📘 CCNA 200-301 v1.1
5.7 Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection and port security)
Overview of Layer 2 Security
Layer 2 security focuses on protecting the switching layer (Data Link Layer) of a network.
Switches connect devices within a LAN (like PCs, printers, servers). Because switches forward frames based on MAC addresses, they can be targets for attacks such as:
- MAC address spoofing
- DHCP starvation
- ARP spoofing or poisoning
To prevent these, Cisco switches provide Layer 2 security features:
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- Port Security
These protect against common attacks that exploit switch behavior.
🔸 1. DHCP Snooping
💡 What it is:
DHCP Snooping is a security feature that protects the network from rogue (unauthorized) DHCP servers and DHCP attacks.
DHCP Snooping ensures that only trusted DHCP servers can send DHCP responses (like IP address offers) to clients.
🧩 Why it’s needed:
In a network, clients get IP addresses from a DHCP server.
If an attacker connects a fake DHCP server, it can:
- Give wrong IP addresses or gateways to clients.
- Intercept or redirect traffic.
This can cause man-in-the-middle attacks or network outages.
⚙️ How it works:
When DHCP Snooping is enabled:
- The switch monitors DHCP messages passing through it.
- It builds a DHCP Snooping Binding Table. This table records:
  - MAC address
  - IP address
  - VLAN
  - Interface
  - Lease time
This table is later used by other features (like Dynamic ARP Inspection).
🔐 Trusted vs. Untrusted Ports
- Trusted port:
  A port connected to a legitimate DHCP server (like the uplink to a DHCP server or router).
  → DHCP messages are allowed.
- Untrusted port:
  Ports connected to clients or end devices.
  → DHCP responses (like OFFER, ACK) from untrusted ports are blocked.
⚙️ Key Commands (Cisco IOS)
Enable DHCP Snooping:
Switch(config)# ip dhcp snooping
Enable it for a specific VLAN:
Switch(config)# ip dhcp snooping vlan 10
Mark a port as trusted:
Switch(config-if)# ip dhcp snooping trust
Set a rate limit for DHCP packets on an interface (optional; limits DHCP flooding such as starvation attacks):
Switch(config-if)# ip dhcp snooping limit rate 10
🔍 Verification Commands
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
These show the feature status and the binding table.
🧱 Summary
| Concept | Description |
|---|---|
| Purpose | Protect from rogue DHCP servers |
| Trusted Port | Connected to DHCP server |
| Untrusted Port | Connected to clients |
| Key Feature | Builds DHCP Snooping Binding Table |
🔸 2. Dynamic ARP Inspection (DAI)
💡 What it is:
Dynamic ARP Inspection (DAI) prevents ARP spoofing/poisoning attacks by validating ARP packets.
🧩 Why it’s needed:
ARP maps IP addresses to MAC addresses.
Attackers can send fake ARP messages pretending to be another device (like the default gateway), tricking clients into sending data to them.
DAI ensures that only valid ARP messages (based on the DHCP Snooping Binding Table) are allowed.
⚙️ How it works:
- DAI checks each ARP packet on untrusted ports.
- It compares the information in the ARP packet (IP–MAC binding) with the DHCP Snooping Binding Table.
- If the information doesn’t match → the ARP packet is dropped.
🔐 Trusted vs. Untrusted Ports
- Trusted ports:
  Typically uplinks or trunk ports (towards other switches or routers). ARP packets are trusted.
- Untrusted ports:
  Connected to end devices. ARP packets are inspected.
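The following is an added example, not part of the original notes, that models in Python how the switch fills the DHCP Snooping Binding Table (section 1) and how DAI then checks ARP packets against it (section 2). Port names, MACs, IPs and messages are constructed sample data; the real switch does this in hardware, and the simplified message flow is an assumption made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class L2SecuritySwitch:
    """Toy model of DHCP Snooping + DAI on one switch (constructed example)."""
    trusted_ports: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> client port
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port, lease)
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg_type, mac, ip=None, lease=0):
        """Filter a DHCP message; returns True if the switch forwards it."""
        if msg_type in ("OFFER", "ACK") and port not in self.trusted_ports:
            # server-to-client messages are only accepted from trusted ports
            self.log.append(f"DHCP {msg_type} dropped on untrusted {port}")
            return False
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, mac)] = port       # remember which port the client is on
        elif msg_type == "ACK":
            # a lease was granted: record MAC, IP, VLAN, interface and lease time
            client_port = self.pending.get((vlan, mac), port)
            self.bindings[(vlan, ip)] = (mac, client_port, lease)
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI check; returns True if the ARP packet is allowed."""
        if port in self.trusted_ports:
            return True                            # trusted ports bypass inspection
        entry = self.bindings.get((vlan, sender_ip))
        if entry is None or entry[0] != sender_mac:
            self.log.append(f"ARP dropped on {port}: {sender_ip} not bound to {sender_mac}")
            return False
        return True


def demo():
    """Constructed scenario: Gi0/1 is the uplink to the DHCP server (trusted)."""
    sw = L2SecuritySwitch(trusted_ports={"Gi0/1"})
    sw.dhcp("Fa0/2", 10, "REQUEST", "aa:aa:aa:aa:aa:02")
    sw.dhcp("Gi0/1", 10, "ACK", "aa:aa:aa:aa:aa:02", ip="10.0.10.20", lease=86400)
    # an OFFER arriving on an access port is a rogue server symptom: dropped
    rogue_offer = sw.dhcp("Fa0/3", 10, "OFFER", "bb:bb:bb:bb:bb:03", ip="10.0.10.99")
    valid_arp = sw.arp("Fa0/2", 10, "aa:aa:aa:aa:aa:02", "10.0.10.20")
    # an untrusted host claiming the gateway IP has no binding: dropped by DAI
    spoofed_arp = sw.arp("Fa0/3", 10, "bb:bb:bb:bb:bb:03", "10.0.10.1")
    return rogue_offer, valid_arp, spoofed_arp, sw
```

Running `demo()` shows the binding created from the ACK, the rogue OFFER dropped at the port, and the gateway-spoofing ARP rejected, which is the order of events `show ip dhcp snooping binding` and `show ip arp inspection` would reflect.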
⚙️ Key Commands
Enable DAI on VLANs:
Switch(config)# ip arp inspection vlan 10
Mark an interface as trusted:
Switch(config-if)# ip arp inspection trust
Rate limit (optional):
Switch(config-if)# ip arp inspection limit rate 15
🔍 Verification Commands
Switch# show ip arp inspection
Switch# show ip arp inspection vlan 10
🧱 Summary
| Concept | Description |
|---|---|
| Purpose | Prevent ARP spoofing |
| Uses | DHCP Snooping Binding Table |
| Trusted Port | Bypasses ARP checking |
| Untrusted Port | ARP packets are inspected |
🔸 3. Port Security
💡 What it is:
Port Security controls which devices can connect to a switch port by restricting MAC addresses.
It prevents unauthorized devices from connecting to the network.
🧩 Why it’s needed:
Without port security, any device can plug into a switch port and gain network access — which is risky in offices or public areas.
Port Security limits:
- How many devices (MAC addresses) can connect.
- Which specific MAC addresses are allowed.
⚙️ How it works:
You can configure:
- Maximum MAC addresses allowed on a port.
- Static MAC addresses (manually set).
- Dynamic MAC addresses (learned automatically).
- Sticky MAC addresses (learned dynamically and saved in the configuration).
If a violation occurs (too many MACs on the port, or a MAC that is not allowed on it), the switch takes the configured violation action.
🚨 Violation Modes
| Mode | Description |
|---|---|
| Protect | Drops unauthorized frames silently. |
| Restrict | Drops unauthorized frames and logs the violation (sends an SNMP trap, increments the violation counter). |
| Shutdown | Disables the port by placing it in the err-disabled state (default mode). |
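An added example, not from the original notes, that models port security on a single access port in Python: a MAC limit, dynamic and sticky learning, and the three violation modes from the table above. MAC addresses and the port model are constructed; the real switch also reloads sticky MACs from the saved configuration, which this toy only records.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Toy model of port security on one access port (constructed example)."""
    maximum: int = 1
    violation: str = "shutdown"            # protect | restrict | shutdown (default)
    sticky: bool = False
    static: set = field(default_factory=set)     # manually configured MACs
    learned: set = field(default_factory=set)    # dynamically learned MACs
    running_config: list = field(default_factory=list)  # sticky MACs written here
    violation_count: int = 0
    err_disabled: bool = False

    def allowed(self):
        return self.static | self.learned

    def frame(self, src_mac):
        """Process an ingress frame; returns True if it is forwarded."""
        if self.err_disabled:
            return False                       # port stays down until recovered
        if src_mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            self.learned.add(src_mac)          # dynamic learning below the maximum
            if self.sticky:                    # sticky: learned MAC saved to config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        return self._violation()

    def _violation(self):
        if self.violation == "protect":
            return False                       # dropped silently, no counter
        self.violation_count += 1              # restrict/shutdown: log + SNMP trap
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled
        return False


def demo():
    """Same three frames against each violation mode, maximum 2, sticky on."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        ps = PortSecurity(maximum=2, violation=mode, sticky=True)
        ok = [ps.frame(m) for m in ("aa:aa:aa:aa:aa:01",
                                    "aa:aa:aa:aa:aa:02",
                                    "cc:cc:cc:cc:cc:03")]
        results[mode] = (ok, ps.violation_count, ps.err_disabled, len(ps.running_config))
    return results
```

The third MAC is refused in every mode; only restrict and shutdown count it, and only shutdown takes the port down, which is what `show port-security interface` reports in the violation count and port status fields.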
⚙️ Key Commands
Enable port security on an interface:
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Set maximum number of MAC addresses:
Switch(config-if)# switchport port-security maximum 2
Enable sticky MAC:
Switch(config-if)# switchport port-security mac-address sticky
Set violation mode:
Switch(config-if)# switchport port-security violation restrict
🔍 Verification Commands
Switch# show port-security interface fa0/1
Switch# show port-security address
🧱 Summary
| Concept | Description |
|---|---|
| Purpose | Control which devices can connect |
| Key Feature | Limits and learns MAC addresses |
| Violation Actions | Protect, Restrict, Shutdown |
| Default Violation Mode | Shutdown |
🔹 How They Work Together
| Feature | Protects Against | Depends On | Works On |
|---|---|---|---|
| DHCP Snooping | Rogue DHCP servers | — | DHCP messages |
| Dynamic ARP Inspection | ARP spoofing | DHCP Snooping binding table | ARP packets |
| Port Security | Unauthorized device access | — | MAC addresses on ports |
Together, they form a Layer 2 defense mechanism that protects a LAN from internal attacks and unauthorized access.
✅ Key Takeaways for CCNA Exam
- Know what each feature does and what type of attack it prevents.
- Remember trusted vs. untrusted ports.
- Memorize key configuration and verification commands.
- Understand how DHCP Snooping supports DAI.
- Be aware of violation modes in Port Security.
