On the CCNA 200-301 exam, Cisco loves to test your ability to distinguish between similar-sounding security features. Port Security, DHCP Snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) all operate at Layer 2 on access switches, but each targets a different attack. Confusing them is one of the most common exam traps and costs candidates easy points. Mastering the distinctions is not just exam-critical; it is foundational for securing real enterprise access-layer networks. This chapter covers Exam Objective 5.7 (Layer 2 security features: DHCP snooping, dynamic ARP inspection, and port security). IP Source Guard is not named in the blueprint, but it is built on the same DHCP Snooping binding table as DAI and is easy to confuse with it, so it is covered here as well.
Imagine a busy international airport with multiple security layers. Port Security is like a gate agent who only lets passengers with a confirmed ticket and matching ID board a specific flight: the agent checks that the passenger's name (MAC address) is on the manifest, and if an unknown person tries to board, the agent locks the gate (error-disables the port). DHCP Snooping is like the check-in counter that validates baggage tags. When a passenger checks a bag, the counter records the tag number (IP-MAC binding) in a secure database (the DHCP Snooping binding table); if someone at an unofficial counter tries to hand out tags (a DHCP server answering on an untrusted port), those tags are rejected. Dynamic ARP Inspection (DAI) is like the security checkpoint that verifies your boarding pass matches your ID and flight number: it cross-references the passenger's name and flight (the sender MAC and IP in an ARP packet) against the check-in database, and on a mismatch security stops you (the ARP packet is dropped). IP Source Guard is like the final boarding gate, where the scanner only lets you through if the pass matches the flight and seat: it uses the check-in database to permit only packets with your assigned IP (and optionally MAC), blocking an impersonator holding a fake ticket. Each layer protects against a different threat: Port Security stops unauthorized devices and MAC flooding, DHCP Snooping blocks rogue DHCP servers, DAI stops ARP spoofing, and IPSG stops IP spoofing. Together they form defense in depth for the access layer.
What Are These Features and Why Do They Exist?
Cisco's Layer 2 security features protect the access layer from common attacks. On the CCNA 200-301, you must understand the purpose and operation of each. They are often deployed together, but each has a distinct role.
Port Security limits the number of MAC addresses allowed on a switch port and optionally pins down which MAC addresses are allowed. It stops MAC flooding attacks (where an attacker sends frames from thousands of fake source MACs to overflow the CAM table and make the switch flood unicast traffic like a hub) and unauthorized device connections. Default: disabled per port; once enabled, the default maximum is 1 MAC address, regardless of how that address is learned. The upper limit is platform-dependent. Secure MACs are learned three ways: dynamic (lost on reload), static (`switchport port-security mac-address <mac>`), or sticky (learned dynamically, then written into the running configuration as static entries). Violation modes: protect (silently drops frames from unknown MACs; no log, no SNMP trap, violation counter not incremented), restrict (drops, logs, sends an SNMP trap and increments the violation counter; the port stays up), shutdown (default; error-disables the port, logs and sends a trap). An error-disabled port stays down until an administrator issues `shutdown` then `no shutdown`, or until errdisable recovery re-enables it.
DHCP Snooping acts as a firewall between untrusted ports (typically access ports) and trusted ports (typically uplinks toward the DHCP server or other switches). It filters DHCP messages based on message type and port trust state, and builds the DHCP Snooping binding table, which maps client MAC address, IP address, remaining lease, VLAN, and port; DAI and IPSG both rely on this table. Default: disabled globally and on every VLAN; all ports are untrusted until you configure `ip dhcp snooping trust`. Server-side messages (OFFER, ACK, NAK) received on an untrusted port are dropped, which blocks rogue DHCP servers. Client messages on untrusted ports are also checked: if the Ethernet source MAC does not match the DHCP client hardware address (chaddr), the message is dropped (`ip dhcp snooping verify mac-address`, enabled by default). Rate limiting of DHCP packets on untrusted ports is not enabled by default; Cisco recommends configuring `ip dhcp snooping limit rate` at or below 100 pps on untrusted ports, and a port that exceeds its configured limit is error-disabled. Binding table entries are removed when the DHCP lease expires or the client releases it.
Dynamic ARP Inspection (DAI)
DAI validates ARP packets in a VLAN by intercepting every ARP request and reply on untrusted ports. It compares the sender MAC and sender IP in the ARP body against the DHCP Snooping binding table (or against a static ARP ACL); if no match is found, the packet is dropped and logged. Optional extra checks (`ip arp inspection validate src-mac`, `dst-mac`, `ip`) compare the Ethernet source MAC with the ARP sender MAC, the Ethernet destination MAC with the ARP target MAC, and reject invalid or unexpected IP addresses such as 0.0.0.0, 255.255.255.255 and multicast addresses; none of these checks is enabled by default. DAI prevents ARP spoofing (ARP cache poisoning), where an attacker sends forged ARP replies or gratuitous ARPs so that other hosts map the gateway's IP to the attacker's MAC. DAI requires DHCP Snooping on the VLAN (or ARP ACLs for statically addressed hosts). Default: disabled per VLAN; all ports untrusted; untrusted ports are rate-limited to 15 ARP pps (burst interval 1 second), trusted ports are not rate-limited, and a port that exceeds the limit is error-disabled.
IP Source Guard (IPSG)
IPSG filters IP traffic per port by source IP address (and optionally source MAC). It permits only packets whose source IP matches an entry in the DHCP Snooping binding table, or a static entry configured with `ip source binding`, for that port and VLAN; everything else is dropped by a port ACL the switch installs automatically. This stops IP spoofing, where a host changes its source IP to impersonate another device or evade an access list. Default: disabled per interface. `ip verify source` filters on source IP only; `ip verify source port-security` adds source MAC filtering and requires Port Security on the same interface (some newer Catalyst platforms use `ip verify source mac-check` for the same purpose). IPSG does not inspect ARP; that is DAI's job. On a port with IPSG enabled but no binding, all IP traffic is dropped except DHCP, so a client can still obtain a lease and thereby create its binding.
How They Interact
DHCP Snooping provides the binding table that DAI and IPSG use.
Port Security is independent but often used alongside to restrict MAC addresses.
DAI validates ARP; IPSG validates IP packets (excluding ARP).
All four can be enabled simultaneously for defense in depth.
Key IOS CLI Verification Commands
show port-security
show port-security interface GigabitEthernet0/1
show ip dhcp snooping binding
show ip dhcp snooping statistics
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
show ip source guard
show ip verify source interface GigabitEthernet0/1

Example output for `show ip dhcp snooping binding` (MAC, IP, remaining lease in seconds, entry type, VLAN, port):

```
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.1.10     86300       dhcp-snooping  10    GigabitEthernet0/1
```

Example output for `show ip arp inspection interfaces` (trusted ports have no rate limit, so the Rate column shows None):

```
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi0/1            Untrusted               15                 1
 Gi0/24           Trusted               None               N/A
```

Defaults Summary
| Feature | Default State | Key Default Values |
|---------|---------------|--------------------|
| Port Security | Disabled per port | Max MACs: 1; violation mode: shutdown |
| DHCP Snooping | Disabled globally and on all VLANs; all ports untrusted | No DHCP rate limit (Cisco recommends 100 pps or less on untrusted ports); option 82 insertion: enabled; MAC/chaddr verification: enabled |
| DAI | Disabled per VLAN; all ports untrusted | Rate limit: 15 pps, burst interval 1 s on untrusted ports, none on trusted; src-mac, dst-mac and ip validation: disabled |
| IPSG | Disabled per interface | Filters source IP only (`ip verify source`); source MAC filtering optional and requires Port Security |
Enable DHCP Snooping
DHCP Snooping must be enabled first because DAI and IPSG rely on its binding table. Enable it globally with `ip dhcp snooping`, then on the VLANs you want to protect with `ip dhcp snooping vlan <vlan-id>` (a range such as `10-20` or a list such as `10,20` is accepted). Mark uplinks toward the DHCP server or other switches as trusted with `ip dhcp snooping trust` on the interface; every other port stays untrusted by default. Two caveats: the moment snooping becomes active on a VLAN, server messages arriving on a still-untrusted uplink are dropped, so configure the trust on the uplink before (or in the same session as) the VLAN command; and the switch inserts DHCP option 82 into client messages by default (`ip dhcp snooping information option`), which a DHCP relay or server that does not expect it may discard, so on an access switch that is not itself relaying use `no ip dhcp snooping information option` or make the relay trust it. Verify with `show ip dhcp snooping`.
Enable Dynamic ARP Inspection
On the same VLANs, enable DAI with `ip arp inspection vlan <vlan-id>` in global configuration. DAI then checks the ARP sender MAC and IP against the binding table; the additional header checks are off by default and are turned on with `ip arp inspection validate src-mac dst-mac ip` (one global command; entering `ip arp inspection validate` again with fewer keywords replaces the earlier setting rather than adding to it). Untrusted ports are rate-limited to 15 pps by default; adjust with `ip arp inspection limit rate <pps> [burst interval <seconds>]` on the interface. Configure `ip arp inspection trust` on the same uplinks you trusted for DHCP Snooping; otherwise ARP from hosts behind the neighbouring switch has no binding on this switch, fails validation, and is dropped.
Enable IP Source Guard
On each access interface, enable IPSG with `ip verify source` (source IP filtering only) or `ip verify source port-security` (source IP and MAC filtering, which requires `switchport port-security` on the same interface; some newer Catalyst platforms use `ip verify source mac-check`). The switch installs a port ACL that permits only the bound addresses plus DHCP, so a port with no binding forwards nothing but DHCP until its client obtains a lease. Verify with `show ip verify source interface <int>`.
Configure Port Security
On access ports, put the interface into static access mode first (`switchport mode access`; port security is rejected on a port still in DTP dynamic mode), then enable it with `switchport port-security`. Set the maximum with `switchport port-security maximum <number>` (default 1). Use `switchport port-security mac-address sticky` to learn MACs dynamically and write them into the running configuration as static entries (save the configuration or they are lost on reload), or `switchport port-security mac-address <mac>` for a fixed address. Configure the violation mode with `switchport port-security violation {protect | restrict | shutdown}`; shutdown is the default and error-disables the port.
Verify and Troubleshoot
Check for error-disabled ports with `show interfaces status err-disabled`, which also lists the cause (for example `psecure-violation`, `arp-inspection` or `dhcp-rate-limit`). Clear the state with `shutdown` followed by `no shutdown` on the interface, or let the switch recover automatically with `errdisable recovery cause <cause>` and `errdisable recovery interval <seconds>` (recovery only helps if the offending device is gone; otherwise the port is disabled again on the next violation). Use `show ip dhcp snooping binding` to confirm bindings exist for the affected ports, `show ip arp inspection statistics vlan <vlan>` to count dropped ARP packets and the reason, and `show ip verify source` to see each port's filter and whether it reads `deny-all` because no binding exists.
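The four configuration steps above combined into one working access-switch configuration, as an added example that is not from the original page. It assumes VLAN 10 as the client VLAN, GigabitEthernet0/24 as the uplink toward the DHCP server, GigabitEthernet0/1 as a client access port, and an access switch that does not relay DHCP itself (so option 82 insertion is turned off); the show-command expectations in the trailing comments describe this assumed setup.

```ios
! === Global: DHCP Snooping first, because DAI and IPSG depend on its binding table ===
ip dhcp snooping
ip dhcp snooping vlan 10
! Assumed: no relay on this switch trusts option 82, so stop inserting it (inserted by default)
no ip dhcp snooping information option
!
! === Global: DAI on the same VLAN, plus the optional header checks (all off by default) ===
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! === Uplink toward the DHCP server: trusted for BOTH features. If either line is missing,
!     OFFER/ACK from the server or ARP from hosts behind the neighbour switch is dropped ===
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! === Client access port: stays untrusted (the default) for both features ===
interface GigabitEthernet0/1
 description Client PC
 switchport mode access
 switchport access vlan 10
 ! Port Security: requires static access mode; 1 MAC, sticky, shutdown (default) on violation
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! DHCP rate limit has no default; Cisco recommends 100 pps or less on untrusted ports
 ip dhcp snooping limit rate 100
 ! DAI rate limit: 15 pps is the default, written out so the intent is visible in the config
 ip arp inspection limit rate 15
 ! IPSG with IP+MAC filtering; needs port security on this interface (configured above)
 ip verify source port-security
!
! === Verification, in the order you would troubleshoot ===
! show ip dhcp snooping                    -> VLAN 10 enabled, Gi0/24 trusted, option 82 disabled
! show ip dhcp snooping binding            -> one dhcp-snooping entry per client holding a lease
! show ip arp inspection vlan 10           -> Configuration Enabled, Operation Active
! show ip arp inspection interfaces        -> Gi0/24 Trusted / None, Gi0/1 Untrusted / 15 / 1
! show ip verify source interface Gi0/1    -> Filter-type ip-mac, active, bound IP and MAC
!                                             (IP-address column reads deny-all until a lease exists)
! show port-security interface Gi0/1       -> Port Status Secure-up, 1 sticky MAC, violation count 0
! show interfaces status err-disabled      -> should list nothing
```

Order matters in the first two sections: trusting the uplink before enabling snooping on the VLAN avoids a window in which the server's replies are dropped, and IPSG goes on last because the port ACL it installs permits nothing but DHCP until a binding exists.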
In a typical enterprise campus network, these features are deployed on access switches to protect against internal threats. For example, a university might enable DHCP Snooping on all student dormitory VLANs to prevent rogue DHCP servers that could redirect traffic to a malicious gateway. DAI is enabled on the same VLANs to block ARP spoofing attacks where a student tries to impersonate another device to intercept traffic. IP Source Guard is enabled on all wired ports to prevent IP spoofing, ensuring that a student cannot change their IP address to bypass network policies or impersonate a printer. Port Security is used on ports in public areas to limit the number of devices per port, preventing a student from connecting a switch and allowing multiple devices.
A common misconfiguration is forgetting to configure trusted ports. If the uplink toward the DHCP server is not trusted, DHCP Snooping drops the server's OFFER and ACK messages and DHCP breaks for every client on the VLAN (clients time out and Windows hosts fall back to a 169.254.x.x address). Similarly, if a trunk to another switch is not trusted for DAI, ARP from legitimate hosts behind that switch has no binding on this switch and is dropped. A related trap is leaving option 82 insertion enabled on an access switch whose DHCP relay or server discards packets carrying it, which also breaks DHCP while the trust configuration looks correct. Another real-world scenario: an attacker connects a rogue switch or hub to an access port; Port Security with a low maximum MAC count shuts the port down as soon as a second source MAC appears.
Performance considerations: rate limiting is crucial. Without it, an attacker could flood ARP or DHCP packets and drive up switch CPU, because DAI and DHCP Snooping punt those packets to the CPU for inspection. The DAI default of 15 pps per untrusted port is conservative; a port behind which a hub, a small unmanaged switch, or a chatty device sits may exceed it and get error-disabled, so raise it where needed. DHCP Snooping has no rate limit unless you configure one; Cisco recommends 100 pps or less on untrusted ports, and the right value depends on how many clients share the port. Misconfigured thresholds lead to legitimate traffic being dropped and user complaints. Verify with show commands and tune to observed traffic patterns.
The CCNA 200-301 exam tests your ability to differentiate these features and understand their dependencies. Objective 5.7 covers DHCP Snooping, DAI, and Port Security; IP Source Guard appears here because it consumes the same binding table as DAI. The most common exam trap is a scenario asking which feature prevents a specific attack, with several correct-sounding options.
Common wrong answers and why:
1. Wrong: 'Port Security prevents ARP spoofing.' Why: Port Security only controls which and how many MAC addresses may send on a port; it never inspects ARP messages. DAI is the correct feature for ARP spoofing.
2. Wrong: 'DHCP Snooping prevents IP spoofing.' Why: DHCP Snooping only filters DHCP messages; IP Source Guard filters all IP packets by source address and is the feature for IP spoofing.
3. Wrong: 'DAI uses the MAC address table.' Why: DAI uses the DHCP Snooping binding table (or an ARP ACL), not the MAC address table.
4. Wrong: 'IP Source Guard requires Port Security.' Why: `ip verify source` works without Port Security (source IP filtering only); only the `port-security` keyword, which adds source MAC filtering, requires it.
Specific values and commands to memorize:
- Default port security maximum: 1
- Default violation mode: shutdown
- Default DAI rate limit: 15 pps
- Default DHCP Snooping rate limit: none (configured per port with `ip dhcp snooping limit rate`; Cisco recommends 100 pps or less on untrusted ports)
- Command to enable DAI: ip arp inspection vlan <vlan>
- Command to enable IPSG: ip verify source
- Command to view DHCP Snooping bindings: show ip dhcp snooping binding
Decision rule for scenario questions:
- If the attack involves forged ARP messages (gratuitous ARP, spoofed ARP reply), the answer is DAI.
- If the attack involves a rogue DHCP server, the answer is DHCP Snooping.
- If the attack involves IP spoofing (changing the source IP), the answer is IP Source Guard.
- If the attack involves MAC flooding or an unauthorized device, the answer is Port Security.
- If the question mentions the 'binding table', it is DHCP Snooping (which builds it), DAI, or IPSG (which consume it); Port Security does not use a binding table.
Calculation traps: None directly, but be aware that the binding table is populated by DHCP Snooping; static entries can be added with ip source binding.
Port Security controls MAC addresses per port; violation modes: protect, restrict, shutdown (default).
DHCP Snooping filters DHCP messages; builds binding table used by DAI and IPSG.
DAI validates ARP packets using DHCP Snooping binding table; default rate limit 15 pps.
IP Source Guard filters IP packets based on source IP; uses DHCP Snooping binding table.
DHCP Snooping must be enabled before DAI or IPSG can function.
Trusted ports must be configured for DHCP Snooping and DAI to avoid dropping legitimate traffic.
Show commands: show port-security, show ip dhcp snooping binding, show ip arp inspection interfaces, show ip verify source.
These come up on the exam all the time. Here's how to tell them apart.
Port Security
Controls MAC addresses per port
Prevents MAC flooding and unauthorized devices
Uses sticky or static MAC learning
Violation action: protect, restrict, shutdown
Does not use DHCP Snooping binding table
IP Source Guard
Controls source IP addresses per port
Prevents IP spoofing
Uses DHCP Snooping binding table or static bindings
Drops packets with unknown source IP
Requires DHCP Snooping for dynamic entries
Mistake
Port Security can prevent ARP spoofing attacks.
Correct
Port Security only restricts MAC addresses per port. ARP spoofing is prevented by Dynamic ARP Inspection (DAI).
Candidates confuse MAC address control with ARP message validation.
Mistake
DHCP Snooping prevents IP spoofing by blocking packets with fake source IPs.
Correct
DHCP Snooping only filters DHCP messages (discover, offer, request, ack). IP Source Guard prevents IP spoofing by filtering all IP packets based on source IP.
Both features involve IP addresses, but DHCP Snooping only inspects DHCP traffic.
Mistake
DAI uses the MAC address table to validate ARP packets.
Correct
DAI uses the DHCP Snooping binding table (or static ARP ACLs) to validate the sender MAC and IP in ARP packets.
The MAC address table is for Layer 2 forwarding, not security validation.
Mistake
IP Source Guard requires Port Security to be enabled.
Correct
IP Source Guard can operate independently with just source IP filtering. The 'port-security' option adds MAC filtering but is not mandatory.
The command `ip verify source port-security` includes port security, but `ip verify source` alone does not.
Yes, DAI relies on the DHCP Snooping binding table to validate ARP packets. Without DHCP Snooping, you must configure static ARP ACLs, which is impractical in large networks. On the exam, remember that DAI requires DHCP Snooping or ARP ACLs.
Protect drops packets from unknown MACs without notification; Restrict drops and sends an SNMP trap; Shutdown error-disables the port (default). On the exam, know that shutdown is the default and most secure, but requires manual or automatic recovery.
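An added example (not from the original page) that puts the three violation modes side by side: three access ports with the same one-MAC limit but a different reaction to a second source MAC, automatic recovery for the shutdown-mode port, and the constructed `show` output you would see after a violation on it. The port numbers, VLAN 10 and the MAC addresses in the output are assumptions.

```ios
! Three ports, same limit (1 sticky MAC), three different reactions to a second MAC
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation protect
 ! protect: frames from the second MAC are silently dropped; no syslog, no SNMP trap,
 ! Security Violation Count stays 0, so nothing tells you it happened
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! restrict: same drop, but syslog + SNMP trap and the violation counter increments;
 ! the port stays up, so the legitimate host keeps working
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! shutdown (the default): port goes err-disabled, so the legitimate host loses connectivity too
!
! Auto-recover shutdown-mode violations after 5 minutes instead of waiting for an admin.
! If the offending device is still attached, the port is disabled again on its next frame.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Constructed output after a second MAC (assumed 0011.2233.aaaa) is seen on Gi0/3:
!   show port-security interface GigabitEthernet0/3
!     Port Security              : Enabled
!     Port Status                : Secure-shutdown
!     Violation Mode             : Shutdown
!     Aging Time                 : 0 mins
!     Aging Type                 : Absolute
!     SecureStatic Address Aging : Disabled
!     Maximum MAC Addresses      : 1
!     Total MAC Addresses        : 1
!     Configured MAC Addresses   : 0
!     Sticky MAC Addresses       : 1
!     Last Source Address:Vlan   : 0011.2233.aaaa:10
!     Security Violation Count   : 1
!   show interfaces status err-disabled
!     Port      Name               Status       Reason               Err-disabled Vlans
!     Gi0/3                        err-disabled psecure-violation
! Manual recovery: "shutdown" then "no shutdown" on Gi0/3 after the extra device is unplugged.
! After recovery the sticky MAC is still in the running config, so the original host needs no relearning.
```

Restrict is usually the better operational choice on user ports where you want an alert without an outage; shutdown is the exam default and the right answer when the question asks for the most secure mode.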
Yes, but only if you configure static IP source bindings using `ip source binding <mac> vlan <vlan> <ip> interface <int>`. Without DHCP Snooping or static bindings, IPSG has no entries to permit traffic and will drop all IP packets.
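A worked example of the static path described in the two answers above (DAI through an ARP ACL, IPSG through `ip source binding`) for a host that never sends DHCP; added here, not taken from the original page. It assumes a printer with static address 192.168.1.50 and MAC 0011.2233.4455 on GigabitEthernet0/5 in VLAN 10, with DHCP Snooping and DAI already enabled on VLAN 10; the ACL name and the show output at the end are constructed for this assumed setup.

```ios
! The printer uses a static IP, so DHCP Snooping never learns a binding for it.
! Without the entries below, DAI drops the printer's ARP replies and IPSG drops all its IP traffic.
!
! --- DAI: permit the printer's IP/MAC pair through an ARP ACL (name is an assumption) ---
arp access-list STATIC-HOSTS
 permit ip host 192.168.1.50 mac host 0011.2233.4455
! Without the "static" keyword, ARP packets the ACL does not match are still checked against
! the DHCP Snooping binding table, so DHCP clients keep working. With "static", the ACL is the
! only source of truth and its implicit deny drops every DHCP client's ARP: do not add it here.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- IPSG: add a static binding so the port ACL permits the printer ---
! Syntax: ip source binding <mac> vlan <vlan> <ip> interface <port>
ip source binding 0011.2233.4455 vlan 10 192.168.1.50 interface GigabitEthernet0/5
!
interface GigabitEthernet0/5
 description Printer (static IP)
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Verification (constructed output for the assumed printer):
!   show ip source binding
!     MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
!     ------------------  ---------------  ----------  -------------  ----  --------------------
!     00:11:22:33:44:55   192.168.1.50     infinite    static         10    GigabitEthernet0/5
!   show ip verify source
!     Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
!     ---------  -----------  -----------  ---------------  -----------------  ----
!     Gi0/5      ip           active       192.168.1.50                        10
!   A port with IPSG enabled and no binding shows "deny-all" in the IP-address column instead.
!   show ip arp inspection vlan 10
!     Vlan     Configuration    Operation   ACL Match          Static ACL
!     ----     -------------    ---------   ---------          ----------
!       10     Enabled          Active      STATIC-HOSTS       No
```

The quick fix people reach for instead, marking the printer's port trusted for DAI, also works but removes all ARP inspection on that port; the static binding and ARP ACL keep the checks in place and only whitelist the one address pair.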
The default is 15 ARP packets per second. If exceeded, the port is error-disabled. You can change it with `ip arp inspection limit rate <rate>`. Exam tip: remember this number.
By default every port is untrusted; you mark uplinks toward the DHCP server (and trunks to other switches) as trusted with `ip dhcp snooping trust`. Any DHCP server message (OFFER, ACK, NAK) received on an untrusted port is dropped, so an attacker on an access port cannot hand out fake addresses or a malicious default gateway and DNS server.
Sticky learning dynamically learns MAC addresses on a port and writes them into the running configuration as `switchport port-security mac-address sticky <mac>` entries. They survive a reload only if you save the running configuration to startup-config; plain dynamic secure MACs are lost on reload. Exam tip: sticky is a learning method, not a violation mode.
Yes, they complement each other. DAI validates ARP, IPSG validates IP packets. Both use the DHCP Snooping binding table. They are often enabled together on access ports for comprehensive protection.