Skip to main content
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
CCNP Library (15)
Practice
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All posts
ccnaport-securitydhcp-snoopingdailayer-2-security

Layer 2 hardening — Port Security, DHCP Snooping, and DAI in one lab

The three access-layer defenses that stop 90% of L2 attacks: MAC flooding, rogue DHCP servers, and ARP spoofing. How they interact, the trust-port model, sticky-MAC pros and cons, and the diagnostic commands when something goes err-disabled.

The access layer is where users plug in. It’s also where the meanest attacks come from — someone hooks up a laptop and starts flooding the switch, spoofing the DHCP server, or poisoning ARP tables. Layer 2 has no authentication in the ordinary sense: whoever plugs in the cable is on the network.

Three built-in switch features stop the majority of L2 attacks with minimal effort:

  1. Port Security — limit the MACs allowed to send on an access port.
  2. DHCP Snooping — designate which switch ports are allowed to be DHCP servers.
  3. Dynamic ARP Inspection (DAI) — validate ARP replies against the DHCP snooping binding table.

They’re related: DAI depends on the DHCP snooping binding table. All three are worth configuring on any access switch that serves untrusted hosts (i.e., ~all of them).

Here’s how they work together, and how to configure them without accidentally locking out legitimate users.

Port Security — first line

Port Security tells the switch: “on this access port, only allow traffic from up to N distinct source MACs. Violation → err-disable the port.”

Default config after enabling:

  • Max MACs = 1
  • Violation = shutdown (err-disable)
  • MAC learning = dynamic (secured in RAM only, forgotten on reboot)

Basic config:

Switch(config)# interface g0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky

Line by line:

  • switchport mode access — must be access, not trunk or dynamic. Port Security refuses to activate on a dynamic-mode port.
  • switchport port-security — activate the feature.
  • maximum 2 — allow up to 2 MACs. Common when a laptop is behind a phone (phone MAC + laptop MAC).
  • violation restrict — drop the offending traffic and log, but keep the port up. Alternatives: shutdown (err-disable, requires manual bounce) and protect (silently drop, no log).
  • mac-address sticky — dynamically learn MACs, save them to running-config. When the running-config is copied to startup-config, they persist through reboot.

Sticky MAC — the trade-off

Sticky MAC is popular because it’s low-effort: you don’t have to enter each user’s MAC. The switch learns and remembers.

Downside: if a user replaces their laptop, the new MAC is a violation. Someone has to clear port-security sticky interface g0/1 or no switchport port-security mac-address <old-mac> to accept the new one.

For high-security environments, prefer statically configured MACs. For general use, sticky is fine — with a policy to bounce ports on user hardware changes.

Violation modes

ModeBehavior
shutdownPort goes err-disabled. Manual recovery. Default.
restrictDrop violating traffic, increment counter, log via SNMP/syslog. Port stays up.
protectSilently drop violating traffic. No log. No counter.

Choose restrict for most access ports — you get logging without disrupting the user’s day. shutdown for high-security. protect is rarely useful because you lose visibility.

Show commands for Port Security

Switch# show port-security
Switch# show port-security interface g0/1
Switch# show port-security address

show port-security interface g0/1 is the money command:

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : aabb.cc00.0001:10
Security Violation Count   : 3

Read this on a real port and every port-security concept snaps into place.

Err-disable recovery

When violation shutdown fires and the port goes err-disabled, you have to manually recover:

Switch(config)# interface g0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Or configure auto-recovery:

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300

Now the port comes back automatically 5 minutes after being err-disabled. Useful in low-security environments; skip in high-security.

DHCP Snooping — stop rogue DHCP servers

By default, any device connected to a switch can advertise as a DHCP server. If someone plugs in a Linux laptop with dhcpd running, clients on the same VLAN might grab an IP from that server — with a bogus gateway that captures all their traffic.

DHCP Snooping tells the switch: “only the port toward the real DHCP server is trusted to send DHCP-server-side messages. Every other port is untrusted.”

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

Switch(config)# interface g0/24
Switch(config-if)# description Uplink to DHCP server
Switch(config-if)# ip dhcp snooping trust

Switch(config)# interface range g0/1 - 23
Switch(config-if-range)# ip dhcp snooping limit rate 10

Line by line:

  • Global ip dhcp snooping — enable the feature.
  • Per-VLAN activation — DHCP snooping runs on VLAN 10.
  • Trust the uplink (toward the real DHCP server) — DHCP server messages are allowed on g0/24.
  • All other ports (g0/1 through g0/23) are untrusted by default. Any DHCP OFFER/ACK arriving on those ports is dropped.
  • Rate-limit — prevent DHCP flooding attacks.

The binding table — the linchpin of L2 security

As legit clients get IPs from the trusted DHCP server, DHCP snooping records each lease in its binding table:

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------
AA:BB:CC:00:00:01   10.0.10.15       86400       dhcp-snooping  10    Gi0/1

This table maps: user’s MAC → user’s IP → the VLAN → the port they’re on. That’s the trusted mapping DAI uses next.

Dynamic ARP Inspection (DAI) — stop ARP spoofing

ARP spoofing: attacker sends unsolicited ARP replies claiming their MAC owns the gateway’s IP. Every host on the LAN updates its ARP cache. Attacker becomes the man-in-the-middle.

DAI validates every ARP reply against the DHCP snooping binding table. If the ARP reply claims 10.0.10.1 is at MAC aabb.ccdd.eeff, DAI looks up 10.0.10.1 in the binding — if the mapping doesn’t match, the ARP reply is dropped.

Switch(config)# ip arp inspection vlan 10

Switch(config)# interface g0/24
Switch(config-if)# ip arp inspection trust

Switch(config)# interface range g0/1 - 23
Switch(config-if-range)# ip arp inspection limit rate 15

Trust the uplink (real ARP traffic from the router goes through). Rate-limit user ports to prevent flood attacks.

The trust model — three levels

Ports are typed based on trust:

  • Access ports (untrusted for DHCP + DAI): where end users plug in. Untrusted for DHCP server messages, DAI validates their ARPs.
  • Uplinks to trusted infrastructure (DHCP server, gateway router): ip dhcp snooping trust + ip arp inspection trust. Trusted for DHCP server messages, ARPs pass without validation.
  • Server ports (static IPs, no DHCP lease): need special handling. Add a static binding: ip source binding aabb.cc00.0001 vlan 10 10.0.10.99 interface g0/5.

Get the trust model wrong and either the network’s not protected or you break legitimate traffic.

Diagnostic commands

Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection
Switch# show ip arp inspection statistics
Switch# show port-security
Switch# show interfaces status err-disabled

show ip dhcp snooping gives you the enable state + trust configuration. show ip arp inspection statistics shows how many ARPs were dropped by DAI — a spike here usually means someone’s actively spoofing.

The lab you should build

One switch, one router (DHCP server), one PC, one attacker PC. On the switch:

  1. Enable port security on the PC port (max 2, restrict, sticky).
  2. Enable DHCP snooping on VLAN 10, trust the uplink to the router.
  3. Enable DAI on VLAN 10, trust the uplink.

Test:

  • Real PC boots, gets DHCP IP, ARPs normally. All works.
  • Attacker PC boots, tries to advertise DHCP OFFER — dropped, log fires.
  • Attacker PC sends spoofed ARP claiming to be the gateway — DAI drops, log fires.
  • Real PC violates port security by transmitting 3 different MACs — port goes into restrict, log fires.

That drill covers the three most common L2 attacks and their exact defenses. Anyone certified to CCNA level should be able to configure this cold.

Common mistakes

  1. Enabling DAI before DHCP snooping. The binding table is empty. Every ARP fails validation. Nothing works. Always DHCP snooping first, let clients get IPs to populate the table, then DAI.

  2. Forgetting to trust the uplink for both DHCP snooping and DAI. Without trust, the real DHCP server’s OFFER gets dropped by the switch. Users can’t get IPs. Panic ensues.

  3. Port security on a trunk port. Doesn’t work as expected. Port Security is for access ports.

  4. Sticky-MAC never saved. Sticky MACs go to running-config; if you don’t write memory, a reboot wipes them.

  5. Static-IP servers without a binding. DAI sees their ARP replies, doesn’t find them in the binding table, drops. Users complain the server is unreachable. Fix: add a static binding.

  6. DHCP relay on the same VLAN. If your gateway router runs ip helper-address, DHCP OFFER packets come back through the router — the port they arrive on is the uplink. Make sure that’s trusted.

Cheat strip

ConceptOne-line meaning
Port SecurityLimit MACs per access port
max default1 MAC
violation defaultshutdown (err-disable)
sticky MACLearn dynamically, save to running-config
DHCP snoopingOnly trusted ports may send DHCP server messages
Binding tableMAC ↔ IP ↔ port map — the linchpin
DAIValidate ARP replies against binding table
Trust portUplink toward real DHCP/gateway — everything allowed
Static bindingManual entry for servers without DHCP leases
err-disable recoveryAuto-bring-back timer for err-disabled ports

The bigger point

These three features together are the default access-layer posture in any decent enterprise network. They stop the low-effort attacks — MAC flooding, rogue DHCP, ARP spoofing — that account for the majority of L2 incidents.

They’re on the CCNA blueprint because they’re on the daily-work blueprint. Configure them in the lab, break them, fix them, move on. When you can rattle off the three commands from memory, you’ve earned that portion of the exam.

Everything else in Layer 2 security — 802.1X, MAB, DHCPv6 guard, IPv6 RA guard, Storm Control, Root Guard — extends this foundation. Get the base right and the rest is incremental.

Get posts like this by email.

One short, opinionated tutorial per week. Unsubscribe in one click.

Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.