth to validate ARP packets. Without DHCP snooping, you can define ARP ACLs using 'arp access-list' and apply them with 'ip arp inspection filter' on the VLAN. However, the exam typically assumes DHCP snooping is the binding source.
The default rate limit is 15 packets per second (pps) on untrusted ports for both DHCP snooping and DAI. This can be changed using the 'ip dhcp snooping limit rate' and 'ip arp inspection limit rate' commands respectively.
Partially. DHCP snooping's rate limiting helps mitigate starvation by limiting the number of DHCP requests per second from an untrusted port. However, the primary defense against starvation is to limit the number of leases per port or use other mechanisms like DHCP snooping's 'ip dhcp snooping limit rate'.
IP Source Guard (IPSG) filters IP traffic based on the source IP address, using the DHCP snooping binding table. Port security limits the number of MAC addresses allowed on a port and can shut down the port if exceeded. IPSG prevents IP spoofing; port security prevents MAC flooding and unauthorized MACs.
Use the global configuration command 'ip dhcp snooping binding <mac-address> vlan <vlan-id> <ip-address> interface <interface-id>'. This adds a static entry to the binding table, which DAI and IPSG can use. Example: 'ip dhcp snooping binding 0000.1111.2222 vlan 10 192.168.10.50 interface GigabitEthernet0/3'.
The port is placed in err-disabled state. You can manually recover it with 'shutdown' followed by 'no shutdown', or configure automatic recovery using 'errdisable recovery cause dhcp-rate-limit' and 'errdisable recovery interval <seconds>'.
Yes, DHCP snooping can be enabled on trunk ports. However, you must configure trust appropriately. The trunk port connecting to a DHCP server should be trusted. On trunk ports carrying multiple VLANs, DHCP snooping operates per VLAN.