Layer 2 hardening — Port Security, DHCP Snooping, and DAI in one lab
The three access-layer defenses that stop 90% of L2 attacks: MAC flooding, rogue DHCP servers, and ARP spoofing. How they interact, the trust-port model, sticky-MAC pros and cons, and the diagnostic commands when something goes err-disabled.
The access layer is where users plug in. It’s also where the meanest attacks come from — someone hooks up a laptop and starts flooding the switch, spoofing the DHCP server, or poisoning ARP tables. Layer 2 has no authentication in the ordinary sense: whoever plugs in the cable is on the network.
Three built-in switch features stop the majority of L2 attacks with minimal effort:
- Port Security — limit the MACs allowed to send on an access port.
- DHCP Snooping — designate which switch ports are allowed to be DHCP servers.
- Dynamic ARP Inspection (DAI) — validate ARP replies against the DHCP snooping binding table.
They’re related: DAI depends on the DHCP snooping binding table. All three are worth configuring on any access switch that serves untrusted hosts (i.e., ~all of them).
Here’s how they work together, and how to configure them without accidentally locking out legitimate users.
Port Security — first line
Port Security tells the switch: “on this access port, only allow traffic from up to N distinct source MACs. Violation → err-disable the port.”
Default config after enabling:
- Max MACs = 1
- Violation = shutdown (err-disable)
- MAC learning = dynamic (secured in RAM only, forgotten on reboot)
Basic config:
Switch(config)# interface g0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Line by line:
switchport mode access— must be access, not trunk or dynamic. Port Security refuses to activate on a dynamic-mode port.switchport port-security— activate the feature.maximum 2— allow up to 2 MACs. Common when a laptop is behind a phone (phone MAC + laptop MAC).violation restrict— drop the offending traffic and log, but keep the port up. Alternatives:shutdown(err-disable, requires manual bounce) andprotect(silently drop, no log).mac-address sticky— dynamically learn MACs, save them to running-config. When the running-config is copied to startup-config, they persist through reboot.
Sticky MAC — the trade-off
Sticky MAC is popular because it’s low-effort: you don’t have to enter each user’s MAC. The switch learns and remembers.
Downside: if a user replaces their laptop, the new MAC is a violation. Someone has to clear port-security sticky interface g0/1 or no switchport port-security mac-address <old-mac> to accept the new one.
For high-security environments, prefer statically configured MACs. For general use, sticky is fine — with a policy to bounce ports on user hardware changes.
Violation modes
| Mode | Behavior |
|---|---|
shutdown | Port goes err-disabled. Manual recovery. Default. |
restrict | Drop violating traffic, increment counter, log via SNMP/syslog. Port stays up. |
protect | Silently drop violating traffic. No log. No counter. |
Choose restrict for most access ports — you get logging without disrupting the user’s day. shutdown for high-security. protect is rarely useful because you lose visibility.
Show commands for Port Security
Switch# show port-security
Switch# show port-security interface g0/1
Switch# show port-security address
show port-security interface g0/1 is the money command:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : aabb.cc00.0001:10
Security Violation Count : 3
Read this on a real port and every port-security concept snaps into place.
Err-disable recovery
When violation shutdown fires and the port goes err-disabled, you have to manually recover:
Switch(config)# interface g0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Or configure auto-recovery:
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Now the port comes back automatically 5 minutes after being err-disabled. Useful in low-security environments; skip in high-security.
DHCP Snooping — stop rogue DHCP servers
By default, any device connected to a switch can advertise as a DHCP server. If someone plugs in a Linux laptop with dhcpd running, clients on the same VLAN might grab an IP from that server — with a bogus gateway that captures all their traffic.
DHCP Snooping tells the switch: “only the port toward the real DHCP server is trusted to send DHCP-server-side messages. Every other port is untrusted.”
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# interface g0/24
Switch(config-if)# description Uplink to DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config)# interface range g0/1 - 23
Switch(config-if-range)# ip dhcp snooping limit rate 10
Line by line:
- Global
ip dhcp snooping— enable the feature. - Per-VLAN activation — DHCP snooping runs on VLAN 10.
- Trust the uplink (toward the real DHCP server) — DHCP server messages are allowed on
g0/24. - All other ports (
g0/1throughg0/23) are untrusted by default. Any DHCP OFFER/ACK arriving on those ports is dropped. - Rate-limit — prevent DHCP flooding attacks.
The binding table — the linchpin of L2 security
As legit clients get IPs from the trusted DHCP server, DHCP snooping records each lease in its binding table:
Switch# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- -----------
AA:BB:CC:00:00:01 10.0.10.15 86400 dhcp-snooping 10 Gi0/1
This table maps: user’s MAC → user’s IP → the VLAN → the port they’re on. That’s the trusted mapping DAI uses next.
Dynamic ARP Inspection (DAI) — stop ARP spoofing
ARP spoofing: attacker sends unsolicited ARP replies claiming their MAC owns the gateway’s IP. Every host on the LAN updates its ARP cache. Attacker becomes the man-in-the-middle.
DAI validates every ARP reply against the DHCP snooping binding table. If the ARP reply claims 10.0.10.1 is at MAC aabb.ccdd.eeff, DAI looks up 10.0.10.1 in the binding — if the mapping doesn’t match, the ARP reply is dropped.
Switch(config)# ip arp inspection vlan 10
Switch(config)# interface g0/24
Switch(config-if)# ip arp inspection trust
Switch(config)# interface range g0/1 - 23
Switch(config-if-range)# ip arp inspection limit rate 15
Trust the uplink (real ARP traffic from the router goes through). Rate-limit user ports to prevent flood attacks.
The trust model — three levels
Ports are typed based on trust:
- Access ports (untrusted for DHCP + DAI): where end users plug in. Untrusted for DHCP server messages, DAI validates their ARPs.
- Uplinks to trusted infrastructure (DHCP server, gateway router):
ip dhcp snooping trust+ip arp inspection trust. Trusted for DHCP server messages, ARPs pass without validation. - Server ports (static IPs, no DHCP lease): need special handling. Add a static binding:
ip source binding aabb.cc00.0001 vlan 10 10.0.10.99 interface g0/5.
Get the trust model wrong and either the network’s not protected or you break legitimate traffic.
Diagnostic commands
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection
Switch# show ip arp inspection statistics
Switch# show port-security
Switch# show interfaces status err-disabled
show ip dhcp snooping gives you the enable state + trust configuration. show ip arp inspection statistics shows how many ARPs were dropped by DAI — a spike here usually means someone’s actively spoofing.
The lab you should build
One switch, one router (DHCP server), one PC, one attacker PC. On the switch:
- Enable port security on the PC port (max 2, restrict, sticky).
- Enable DHCP snooping on VLAN 10, trust the uplink to the router.
- Enable DAI on VLAN 10, trust the uplink.
Test:
- Real PC boots, gets DHCP IP, ARPs normally. All works.
- Attacker PC boots, tries to advertise DHCP OFFER — dropped, log fires.
- Attacker PC sends spoofed ARP claiming to be the gateway — DAI drops, log fires.
- Real PC violates port security by transmitting 3 different MACs — port goes into restrict, log fires.
That drill covers the three most common L2 attacks and their exact defenses. Anyone certified to CCNA level should be able to configure this cold.
Common mistakes
-
Enabling DAI before DHCP snooping. The binding table is empty. Every ARP fails validation. Nothing works. Always DHCP snooping first, let clients get IPs to populate the table, then DAI.
-
Forgetting to trust the uplink for both DHCP snooping and DAI. Without trust, the real DHCP server’s OFFER gets dropped by the switch. Users can’t get IPs. Panic ensues.
-
Port security on a trunk port. Doesn’t work as expected. Port Security is for access ports.
-
Sticky-MAC never saved. Sticky MACs go to running-config; if you don’t
write memory, a reboot wipes them. -
Static-IP servers without a binding. DAI sees their ARP replies, doesn’t find them in the binding table, drops. Users complain the server is unreachable. Fix: add a static binding.
-
DHCP relay on the same VLAN. If your gateway router runs
ip helper-address, DHCP OFFER packets come back through the router — the port they arrive on is the uplink. Make sure that’s trusted.
Cheat strip
| Concept | One-line meaning |
|---|---|
| Port Security | Limit MACs per access port |
| max default | 1 MAC |
| violation default | shutdown (err-disable) |
| sticky MAC | Learn dynamically, save to running-config |
| DHCP snooping | Only trusted ports may send DHCP server messages |
| Binding table | MAC ↔ IP ↔ port map — the linchpin |
| DAI | Validate ARP replies against binding table |
| Trust port | Uplink toward real DHCP/gateway — everything allowed |
| Static binding | Manual entry for servers without DHCP leases |
| err-disable recovery | Auto-bring-back timer for err-disabled ports |
The bigger point
These three features together are the default access-layer posture in any decent enterprise network. They stop the low-effort attacks — MAC flooding, rogue DHCP, ARP spoofing — that account for the majority of L2 incidents.
They’re on the CCNA blueprint because they’re on the daily-work blueprint. Configure them in the lab, break them, fix them, move on. When you can rattle off the three commands from memory, you’ve earned that portion of the exam.
Everything else in Layer 2 security — 802.1X, MAB, DHCPv6 guard, IPv6 RA guard, Storm Control, Root Guard — extends this foundation. Get the base right and the rest is incremental.
Get posts like this by email.
One short, opinionated tutorial per week. Unsubscribe in one click.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.