Layer 2 Security Explained — DHCP Snooping, Dynamic ARP Inspection & IP Source Guard (CCNA/CCNP)
Free tutorial on Cisco access-layer security for US networking learners. How DHCP snooping, Dynamic ARP Inspection (DAI), IP Source Guard, port security and 802.1x stack together to lock down the switch port — with the config and show commands.
Every routing protocol, every ACL, every firewall rule assumes one thing: that the device plugged into the switch port is who it claims to be. The access layer — the edge port under someone’s desk — is where that assumption gets attacked. Layer 2 has almost no built-in trust, so Cisco bolts on a stack of features to add it.
The trick is that these features are not independent. DHCP snooping is the foundation the other two stand on. Learn them in the right order and the whole stack clicks; learn them at random and they feel like five disconnected commands. This is the order.
The one-line idea
Layer 2 was designed to be plug-and-play, which means it trusts everything. Access-layer security is a set of features that replace “trust everything” with “trust only what we can prove.”
A switch frame carries a source MAC and (inside it) a source IP, but nothing forces those to be real. An attacker on an access port can:
- claim to be the default gateway (ARP spoofing → man-in-the-middle),
- hand out rogue DHCP leases,
- spoof a source IP to impersonate another host,
- flood the MAC table to turn the switch into a hub.
Each feature below shuts one of those doors.
The stack, bottom to top
| Feature | Attack it stops | What it inspects | Exam level |
|---|---|---|---|
| Port security | MAC flooding / unknown devices | Source MAC count per port | CCNA |
| DHCP snooping | Rogue DHCP servers | DHCP messages on untrusted ports | CCNA |
| Dynamic ARP Inspection | ARP spoofing / MITM | ARP replies vs the snooping table | CCNA |
| IP Source Guard | IP / MAC spoofing | Source IP+MAC vs the snooping table | CCNA/CCNP |
| 802.1X | Unauthorized users | Identity, before the port opens | CCNA/CCNP |
Notice the middle three share one engine: the DHCP snooping binding table. Build that table once and DAI and IP Source Guard get their truth for free.
1. DHCP snooping — the foundation
DHCP snooping splits every switch port into trusted or untrusted. Only trusted ports (the ones facing your real DHCP server / uplinks) may send DHCP server messages (OFFER, ACK). An untrusted access port that tries to answer DHCP gets its frames dropped — that kills the rogue-DHCP attack.
The side effect is the valuable part. As legitimate clients lease addresses, the switch records each one in the binding table:
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
00:11:22:33:44:55   10.0.0.20    86400       dhcp-snooping  10    Gi0/3
That single line — “MAC …44:55 legitimately owns IP 10.0.0.20 on port Gi0/3” — is the source of truth DAI and IP Source Guard both consult.
SW(config)# ip dhcp snooping
SW(config)# ip dhcp snooping vlan 10
SW(config)# interface Gi0/1 ! uplink toward the real DHCP server
SW(config-if)# ip dhcp snooping trust
! all other access ports stay untrusted by default
SW(config-if)# ip dhcp snooping limit rate 10 ! optional: cap DHCP pkts/sec
Verify:
SW# show ip dhcp snooping
SW# show ip dhcp snooping binding ! the table everything else depends on
The #1 mistake: forgetting to trust the uplink. If the port toward your real DHCP server is left untrusted, the switch drops the server’s OFFER and legitimate clients stop getting addresses. (See the full walkthrough in DHCP snooping, and how the lease process works in DHCP.)
2. Dynamic ARP Inspection (DAI) — stop the man in the middle
ARP has no authentication. Any host can broadcast “I am 10.0.0.1” (the gateway), poison everyone’s ARP cache, and quietly relay traffic — a classic man-in-the-middle. DAI intercepts ARP replies on untrusted ports and checks each one against the snooping binding table. If the MAC↔IP pair doesn’t match a real lease, the ARP is dropped.
SW(config)# ip arp inspection vlan 10
SW(config)# interface Gi0/1
SW(config-if)# ip arp inspection trust ! uplinks/trunks: trusted
Trusted ports skip inspection (your uplinks and inter-switch links). Untrusted access ports get every ARP reply validated.
SW# show ip arp inspection
SW# show ip arp inspection statistics ! watch the Dropped counter
Two CCNA gotchas:
- Trust your DAI ports the same way you trust your snooping ports. A trunk that’s snooping-trusted but DAI-untrusted will start dropping legitimate ARPs.
- Static-IP hosts have no DHCP lease, so they’re not in the binding table and DAI will drop their ARP. Cover them with an ARP ACL (ip arp inspection filter).
Full detail and a fix-it lab: Dynamic ARP Inspection. The underlying protocol it abuses is in ARP.
3. IP Source Guard (IPSG) — stop IP spoofing
DAI validates ARP; IP Source Guard validates the data frames themselves. Once enabled on a port, IPSG installs a per-port filter that only permits traffic whose source IP (and optionally source MAC) matches the snooping binding for that port. Spoof a different source IP and the frame is dropped at ingress.
SW(config)# interface Gi0/3
SW(config-if)# ip verify source ! filter by source IP
SW(config-if)# ip verify source port-security ! also filter by source MAC
Verify:
SW# show ip verify source
SW# show ip source binding
This is what the query “what does IP source guard protect against?” is really asking: source-IP spoofing on the access port. It needs port security enabled too if you want the MAC-level check.
Walkthrough: IP Source Guard.
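To see the two lookups concretely, here is an added example (not code from this tutorial or from Cisco) that parses a constructed `show ip dhcp snooping binding` output and then replays the DAI decision from section 2 and the IP Source Guard decision from section 3 against it. The port names, MACs and addresses are made up; the ARP ACL is modelled as a plain set of (MAC, IP) pairs rather than a real IOS ACL.

```python
# Added example, not code from the tutorial or from Cisco: a model of the DAI
# and IP Source Guard decisions described above, run against a parsed
# `show ip dhcp snooping binding` table. All values are constructed.
import re
from dataclasses import dataclass

# Constructed sample of `show ip dhcp snooping binding` output.
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------
00:11:22:33:44:55   10.0.0.20        86400       dhcp-snooping  10    Gi0/3
00:11:22:33:44:66   10.0.0.21        86400       dhcp-snooping  10    Gi0/4
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

BINDING_RE = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)", re.I)

def parse_bindings(text):
    """Turn the show output into Binding records; header/separator lines don't match."""
    out = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            out.append(Binding(m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)))
    return out

def dai_check(bindings, trusted_ports, arp_acl, vlan, port, sender_mac, sender_ip):
    """DAI decision for one ARP reply: 'permit' or 'drop'.
    trusted_ports: interfaces with `ip arp inspection trust` (skipped entirely).
    arp_acl: set of (mac, ip) pairs standing in for an ARP ACL that covers static hosts."""
    if port in trusted_ports:
        return "permit"
    sender_mac = sender_mac.lower()
    if (sender_mac, sender_ip) in arp_acl:
        return "permit"
    for b in bindings:
        if b.vlan == vlan and b.mac == sender_mac and b.ip == sender_ip:
            return "permit"
    return "drop"   # MAC<->IP pair is not a real lease on this VLAN

def ipsg_check(bindings, port, src_ip, src_mac=None):
    """IPSG decision for one data frame entering `port`.
    `ip verify source` checks the source IP; pass src_mac to model
    `ip verify source port-security`, which also checks the source MAC."""
    for b in bindings:
        if b.interface == port and b.ip == src_ip:
            if src_mac is None or b.mac == src_mac.lower():
                return "permit"
    return "drop"   # no binding on this port for that source address

if __name__ == "__main__":
    table = parse_bindings(SHOW_BINDING)
    # A host on Gi0/3 answering ARP for the gateway address it does not own:
    print(dai_check(table, {"Gi0/1"}, set(), 10, "Gi0/3", "00:11:22:33:44:55", "10.0.0.1"))
    # The same host sending a frame with its neighbour's IP as source:
    print(ipsg_check(table, "Gi0/3", "10.0.0.21"))
```

Note that the two checks key on different things: DAI matches the MAC/IP pair within the VLAN (an ARP reply can arrive on any untrusted port), while IPSG matches the source address to the binding on the specific ingress port. That difference is why a static host needs an ARP ACL for DAI and a static IP source binding for IPSG.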
4. Port security — the MAC gatekeeper
Port security is the oldest and simplest: limit how many (and optionally which) source MACs a port will accept, and decide what happens on a violation.
SW(config)# interface Gi0/3
SW(config-if)# switchport mode access ! port-security is rejected on a dynamic (DTP) port
SW(config-if)# switchport port-security
SW(config-if)# switchport port-security maximum 2
SW(config-if)# switchport port-security mac-address sticky
SW(config-if)# switchport port-security violation restrict ! shutdown | restrict | protect
SW# show port-security interface Gi0/3
Know the three violation modes cold — that’s a guaranteed exam point:
| Mode | Drops traffic? | Logs/counter? | Port state |
|---|---|---|---|
| protect | yes | no | stays up |
| restrict | yes | yes | stays up |
| shutdown (default) | yes | yes | err-disabled |
It also feeds the source-MAC check in IP Source Guard, which is why it belongs in the stack. How the switch learns MACs in the first place: MAC address table.
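The violation-mode table is easiest to remember once you have watched the three behaviours diverge on the same input. The following is an added example, not the tutorial's or Cisco's code: a small model of a port-security port that learns secure MACs up to the configured maximum and then reacts to the next new MAC according to the mode. Interface name and MACs are constructed.

```python
# Added example, not the tutorial's or Cisco's code: a model of how a
# port-security port learns MACs and reacts in each violation mode.
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    name: str = "Gi0/3"                # constructed interface name
    maximum: int = 1
    violation: str = "shutdown"        # protect | restrict | shutdown (default)
    sticky: bool = False
    secure_macs: list = field(default_factory=list)
    violation_count: int = 0           # the SecurityViolation counter in `show port-security`
    err_disabled: bool = False

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learned as a secure MAC
            return "forward"
        # Maximum already reached: this frame is a violation; the mode decides what follows.
        if self.violation == "protect":
            return "drop"                      # silently dropped, nothing logged or counted
        self.violation_count += 1              # restrict and shutdown both count and log
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled until recovered
        return "drop"

    def running_config(self):
        """Interface lines as they would appear after sticky learning."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port = PortSecurity(maximum=1, violation=mode)
        port.ingress("00:11:22:33:44:55")            # learned
        port.ingress("de:ad:be:ef:00:01")            # one MAC too many
        print(mode, port.violation_count, port.err_disabled,
              port.ingress("00:11:22:33:44:55"))     # does the known host still pass?
```

The last line of the demo is the exam point in miniature: under protect and restrict the original host keeps forwarding after the violation, under shutdown even the legitimate host is cut off because the whole port is err-disabled.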
5. 802.1X — authenticate the user, not just the address
Everything above trusts the address. 802.1X / dot1x trusts the identity: the port stays closed until the device proves who it is to a RADIUS server. It’s the access-layer front door, and it’s where AAA and Cisco ISE come in.
SW(config)# aaa new-model
SW(config)# aaa authentication dot1x default group radius ! plus a radius server definition
SW(config)# dot1x system-auth-control
SW(config)# interface Gi0/3
SW(config-if)# authentication port-control auto
SW(config-if)# dot1x pae authenticator
The query “authentication port-control auto” is exactly this line — auto means “run 802.1X and open the port only on success” (vs force-authorized = always open, force-unauthorized = always shut).
How they fit together (the mental model)
┌─────────────── 802.1X ───────────────┐ "Are you allowed on at all?"
│ ┌─────────── Port security ──────┐ │ "How many / which MACs?"
│ │ ┌─────── IP Source Guard ──┐ │ │ "Is your source IP real?"
│ │ │ ┌─── DAI ────────────┐ │ │ │ "Is your ARP honest?"
│ │ │ │ DHCP snooping │ │ │ │ "(builds the truth table)"
Access port ───────────────────────────────────► switch fabric
DHCP snooping builds the binding table; DAI and IP Source Guard read it; port security counts MACs; 802.1X decides whether the conversation happens at all. Configure them bottom-up — snooping first, always.
Common mistakes (memorize these)
- DAI or IPSG without DHCP snooping. No binding table → everything is “untrusted” → legitimate traffic is dropped. Snooping is a prerequisite, not an option.
- Forgetting to trust the uplink (for both snooping and DAI). The most common reason “the whole VLAN broke.”
- Static-IP hosts under DAI/IPSG. No lease = not in the table = dropped. Use ARP ACLs / static IP source bindings.
- Assuming restrict shuts the port. Only shutdown err-disables it. Mixing these up loses easy marks.
- Securing the access layer but leaving trunks open. Most of these attacks launch from an access port — that’s where the controls belong.
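Most of the mistakes above are visible in the running-config before anything breaks. As an added example (not the tutorial's or Cisco's code), here is a small audit that parses a constructed IOS running-config and flags the dependency errors listed above: DAI on a VLAN without snooping, no snooping-trusted uplink, an uplink that is snooping-trusted but not DAI-trusted, and `ip verify source port-security` on a port without port security. A weak config is shown beside the corrected one; interface names and VLAN numbers are made up.

```python
# Added example, not the tutorial's or Cisco's code: a config audit that looks
# for the mistakes listed above in a saved running-config. Both configs are
# constructed for the example.
import re

WEAK_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10,20
!
interface GigabitEthernet0/1
 description uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 ip verify source port-security
!
"""

FIXED_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface GigabitEthernet0/1
 description uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
"""

def parse_config(text):
    """Split an IOS config into global commands and {interface: [sub-commands]}."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces

def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(text):
    """Return a list of findings; an empty list means none of the known mistakes were seen."""
    global_cmds, interfaces = parse_config(text)
    snoop_vlans, dai_vlans = set(), set()
    for cmd in global_cmds:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", cmd)
        if m:
            snoop_vlans |= expand_vlans(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)$", cmd)
        if m:
            dai_vlans |= expand_vlans(m.group(1))
    snoop_trusted = {n for n, c in interfaces.items() if "ip dhcp snooping trust" in c}
    dai_trusted = {n for n, c in interfaces.items() if "ip arp inspection trust" in c}
    findings = []
    if snoop_vlans and "ip dhcp snooping" not in global_cmds:
        findings.append("snooping VLANs listed but global 'ip dhcp snooping' is missing")
    if snoop_vlans and not snoop_trusted:
        findings.append("no snooping-trusted port: the real DHCP server's OFFER/ACK will be dropped")
    for v in sorted(dai_vlans - snoop_vlans):
        findings.append(f"DAI on VLAN {v} without DHCP snooping there: no bindings, ARP will be dropped")
    if dai_vlans:
        for n in sorted(snoop_trusted - dai_trusted):
            findings.append(f"{n}: snooping-trusted but not DAI-trusted; uplink ARP will be inspected and dropped")
    for n, cmds in interfaces.items():
        if "ip verify source port-security" in cmds and "switchport port-security" not in cmds:
            findings.append(f"{n}: 'ip verify source port-security' needs 'switchport port-security' for the MAC check")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK :", finding)
    print("FIXED:", audit(FIXED_CONFIG) or "no findings")
```

The parser is deliberately minimal (one-space indentation under interface stanzas, `!` as the stanza terminator), which is enough for the output of `show running-config` on IOS; it is a pre-change sanity check, not a replacement for the `show` commands in each section above.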
Try it yourself
These are exactly the topics where reading isn’t enough — you have to watch a frame get dropped to believe it. Each library topic has a hands-on lab:
- DHCP snooping — build the binding table, then watch a rogue DHCP server get silenced.
- Dynamic ARP Inspection — poison an ARP cache, enable DAI, watch the attack die.
- IP Source Guard — spoof a source IP and see it dropped at the port.
Do snooping first — the other two won’t make sense (or work) without it.
What’s next
- Port security and MAC address table — the Layer-2 fundamentals underneath all of this.
- 802.1X / dot1x, AAA, Cisco ISE — identity-based access control, the CCNP direction.
- Spanning Tree + BPDU Guard / Root Guard — the other half of access-layer hardening.
The whole stack is one idea repeated five ways: don’t trust the port — prove it. Get the order right (snooping → DAI → IPSG → port security → 802.1X) and access-layer security stops being a pile of commands and becomes a single layered defense. We drill exactly this kind of “why, in what order, and what breaks if you skip a step” on real gear in the 1:1 CCNA/CCNP program. First session is free.