CCNA Lab 12: DHCP Snooping, DAI, and IP Source Guard
DHCP Snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) are complementary Layer 2 security features that protect against spoofing and man-in-the-middle attacks. They build on each other — DHCP Snooping is the foundation.
```
DHCP Snooping builds a binding database of (MAC, IP, VLAN, Port)
├─ DAI uses the database to validate ARP packets
└─ IPSG uses the database to filter IP traffic on access ports
```
Enable them in this order: DHCP Snooping → DAI → IPSG.
DHCP Snooping filters DHCP messages by treating some ports as trusted (where legitimate DHCP servers connect) and others as untrusted (where clients connect).
```
! Enable DHCP snooping globally
ip dhcp snooping
! Enable for specific VLANs
ip dhcp snooping vlan 10,20,30
! Trust the port where the DHCP server is connected
interface Gi0/24
 ip dhcp snooping trust
! All other ports are untrusted by default
! Optionally set rate limit on untrusted ports
interface range Gi0/1-22
 ip dhcp snooping limit rate 10
```

Verify the bindings:

```
show ip dhcp snooping binding
MacAddress        IpAddress       Lease  Type        VLAN  Interface
----------------  --------------  -----  ----------  ----  ------------------
0050.7966.6801    192.168.10.10   86400  dhcp-snoop  10    GigabitEthernet0/1
0050.7966.6802    192.168.10.11   86400  dhcp-snoop  10    GigabitEthernet0/2
0050.7966.6803    192.168.20.10   86400  dhcp-snoop  20    GigabitEthernet0/3
```

Each entry maps a MAC address to an IP, VLAN, and port. When a host moves to a different port, the old entry is cleared.
Other useful checks:

```
show ip dhcp snooping statistics
show ip dhcp snooping
```

| Attack | How DHCP Snooping Stops It |
|---|---|
| Rogue DHCP server on access port | Untrusted port drops all DHCP server messages (OFFER, ACK) |
| DHCP starvation flood | Rate limiting drops excessive DHCP requests |
| DHCP release DoS | Drops DHCPRELEASE from untrusted ports not matching the binding |
DAI intercepts ARP packets on untrusted ports and validates them against the DHCP Snooping binding database. Invalid ARP packets are dropped.
```
! Enable DAI for specific VLANs
ip arp inspection vlan 10,20,30
! Trust the port connecting to the router/switch (upstream)
interface Gi0/24
 ip arp inspection trust
 exit
! All other ports are untrusted by default
! Validate MAC address consistency
ip arp inspection validate src-mac dst-mac ip
```

The three validation options check different fields of the ARP packet:

```
ip arp inspection validate src-mac   ! Check Ethernet source MAC matches the ARP body sender MAC
ip arp inspection validate dst-mac   ! Check Ethernet destination MAC matches the ARP body target MAC (replies)
ip arp inspection validate ip        ! Check IP addresses in the ARP body are valid
```

Enable all three for maximum protection. Note that each `ip arp inspection validate` command replaces the previous one, so list every option on a single line rather than entering them separately:

```
ip arp inspection validate src-mac dst-mac ip
```

Verify:

```
show ip arp inspection
show ip arp inspection interfaces
show ip arp inspection statistics
show ip arp inspection vlan 10
```

```
show ip arp inspection statistics vlan 10
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    15234      23       23          0

ACL Stats for VLAN 10:
Interface  ACL  Forwarded  Dropped
---------  ---  ---------  -------
Gi0/1      -    4500       0
Gi0/2      -    3200       0
```
Any dropped ARP packets should be investigated.
| Attack | How DAI Stops It |
|---|---|
| ARP spoofing (man-in-the-middle) | ARP replies not matching DHCP binding are dropped |
| Gateway impersonation | Fake ARP for default gateway IP is dropped on untrusted ports |
| ARP cache poisoning | Invalid MAC-IP bindings never reach clients |
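The DAI decision path described above, modelled as an added example (not code from the lab): it applies the three `validate` options and then the binding lookup to a single ARP frame on an untrusted port. The binding table is constructed to mirror the `show ip dhcp snooping binding` output earlier in the lab, and the frame fields and function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed binding table, keyed the way DAI looks bindings up: (VLAN, MAC) -> IP.
# Values mirror the "show ip dhcp snooping binding" output in the lab.
BINDINGS = {
    (10, "0050.7966.6801"): "192.168.10.10",
    (10, "0050.7966.6802"): "192.168.10.11",
    (20, "0050.7966.6803"): "192.168.20.10",
}

@dataclass
class ArpFrame:
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address

def ip_invalid(ip: str) -> bool:
    """The 'ip' validate option: 0.0.0.0, 255.255.255.255 and multicast are unexpected."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast

def dai_verdict(f: ArpFrame, trusted=False, validate=("src-mac", "dst-mac", "ip")):
    """Return ("forward", why) or ("drop", why) for one ARP frame on one port."""
    if trusted:
        return "forward", "trusted port: ARP not inspected"
    if "src-mac" in validate and f.eth_src != f.sender_mac:
        return "drop", "src-mac: Ethernet source MAC != ARP sender MAC"
    if "dst-mac" in validate and f.op == "reply" and f.eth_dst != f.target_mac:
        return "drop", "dst-mac: Ethernet destination MAC != ARP target MAC"
    if "ip" in validate and (ip_invalid(f.sender_ip) or (f.op == "reply" and ip_invalid(f.target_ip))):
        return "drop", "ip: invalid/unexpected IP address in ARP body"
    # Core DAI check: the sender MAC/IP pair must match a DHCP snooping binding in this VLAN.
    if BINDINGS.get((f.vlan, f.sender_mac)) != f.sender_ip:
        return "drop", "DHCP drop: sender MAC/IP pair not in binding table"
    return "forward", "sender MAC/IP matches binding"

if __name__ == "__main__":
    # A reply claiming the gateway IP from the MAC bound to 192.168.10.11 is counted as a DHCP drop.
    probe = ArpFrame(10, "0050.7966.6802", "0050.7966.6801", "reply",
                     "0050.7966.6802", "192.168.10.1", "0050.7966.6801", "192.168.10.10")
    print(dai_verdict(probe))
```

The drop reasons map onto the two counters in the statistics output: binding mismatches are DHCP drops, while trusted ports bypass inspection entirely.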
IPSG filters IP traffic on a per-port basis, allowing only traffic from the IP/MAC learned by DHCP Snooping.
```
! Enable IPSG on access ports
interface range Gi0/1-22
 ip verify source
! or, to also check the source MAC:
 ip verify source port-security
```

The `ip verify source` command filters based on the source IP matching the DHCP snooping binding. Adding `port-security` also validates the source MAC (port security must be enabled on the interface for the MAC check to take effect).
For devices with static IPs, create manual bindings (a global configuration command):

```
ip source binding 0050.7966.6899 vlan 10 192.168.10.99 interface Gi0/5
```

Then enable IPSG on that port as usual:

```
interface Gi0/5
 ip verify source
```

Verify:

```
show ip verify source
show ip source binding
show ip verify source interface Gi0/1
```

Output:

```
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/1      ip-mac       active       192.168.10.10    0050.7966.6801     10
Gi0/2      ip-mac       active       192.168.10.11    0050.7966.6802     10
Gi0/3      ip-mac       active       192.168.20.10    0050.7966.6803     20
```
| Attack | How IPSG Stops It |
|---|---|
| IP spoofing | Drops packets with source IP not matching binding |
| MAC spoofing | Drops packets with source MAC not matching binding |
| Host impersonation | Device cannot use another device's IP/MAC |
| Unauthorized device | Device without a DHCP lease cannot send traffic |
Follow this sequence to avoid disruption:

```
! Step 1: Enable DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface Gi0/24
 ip dhcp snooping trust
 exit
! Step 2: Verify DHCP bindings are populated
show ip dhcp snooping binding
! Step 3: Enable DAI
ip arp inspection vlan 10,20,30
interface Gi0/24
 ip arp inspection trust
 exit
ip arp inspection validate src-mac dst-mac ip
! Step 4: Enable IPSG
interface range Gi0/1-22
 ip verify source
```

Deploy on one VLAN at a time and verify that legitimate traffic is not dropped.
Troubleshooting starts with the drop counters.

DHCP packets being dropped:

```
show ip dhcp snooping statistics
# DHCP packets dropped: 523
show ip dhcp snooping | include Gi0/2
# Gi0/2 is untrusted
```

The port connecting to the DHCP server (or the upstream switch that relays DHCP) must be trusted. If the DHCP server is on a different switch, trust the uplink port.

DAI dropping ARP from legitimate hosts:

```
show ip arp inspection statistics vlan 10 | include Dropped
# Dropped: 45
show ip arp inspection vlan 10
# ACL drops: 0, DHCP drops: 45
```

The DHCP binding is missing for those devices. Check whether they use static IPs and add manual bindings.

IPSG blocking a single port:

```
show ip verify source interface Gi0/5
# Interface  Filter-type  Filter-mode  IP-address  Mac-address  Vlan
# Gi0/5      ip-mac       active       none        none         10
```

No binding exists for that port. The device may have a static IP or the DHCP lease expired.
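As an added example (not part of the lab), a script that joins the two show outputs the lab uses to find exactly this condition: IPSG active on a port with no binding behind it. The show output is constructed in the lab's column layout, and the `GigabitEthernet0/1` to `Gi0/1` shortening is an assumption about how the two tables name ports.

```python
import re

# Constructed sample output in the same column layout as the lab's show commands.
SNOOPING_BINDING = """\
MacAddress         IpAddress        Lease   Type        VLAN  Interface
-----------------  ---------------  ------  ----------  ----  ------------------
0050.7966.6801     192.168.10.10    86400   dhcp-snoop  10    GigabitEthernet0/1
0050.7966.6802     192.168.10.11    86400   dhcp-snoop  10    GigabitEthernet0/2
"""
VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/1      ip-mac       active       192.168.10.10    0050.7966.6801     10
Gi0/2      ip-mac       active       192.168.10.11    0050.7966.6802     10
Gi0/5      ip-mac       active       none             none               10
"""

def _rows(text):
    """Yield whitespace-split data rows, skipping the header and the dashed separator."""
    for line in text.splitlines()[2:]:
        if line.strip():
            yield line.split()

def short_ifname(name):
    """GigabitEthernet0/1 -> Gi0/1 (assumed abbreviation) so the two tables join on port."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

def parse_bindings(text):
    """show ip dhcp snooping binding -> {short interface: (mac, ip, vlan)}."""
    return {short_ifname(r[5]): (r[0], r[1], int(r[4])) for r in _rows(text)}

def parse_ipsg(text):
    """show ip verify source -> {interface: (ip, mac, vlan)}."""
    return {r[0]: (r[3], r[4], int(r[5])) for r in _rows(text)}

def ports_without_binding(binding_text, ipsg_text):
    """IPSG-active ports with no DHCP snooping binding behind them.
    Every packet from such a port is dropped until a lease or a manual binding exists.
    Returns [(interface, vlan, template for the fix)]."""
    bindings = parse_bindings(binding_text)
    found = []
    for intf, (ip, _mac, vlan) in parse_ipsg(ipsg_text).items():
        if ip == "none" and intf not in bindings:
            found.append((intf, vlan, f"ip source binding <MAC> vlan {vlan} <IP> interface {intf}"))
    return found

if __name__ == "__main__":
    for intf, vlan, fix in ports_without_binding(SNOOPING_BINDING, VERIFY_SOURCE):
        print(f"{intf}: IPSG active but no binding in VLAN {vlan}; static host? {fix}")
```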
The binding database is stored in memory by default. On reload, it is lost and must be rebuilt as devices renew DHCP leases.
```
! Persistent storage for DHCP bindings (requires USB flash)
ip dhcp snooping database flash:/dhcp-snooping-db
write memory
```

Recovery on reload is automatic from the flash file.
| Port Type | DHCP Rate | ARP Rate |
|---|---|---|
| Access (user) | 10 pps | 15 pps |
| Access (VoIP) | 20 pps | 30 pps |
| Trunk (to switch) | unlimited (trusted) | unlimited (trusted) |
| Trunk (to router) | unlimited (trusted) | unlimited (trusted) |
```
interface Gi0/1
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
```

| Command | Purpose |
|---|---|
| `ip dhcp snooping` | Enable DHCP snooping globally |
| `ip dhcp snooping vlan 10` | Enable for specific VLANs |
| `ip dhcp snooping trust` | Mark port as trusted for DHCP |
| `ip dhcp snooping limit rate 10` | Rate limit DHCP on untrusted ports |
| `ip arp inspection vlan 10` | Enable DAI on VLAN |
| `ip arp inspection trust` | Mark port as trusted for ARP |
| `ip arp inspection validate src-mac dst-mac ip` | Validate MAC/IP consistency |
| `ip verify source` | Enable IPSG on interface |
| `ip verify source port-security` | Enable IPSG with MAC validation |
| `show ip dhcp snooping binding` | View DHCP binding table |
| `show ip dhcp snooping statistics` | DHCP snooping drop counters |
| `show ip arp inspection statistics` | DAI drop counters |
| `show ip verify source` | IPSG bindings per interface |
| `ip source binding` | Manual binding for static IP hosts |