DHCP Snooping & Dynamic ARP Inspection

In modern computer networks, security is not just about protecting the perimeter with firewalls and antivirus software. Some of the most dangerous attacks happen from within the network itself, where malicious users or compromised devices exploit fundamental network protocols to intercept, redirect, or disrupt traffic. Two powerful security features, DHCP Snooping and Dynamic ARP Inspection (DAI), work together to protect networks from a variety of these internal threats. This document will guide you through understanding what these technologies are, how they work, why they matter, and how to configure and troubleshoot them in real-world network environments.


Understanding the Security Problem

Before we dive into the solutions, we need to understand the problems that DHCP Snooping and Dynamic ARP Inspection solve. These security features address vulnerabilities in two fundamental network protocols: DHCP (Dynamic Host Configuration Protocol) and ARP (Address Resolution Protocol).

What is DHCP and Why is it Vulnerable?

DHCP is a network protocol that automatically assigns IP addresses and network configuration information to devices when they connect to a network. Instead of manually configuring every computer, phone, or printer with an IP address, subnet mask, default gateway, and DNS servers, DHCP does this automatically.

Think of DHCP like an automated check-in desk at a hotel. When you arrive (connect to the network), the desk clerk (DHCP server) assigns you a room number (IP address) and gives you information about the hotel facilities (network configuration). You don't choose your own room; the system assigns one to you.

The basic DHCP process works like this:

  1. A device connects to the network and broadcasts a DHCP Discover message saying "I need an IP address!"
  2. A DHCP server receives this request and responds with a DHCP Offer message saying "Here's an IP address you can use."
  3. The device sends a DHCP Request message accepting the offer.
  4. The server confirms with a DHCP Acknowledgment message, and the device can now use that IP address.

The vulnerability is that DHCP was designed with trust, not security, in mind. Any device can pretend to be a DHCP server and respond to these discovery messages. This creates several dangerous attack possibilities:

  • Rogue DHCP Server Attack: An attacker sets up an unauthorized DHCP server on the network that hands out malicious network configurations.
  • DHCP Starvation Attack: An attacker floods the legitimate DHCP server with thousands of fake requests, exhausting all available IP addresses so legitimate devices cannot connect.
  • Man-in-the-Middle Attack: A rogue DHCP server gives clients the attacker's IP address as the default gateway, routing all traffic through the attacker's machine.

What is ARP and Why is it Vulnerable?

ARP (Address Resolution Protocol) is the mechanism networks use to map IP addresses (which humans and applications use) to MAC addresses (which network hardware uses). Every network device has a unique MAC address burned into its network interface card.

Imagine you're sending a letter to someone in a large apartment building. You know the person's name (IP address), but the postal worker needs to know the specific apartment number (MAC address) to deliver the letter. ARP is like asking around the building, "Which apartment does the person with this name live in?" and having someone respond with the apartment number.

The ARP process works like this:

  1. Device A wants to communicate with IP address 192.168.1.100 but doesn't know the MAC address.
  2. Device A broadcasts an ARP Request to everyone on the network asking "Who has IP 192.168.1.100?"
  3. The device with that IP address responds with an ARP Reply saying "That's me, and my MAC address is AA:BB:CC:DD:EE:FF."
  4. Device A stores this information in its ARP cache (a temporary memory table) for future use.

The critical vulnerability is that ARP has no authentication mechanism. Any device can send an ARP reply, even if it wasn't asked, and other devices will typically trust and accept it. This enables several attacks:

  • ARP Spoofing/Poisoning: An attacker sends fake ARP replies claiming to own someone else's IP address, redirecting traffic intended for that IP to the attacker's machine.
  • Man-in-the-Middle Attack: By spoofing the gateway's IP address, an attacker can intercept all traffic leaving the local network.
  • Denial of Service: Sending false ARP information can break communication between legitimate devices.

Important: Both DHCP and ARP were designed in the early days of networking when networks were small, trusted environments. As networks grew and became more security-conscious, protective mechanisms like DHCP Snooping and Dynamic ARP Inspection were developed to address these fundamental vulnerabilities.

DHCP Snooping

DHCP Snooping is a security feature implemented on network switches that acts as a firewall between untrusted devices and DHCP servers. It monitors DHCP messages flowing through the switch, validates them, and builds a database of legitimate IP-to-MAC address bindings. This prevents rogue DHCP servers and DHCP-based attacks from succeeding.

How DHCP Snooping Works

DHCP Snooping divides switch ports into two categories:

  • Trusted Ports: Ports where legitimate DHCP servers are connected, or ports connecting to other network infrastructure (other switches, routers). DHCP server messages are allowed on these ports.
  • Untrusted Ports: Ports where end-user devices connect (computers, phones, printers). DHCP server messages are blocked on these ports, preventing rogue DHCP servers.

Think of DHCP Snooping like a security checkpoint at an airport. Passengers (client devices) can only enter through certain gates (untrusted ports), while airline staff (DHCP servers) have special access through different, authorized entrances (trusted ports). If a passenger tries to enter through a staff-only entrance, they're blocked.

When DHCP Snooping is enabled, the switch performs these actions:

  1. Monitors DHCP Messages: The switch inspects all DHCP packets flowing through it.
  2. Validates Source: DHCP server messages (Offer, Acknowledgment) are only allowed from trusted ports. If they arrive on untrusted ports, they're dropped.
  3. Builds Binding Database: When a legitimate DHCP transaction completes, the switch records the client's MAC address, IP address, lease time, VLAN, and port number in the DHCP Snooping Binding Database.
  4. Rate Limiting: Optionally limits the number of DHCP requests per second on untrusted ports to prevent DHCP starvation attacks.
  5. Validates Client Messages: Ensures that DHCP Release and Decline messages come from devices with legitimate bindings.

The DHCP Snooping Binding Database

The DHCP Snooping Binding Database (also called the DHCP Snooping Binding Table) is a critical component. This database contains entries with the following information:

Field          Description
MAC Address    The hardware address of the client device
IP Address     The IP address assigned by DHCP
Lease Time     How long the IP address assignment is valid
Interface      Which switch port the device is connected to
VLAN           Which virtual LAN the device belongs to

This database becomes the foundation for other security features, most notably Dynamic ARP Inspection, which we'll discuss later.

Note: The DHCP Snooping Binding Database is stored in RAM by default and is lost when the switch reboots. Many switches allow you to save this database to flash memory or a remote server to preserve it across reboots.

DHCP Snooping Protection Mechanisms

DHCP Snooping provides protection against several specific attacks:

Protection Against Rogue DHCP Servers

By blocking DHCP server messages on untrusted ports, DHCP Snooping ensures that only authorized DHCP servers (connected to trusted ports) can respond to client requests. If an attacker connects a rogue DHCP server to an untrusted port and tries to send DHCP Offer or Acknowledgment messages, the switch drops those packets before they reach any clients.

Protection Against DHCP Starvation

DHCP Snooping can implement rate limiting on untrusted ports, restricting how many DHCP messages can be sent per second. This prevents an attacker from flooding the network with thousands of fake DHCP Discover messages to exhaust the legitimate server's IP address pool.

Validation of DHCP Release and Decline

DHCP Snooping verifies that DHCP Release and Decline messages come from devices with existing entries in the binding database, preventing attackers from releasing other users' IP addresses.
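
To make the five switch actions and the three protections above concrete, here is an added Python model of the DHCP Snooping decision logic. It is example code written for this page, not code from any switch vendor. It assumes a simplified message format (message type, ingress port, VLAN, client MAC, client IP where present, lease and arrival time) and all port names, VLAN numbers and messages in it are constructed. The switch learns the client's port from the client's own DISCOVER/REQUEST and records the binding when the server's ACK arrives on a trusted port.

```python
# Added example (not from the page or any vendor): a switch-side model of
# the DHCP Snooping actions listed above. Port names, VLAN numbers and all
# messages are constructed for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only legitimate from trusted ports


@dataclass(frozen=True)
class DhcpMessage:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    port: str            # ingress switch port
    vlan: int
    client_mac: str      # chaddr
    client_ip: str = ""  # yiaddr on OFFER/ACK, ciaddr on RELEASE/DECLINE
    lease: int = 0       # lease seconds, carried by ACK
    time: float = 0.0    # arrival time in seconds, used for rate limiting


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    interface: str
    vlan: int


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limit=None):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit        # DHCP packets/second allowed per untrusted port
        self.bindings = {}                  # (vlan, ip) -> Binding
        self.err_disabled = set()
        self.dropped = []                   # (message, reason) for logging
        self._pending = {}                  # (vlan, client_mac) -> client's port
        self._window = defaultdict(deque)   # port -> arrival times within the last second

    def _drop(self, msg, reason):
        self.dropped.append((msg, reason))
        return "drop"

    def _over_rate(self, msg):
        if self.rate_limit is None or msg.port in self.trusted:
            return False
        times = self._window[msg.port]
        times.append(msg.time)
        while times and msg.time - times[0] >= 1.0:
            times.popleft()
        return len(times) > self.rate_limit

    def process(self, msg):
        """Return 'forward' or 'drop' for one DHCP message."""
        if msg.vlan not in self.vlans:
            return "forward"                               # snooping not active here
        if msg.port in self.err_disabled:
            return self._drop(msg, "port is error-disabled")
        if self._over_rate(msg):                           # action 4: rate limiting
            self.err_disabled.add(msg.port)
            return self._drop(msg, "DHCP rate limit exceeded")
        if msg.kind in SERVER_MESSAGES and msg.port not in self.trusted:
            return self._drop(msg, "server message on untrusted port")  # action 2
        if msg.kind in ("DISCOVER", "REQUEST"):
            self._pending[(msg.vlan, msg.client_mac)] = msg.port
        elif msg.kind in ("RELEASE", "DECLINE"):           # action 5: client validation
            b = self.bindings.get((msg.vlan, msg.client_ip))
            if b is None or b.mac != msg.client_mac or b.interface != msg.port:
                return self._drop(msg, "release/decline does not match a binding")
            del self.bindings[(msg.vlan, msg.client_ip)]
        elif msg.kind == "ACK":                            # action 3: record the binding
            client_port = self._pending.pop((msg.vlan, msg.client_mac), None)
            if client_port is not None:
                self.bindings[(msg.vlan, msg.client_ip)] = Binding(
                    msg.client_mac, msg.client_ip, msg.lease, client_port, msg.vlan)
        return "forward"


def demo():
    """Constructed walkthrough: Gi0/1 is trusted, untrusted ports allow 3 packets/second."""
    sw = DhcpSnooping(vlans=[10], trusted_ports=["Gi0/1"], rate_limit=3)
    client, r = "00:11:22:33:44:55", {}
    r["discover"] = sw.process(DhcpMessage("DISCOVER", "Gi0/5", 10, client, time=0.0))
    # an unauthorized server on untrusted Gi0/9 answers first: dropped
    r["rogue_offer"] = sw.process(DhcpMessage("OFFER", "Gi0/9", 10, client, "192.168.10.250", time=0.1))
    r["real_offer"] = sw.process(DhcpMessage("OFFER", "Gi0/1", 10, client, "192.168.10.50", time=0.2))
    r["request"] = sw.process(DhcpMessage("REQUEST", "Gi0/5", 10, client, "192.168.10.50", time=0.3))
    r["ack"] = sw.process(DhcpMessage("ACK", "Gi0/1", 10, client, "192.168.10.50", 86400, time=0.4))
    r["binding_port"] = sw.bindings[(10, "192.168.10.50")].interface
    # a RELEASE for that address arriving from a different port: dropped
    r["forged_release"] = sw.process(DhcpMessage("RELEASE", "Gi0/9", 10, client, "192.168.10.50", time=0.5))
    # four DISCOVERs with different MACs within one second on Gi0/9: the fourth trips the limit
    for i in range(4):
        r["flood_%d" % i] = sw.process(DhcpMessage("DISCOVER", "Gi0/9", 10, "02:00:00:00:00:%02x" % i,
                                                   time=5.0 + i * 0.1))
    r["err_disabled"] = sorted(sw.err_disabled)
    return r
```

Running demo() shows the rogue OFFER and the forged RELEASE dropped, the binding recorded against Gi0/5 (the client's port, not the server's), and Gi0/9 error-disabled once the fourth DISCOVER inside one second exceeds the limit of 3. Real switches also match the ACK to the client's transaction ID rather than only the MAC, and count every DHCP packet on the port toward the limit, which is why the rate limit on aggregation ports needs headroom.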

Configuring DHCP Snooping

While specific commands vary by switch manufacturer and model, the general configuration process follows these steps:

  1. Enable DHCP Snooping globally on the switch
  2. Enable DHCP Snooping for specific VLANs
  3. Configure trusted ports (all other ports are untrusted by default)
  4. Optional: Configure rate limiting on untrusted ports
  5. Optional: Enable persistent storage of the binding database

Example configuration on a Cisco switch:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
Switch(config)# interface range GigabitEthernet0/2-24
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# exit
Switch(config)# ip dhcp snooping database flash:dhcp_snooping.db

In this example:

  • DHCP Snooping is enabled globally
  • It's activated for VLANs 10, 20, and 30
  • Port GigabitEthernet0/1 is configured as trusted (where the DHCP server connects)
  • Ports 2-24 have rate limiting set to 10 DHCP packets per second
  • The binding database is saved to flash memory

Warning: When deploying DHCP Snooping in a production network, carefully plan which ports should be trusted. Trusted ports should only be those connecting to legitimate DHCP servers or to other network infrastructure. Making too many ports trusted defeats the security purpose.

Verifying DHCP Snooping

After configuring DHCP Snooping, you should verify it's working correctly. Common verification commands include:

  • View the DHCP Snooping configuration and status
  • Display the DHCP Snooping Binding Database
  • Check DHCP Snooping statistics (packets dropped, forwarded, etc.)

Example verification command on Cisco switches:

Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping statistics

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that prevents ARP spoofing and ARP poisoning attacks by validating ARP packets against a trusted database of IP-to-MAC address bindings. DAI works hand-in-hand with DHCP Snooping, using the binding database created by DHCP Snooping to determine which ARP packets are legitimate.

How Dynamic ARP Inspection Works

Like DHCP Snooping, DAI classifies switch ports as either trusted or untrusted:

  • Trusted Ports: ARP packets are forwarded without inspection. These are typically ports connected to other switches, routers, or devices with static IP addresses that won't appear in the DHCP Snooping database.
  • Untrusted Ports: All ARP packets are intercepted and validated against the DHCP Snooping Binding Database before being forwarded.

When an ARP packet arrives on an untrusted port, DAI performs the following validation:

  1. Intercept the ARP Packet: The switch captures the ARP packet before forwarding it.
  2. Extract Information: DAI extracts the sender's IP address, MAC address, and other relevant information from the ARP packet.
  3. Check the Binding Database: DAI looks up the sender's IP address in the DHCP Snooping Binding Database.
  4. Validate the Binding: DAI compares the MAC address in the ARP packet against the MAC address in the database entry.
  5. Decision:
    • If the MAC address matches and the port matches: the ARP packet is forwarded
    • If there's a mismatch or no database entry: the ARP packet is dropped and logged

Imagine DAI as a bouncer at an exclusive club checking IDs against a guest list. The guest list (DHCP Snooping database) shows who should be there and what they look like. When someone tries to enter (send an ARP packet), the bouncer checks if their appearance (MAC address) matches what's on the list for that name (IP address). If it doesn't match or they're not on the list at all, they're not allowed in.

DAI Validation Checks

Beyond the basic IP-to-MAC binding check, DAI can perform additional validation:

Validation Type             Description
Destination MAC Validation  Checks that the destination MAC address in the Ethernet header matches the target MAC address in the ARP payload
Source MAC Validation       Checks that the source MAC address in the Ethernet header matches the sender MAC address in the ARP payload
IP Address Validation       Checks for invalid or malformed IP addresses (0.0.0.0, 255.255.255.255, multicast addresses) in ARP packets

These additional checks catch attempts to craft malformed ARP packets that might bypass basic validation.

The Relationship Between DHCP Snooping and DAI

DAI fundamentally depends on having a reliable database of legitimate IP-to-MAC bindings. In most networks, this database comes from DHCP Snooping. Here's why this relationship is critical:

  • DHCP Snooping builds the database: As devices receive IP addresses via DHCP, the bindings are recorded.
  • DAI uses the database: When devices communicate using ARP, DAI validates their claims against these recorded bindings.
  • Together they prevent attacks: DHCP Snooping ensures only legitimate DHCP servers assign addresses, and DAI ensures devices only claim IP addresses legitimately assigned to them.

Important: DHCP Snooping should be enabled and functioning properly before enabling DAI. If DAI is enabled without DHCP Snooping, the binding database will be empty, and all ARP packets from untrusted ports will be dropped, breaking network connectivity.

Handling Devices with Static IP Addresses

In real networks, not all devices use DHCP. Servers, printers, network devices, and other infrastructure often use static IP addresses (manually configured addresses that don't change). These devices won't appear in the DHCP Snooping Binding Database, so DAI needs an alternative way to validate their ARP packets.

There are two solutions:

Option 1: Configure Ports as Trusted

The simplest approach is to configure the ports connecting to static IP devices as trusted. ARP packets from trusted ports bypass DAI validation entirely.

Option 2: Use ARP Access Control Lists (ACLs)

For more granular control, you can create ARP ACLs that explicitly permit specific IP-to-MAC bindings. DAI checks ARP ACLs first, then the DHCP Snooping database. This allows you to keep ports untrusted while still permitting legitimate static IP devices.

Example ARP ACL configuration on Cisco switches:

Switch(config)# arp access-list STATIC-DEVICES
Switch(config-arp-nacl)# permit ip host 192.168.1.10 mac host 00A0.C911.1111
Switch(config-arp-nacl)# permit ip host 192.168.1.20 mac host 00A0.C922.2222
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter STATIC-DEVICES vlan 10

This configuration explicitly permits two static IP devices (192.168.1.10 and 192.168.1.20) with their corresponding MAC addresses in VLAN 10.
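
The following added Python model ties together the DAI validation steps described under How Dynamic ARP Inspection Works, the three optional validation checks, and the ARP ACL precedence just described (ACL first, then the DHCP Snooping bindings). It is example code written for this page, not vendor code. The bindings, ACL entries, port names and packets are constructed; the static server 192.168.1.10 / 00:a0:c9:11:11:11 mirrors the first ACL entry above in colon notation.

```python
# Added example (not from the page or any vendor): a model of DAI on an
# untrusted port, with the ARP ACL consulted before the DHCP Snooping
# bindings and the optional src-mac / dst-mac / ip checks. Bindings,
# ACL entries, port names and packets are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP payload fields
    sender_ip: str
    target_mac: str
    target_ip: str


def bad_arp_ip(text):
    """True for the addresses the 'ip' check rejects, or for unparseable text."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return True
    return ip in (ipaddress.IPv4Address("0.0.0.0"),
                  ipaddress.IPv4Address("255.255.255.255")) or ip.is_multicast


class DynamicArpInspection:
    def __init__(self, vlans, trusted_ports, bindings, arp_acls=None, validate=()):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.bindings = bindings            # (vlan, ip) -> (mac, interface), from DHCP Snooping
        self.arp_acls = arp_acls or {}      # vlan -> {ip: mac} permitted by ARP ACL
        self.validate = set(validate)       # any of "src-mac", "dst-mac", "ip"
        self.log = []                       # dropped packets, as a switch would log them

    def inspect(self, pkt):
        verdict, reason = self._decide(pkt)
        if verdict == "drop":
            self.log.append((pkt.port, pkt.sender_ip, pkt.sender_mac, reason))
        return verdict, reason

    def _decide(self, pkt):
        if pkt.vlan not in self.vlans or pkt.port in self.trusted:
            return "forward", "not inspected"
        # optional consistency checks between Ethernet header and ARP payload
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "drop", "Ethernet source MAC differs from ARP sender MAC"
        if ("dst-mac" in self.validate and pkt.op == "reply"
                and pkt.eth_dst.lower() != pkt.target_mac.lower()):
            return "drop", "Ethernet destination MAC differs from ARP target MAC"
        if "ip" in self.validate and (bad_arp_ip(pkt.sender_ip)
                                      or (pkt.op == "reply" and bad_arp_ip(pkt.target_ip))):
            return "drop", "invalid IP address in ARP body"
        # ARP ACL first ...
        permitted = self.arp_acls.get(pkt.vlan, {}).get(pkt.sender_ip)
        if permitted is not None and permitted.lower() == pkt.sender_mac.lower():
            return "forward", "permitted by ARP ACL"
        # ... then the DHCP Snooping binding database
        entry = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if entry is None:
            return "drop", "no binding for sender IP"
        mac, interface = entry
        if mac.lower() != pkt.sender_mac.lower() or interface != pkt.port:
            return "drop", "sender MAC or port does not match binding"
        return "forward", "matches DHCP Snooping binding"


def demo():
    """Constructed VLAN 10: Gi0/24 (gateway) is trusted; 192.168.1.10 is a static server."""
    gw, victim, attacker, server = ("00:00:5e:00:01:01", "00:11:22:33:44:55",
                                    "de:ad:be:ef:00:01", "00:a0:c9:11:11:11")
    dai = DynamicArpInspection([10], trusted_ports=["Gi0/24"],
                               bindings={(10, "192.168.1.50"): (victim, "Gi0/5")},
                               arp_acls={10: {"192.168.1.10": server}},
                               validate=("src-mac", "dst-mac", "ip"))
    r = {}
    # the DHCP client answers the gateway from its own port: matches its binding
    r["legit"] = dai.inspect(ArpPacket("Gi0/5", 10, victim, gw, "reply",
                                       victim, "192.168.1.50", gw, "192.168.1.1"))[0]
    # a host on Gi0/9 claims the gateway's IP: no binding and no ACL entry, so dropped
    r["spoof"] = dai.inspect(ArpPacket("Gi0/9", 10, attacker, victim, "reply",
                                       attacker, "192.168.1.1", victim, "192.168.1.50"))[0]
    # static server on an untrusted port: allowed by the ARP ACL
    r["acl"] = dai.inspect(ArpPacket("Gi0/21", 10, server, "ff:ff:ff:ff:ff:ff", "request",
                                     server, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.50"))[0]
    # Ethernet source and ARP sender MAC disagree: caught by src-mac validation
    r["src_mismatch"] = dai.inspect(ArpPacket("Gi0/5", 10, attacker, gw, "reply",
                                              victim, "192.168.1.50", gw, "192.168.1.1"))[1]
    # address-conflict probe with sender 0.0.0.0: rejected once 'ip' validation is on
    r["probe"] = dai.inspect(ArpPacket("Gi0/5", 10, victim, "ff:ff:ff:ff:ff:ff", "request",
                                       victim, "0.0.0.0", "00:00:00:00:00:00", "192.168.1.50"))[0]
    return r
```

The last case in demo() is the practical caveat of the ip check: DHCP clients send an ARP probe with a sender address of 0.0.0.0 before using a new lease, and a strict ip validation drops it. If you enable that check, watch the DAI drop counters for probes from legitimate clients; IOS releases that support the allow-zeros keyword on ip arp inspection validate ip exist for exactly this reason, so confirm the behaviour on your platform.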

Configuring Dynamic ARP Inspection

The general configuration steps for DAI are:

  1. Ensure DHCP Snooping is enabled and functioning
  2. Enable DAI for specific VLANs
  3. Configure trusted ports (ports connecting to other infrastructure or devices with static IPs)
  4. Optional: Create ARP ACLs for static IP devices
  5. Optional: Enable additional validation checks
  6. Optional: Configure rate limiting to prevent ARP packet floods

Example DAI configuration on Cisco switches:

Switch(config)# ip arp inspection vlan 10,20,30
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
Switch(config)# ip arp inspection validate src-mac dst-mac ip
Switch(config)# interface range GigabitEthernet0/2-24
Switch(config-if-range)# ip arp inspection limit rate 15
Switch(config-if-range)# exit

In this configuration:

  • DAI is enabled for VLANs 10, 20, and 30
  • Port GigabitEthernet0/1 is trusted (possibly connecting to a router or another switch)
  • Additional validation checks are enabled for source MAC, destination MAC, and IP addresses
  • Untrusted ports are limited to 15 ARP packets per second

DAI Rate Limiting

DAI includes rate limiting to protect the switch's CPU from being overwhelmed by excessive ARP traffic, whether from an attack or a misconfiguration. By default, untrusted ports typically have a rate limit (often 15 ARP packets per second on Cisco switches).

If a port exceeds its rate limit, the switch places it in an error-disabled state, effectively shutting down the port until an administrator manually re-enables it or an automatic recovery mechanism activates.

Note: Be cautious when setting rate limits. In some network scenarios (virtualization hosts, wireless access points), a single physical port might carry ARP traffic for many devices. Setting the limit too low could cause legitimate ports to be error-disabled.

Verifying Dynamic ARP Inspection

To verify DAI is working correctly, use commands like:

Switch# show ip arp inspection
Switch# show ip arp inspection interfaces
Switch# show ip arp inspection statistics
Switch# show ip arp inspection vlan 10

These commands display:

  • Which VLANs have DAI enabled
  • Which ports are trusted or untrusted
  • Rate limiting settings
  • Statistics on packets forwarded, dropped, and validated
  • Information about error-disabled ports

Attack Scenarios and How DHCP Snooping and DAI Prevent Them

Let's examine specific attack scenarios and see how these security features protect against them.

Scenario 1: Rogue DHCP Server Attack

The Attack: An attacker brings a laptop with DHCP server software and connects it to the network. When legitimate users' devices request IP addresses, the rogue server responds faster than the legitimate server (or the legitimate server is offline). The rogue server assigns IP addresses with the attacker's machine as the default gateway, routing all Internet traffic through the attacker's computer for inspection or modification.

How DHCP Snooping Prevents It: The switch port where the attacker's laptop connects is untrusted. When the rogue DHCP server sends DHCP Offer messages, the switch recognizes these as server messages coming from an untrusted port and drops them. Client devices only receive offers from the legitimate DHCP server connected to a trusted port.

Scenario 2: ARP Spoofing Man-in-the-Middle Attack

The Attack: An attacker wants to intercept communication between a victim device (192.168.1.50) and the network gateway (192.168.1.1). The attacker sends fake ARP replies claiming "I am 192.168.1.1, my MAC address is [attacker's MAC]." The victim's computer updates its ARP cache and starts sending all Internet-bound traffic to the attacker instead of the real gateway.

How DAI Prevents It: When the attacker sends the fake ARP reply, it arrives at the switch on an untrusted port. DAI intercepts it and checks the DHCP Snooping database. The database shows that IP 192.168.1.1 is associated with a different MAC address (the real gateway's MAC) and a different port. Since the information doesn't match, DAI drops the fake ARP packet, and the victim never receives the poisoned information.

Scenario 3: DHCP Starvation Attack

The Attack: An attacker uses automated tools to send thousands of DHCP Discover messages with different fake MAC addresses. The DHCP server responds to each one, assigning IP addresses until the entire address pool is exhausted. Legitimate users trying to connect cannot obtain IP addresses, creating a denial of service.

How DHCP Snooping Prevents It: Rate limiting on untrusted ports restricts how many DHCP messages can be sent per second. When the attacker's port exceeds this limit (say, 10 packets per second), the switch either drops the excess packets or places the port in error-disabled state, stopping the attack.

Scenario 4: IP Address Theft

The Attack: An attacker observes that a particular device (like a network printer with elevated privileges) has IP address 192.168.1.100. The attacker manually configures their laptop with the same IP address and MAC address, attempting to impersonate the printer and access resources.

How DAI Prevents It: When the attacker's laptop sends ARP announcements claiming to be 192.168.1.100, DAI checks the DHCP Snooping database. The database shows that 192.168.1.100 is bound to a different MAC address and port. The switch drops the attacker's ARP packets, preventing the impersonation. Additionally, the legitimate printer's port is either trusted or has an ARP ACL entry, so its ARP packets are properly forwarded.


Deployment Considerations and Best Practices

Implementing DHCP Snooping and DAI in production networks requires careful planning. Here are important considerations and best practices:

Planning the Deployment

  • Start with DHCP Snooping: Always enable and verify DHCP Snooping before enabling DAI.
  • Document trusted ports: Create a clear list of which ports should be trusted and why (DHCP servers, gateways, other switches, etc.).
  • Identify static IP devices: Make a comprehensive list of devices with static IP addresses and plan how to handle them (trusted ports or ARP ACLs).
  • Test in a lab first: If possible, test the configuration in a non-production environment before deploying to production.
  • Plan for phased rollout: Consider enabling these features one VLAN at a time rather than all at once.

Trust Configuration Best Practices

  • Minimize trusted ports: Only configure ports as trusted when absolutely necessary. Every trusted port is a potential security gap.
  • Trust infrastructure uplinks: Ports connecting to other switches, routers, and core network devices should typically be trusted.
  • Don't trust end-user ports: Ports connecting to user computers, phones, printers, and similar devices should remain untrusted.
  • Use ARP ACLs for static devices when possible: This provides more security than making entire ports trusted.

Database Persistence

  • Enable database storage: Configure the DHCP Snooping database to be saved to flash memory or a remote location.
  • Regular backups: If the database is large or critical, ensure it's backed up regularly.
  • Consider database aging: Configure appropriate lease times and aging mechanisms to remove outdated entries.

Rate Limiting Guidelines

  • Set appropriate limits: The default rate limit (often 15 packets/second) works for most normal end-user ports.
  • Higher limits for special ports: Virtualization hosts, wireless access points, and other aggregation points may need higher limits.
  • Monitor error-disabled ports: Frequent error-disabled states might indicate either an attack or that limits are too restrictive.
  • Configure automatic recovery: Many switches allow error-disabled ports to automatically recover after a timeout period.

Monitoring and Maintenance

  • Regular log review: Check switch logs for dropped packets, which might indicate attacks or misconfigurations.
  • Statistics monitoring: Periodically review DHCP Snooping and DAI statistics to understand traffic patterns.
  • Database verification: Occasionally verify that the binding database contains expected entries.
  • Update static device lists: When devices with static IPs are added, removed, or changed, update ARP ACLs accordingly.

Common Pitfalls to Avoid

  • Enabling DAI without DHCP Snooping: This will break network connectivity for DHCP clients.
  • Forgetting to configure trusted ports: Failing to trust uplink ports can block legitimate DHCP server responses.
  • Not accounting for static IP devices: Servers and infrastructure devices with static IPs need special configuration.
  • Setting rate limits too low: This can cause legitimate high-density ports to be error-disabled.
  • Not saving the binding database: Switch reboots will clear the database, potentially breaking DAI validation until devices renew their DHCP leases.

Limitations and Considerations

While DHCP Snooping and DAI are powerful security tools, they have limitations and aren't complete security solutions by themselves.

What These Features Don't Protect Against

  • Layer 3 attacks: These features operate at Layer 2 (data link layer). They don't protect against IP-level attacks like IP spoofing in routed traffic.
  • Encrypted traffic manipulation: If an attacker successfully executes a man-in-the-middle attack using other methods, these features won't detect manipulation of encrypted traffic content.
  • Physical security breaches: An attacker with physical access might connect directly to trusted ports or access switch management interfaces.
  • Attacks from trusted devices: If a trusted device is compromised, its malicious activity will bypass these protections.
  • IPv6 attacks: Standard DHCP Snooping and DAI protect IPv4. IPv6 requires separate features (DHCPv6 Guard, IPv6 ND Inspection).

Performance Considerations

  • CPU impact: Validating every ARP packet and DHCP message requires CPU processing. On high-traffic networks with older switches, this could impact performance.
  • Modern switches handle it well: Most modern switches have dedicated hardware (ASICs) that perform these validations at wire speed without CPU impact.
  • Database size limits: Very large networks might exceed the maximum size of the binding database on some switch models.

Compatibility Considerations

  • Switch capabilities: Not all switches support DHCP Snooping and DAI. These are typically found on managed enterprise-grade switches.
  • Wireless networks: Special consideration is needed for wireless controllers and access points, as they may aggregate traffic from many devices.
  • Virtual environments: Virtualization hosts running many virtual machines may generate high ARP/DHCP traffic volumes.

Advanced Topics

DHCP Option 82

DHCP Option 82, also called the Relay Agent Information Option, allows switches to insert additional information into DHCP requests before forwarding them to the DHCP server. This information can include the port number, VLAN, switch MAC address, and other identifying details.

When DHCP Snooping is enabled, switches can automatically insert Option 82 information. This provides several benefits:

  • Enhanced troubleshooting: The DHCP server logs show exactly which switch port requested each IP address.
  • Policy enforcement: DHCP servers can assign different IP addresses or options based on which switch or port the request came from.
  • Security tracking: Network administrators can correlate IP addresses to specific physical locations.

However, Option 82 can cause issues if not configured properly:

Warning: By default, when a switch receives a DHCP packet that already contains Option 82 information (possibly from another switch), it may drop the packet. This is a security feature to prevent Option 82 spoofing, but it can break DHCP in networks with multiple switches. Proper configuration is needed to handle Option 82 in multi-switch environments.
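
To show what Option 82 actually carries and why the drop rule in the warning above matters, here is an added Python example that encodes and parses the Relay Agent Information option (RFC 3046) and applies that default policy. It is example code written for this page, not vendor code. The circuit-id and remote-id sub-option layouts follow the default format Cisco documents (VLAN, module and port in the circuit-id; the switch base MAC in the remote-id), which is an assumption to verify against your platform; the switch MAC, VLAN and port numbers are constructed.

```python
# Added example (not from the page or any vendor): building and parsing
# DHCP option 82 and the untrusted-port drop rule. Sub-option layouts follow
# Cisco's documented defaults (assumption); switch MAC, VLAN, port are constructed.
import struct

OPT_PAD, OPT_MESSAGE_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def cisco_circuit_id(vlan, module, port):
    """Default circuit-id sub-option body: type 0, length 4, VLAN, module, port."""
    return struct.pack("!BBHBB", 0, 4, vlan, module, port)


def cisco_remote_id(switch_mac):
    """Default remote-id sub-option body: type 0, length 6, switch base MAC."""
    return struct.pack("!BB", 0, 6) + switch_mac


def encode_option82(circuit_id, remote_id):
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def parse_options(options):
    """Parse a DHCP options field into {code: value}; stops at the End option."""
    result, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options) or i + 2 + options[i + 1] > len(options):
            raise ValueError("truncated option %d" % code)
        length = options[i + 1]
        result[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return result


def parse_option82(value):
    """Split option 82's value into {sub-option code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated relay agent sub-option")
        length = value[i + 1]
        subs[value[i]] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def decode_circuit_id(sub):
    kind, length, vlan, module, port = struct.unpack("!BBHBB", sub)
    if kind != 0 or length != 4:
        raise ValueError("not a default-format circuit-id")
    return vlan, module, port


def relay_agent_policy(options, port_trusted, vlan, module, port, switch_mac):
    """Switch handling of a client DHCP packet: an untrusted-port packet that
    already carries option 82 is dropped (the default described above); a
    trusted-port packet passes unchanged; otherwise option 82 is inserted."""
    if OPT_RELAY_AGENT in parse_options(options):
        return ("forward", options) if port_trusted else ("drop", None)
    opt82 = encode_option82(cisco_circuit_id(vlan, module, port), cisco_remote_id(switch_mac))
    body = options[:-1] if options.endswith(bytes([OPT_END])) else options
    return "forward", body + opt82 + bytes([OPT_END])


def demo():
    switch_mac = bytes.fromhex("001122334455")             # constructed switch base MAC
    discover = bytes([OPT_MESSAGE_TYPE, 1, 1, OPT_END])    # option 53 = DHCPDISCOVER
    first, tagged = relay_agent_policy(discover, False, vlan=10, module=1, port=5, switch_mac=switch_mac)
    subs = parse_option82(parse_options(tagged)[OPT_RELAY_AGENT])
    vlan, module, port = decode_circuit_id(subs[SUBOPT_CIRCUIT_ID])
    # the tagged packet reaching a second switch: dropped on untrusted, passed on trusted
    again_untrusted, _ = relay_agent_policy(tagged, False, 10, 1, 7, switch_mac)
    again_trusted, passed = relay_agent_policy(tagged, True, 10, 1, 7, switch_mac)
    return {"first": first, "vlan": vlan, "module": module, "port": port,
            "remote_mac": subs[SUBOPT_REMOTE_ID][2:].hex(),
            "untrusted_again": again_untrusted, "trusted_again": again_trusted,
            "unchanged": passed == tagged}
```

demo() walks the multi-switch case from the warning: the access switch inserts option 82 identifying VLAN 10, module 1, port 5 and its own MAC; when that packet reaches the next switch on an untrusted port it is dropped, and on a trusted port it is forwarded untouched. The parser rejects truncated sub-options rather than reading past the buffer, which is the kind of input a server-side consumer of option 82 should expect.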

Integration with Other Security Features

DHCP Snooping and DAI work alongside other network security features:

IP Source Guard

IP Source Guard is another feature that uses the DHCP Snooping binding database. It prevents IP spoofing by creating dynamic port access control lists (ACLs) that permit only traffic with source IP addresses matching the binding database. This adds another layer of protection beyond DAI.

Port Security

Port Security limits which MAC addresses can send traffic on a port and how many MAC addresses are allowed. When combined with DHCP Snooping and DAI, it creates comprehensive protection:

  • Port Security controls which MAC addresses can connect
  • DHCP Snooping controls which IP addresses they can obtain
  • DAI ensures they use only those IP addresses in ARP communications
  • IP Source Guard ensures they use only those IP addresses in actual traffic

DHCP Snooping in Complex Topologies

In networks with multiple switches, special considerations apply:

Hierarchical Switch Networks

In a typical enterprise network with access switches, distribution switches, and core switches:

  • Access switches: Enable DHCP Snooping and DAI, with most ports untrusted (connecting to end devices).
  • Distribution/core switches: Typically enable DHCP Snooping to maintain the binding database, but ports connecting to access switches must be trusted.
  • DHCP server location: The switch port(s) connecting to DHCP servers must be trusted on the switches directly connected to those servers.

DHCP Relay Scenarios

When DHCP servers are on different VLANs or subnets from clients, routers or Layer 3 switches act as DHCP relay agents (also called IP helpers). In these scenarios:

  • The ports connecting to the relay agents should be trusted on the access switches
  • The relay agent devices themselves should have appropriate DHCP Snooping configuration
  • Option 82 handling needs careful configuration to avoid dropped packets

Troubleshooting DHCP Snooping and DAI

When connectivity issues arise after implementing these features, systematic troubleshooting is essential.

Common Problem: Devices Can't Obtain IP Addresses

Symptoms: Client devices fail to get IP addresses via DHCP, timing out during the process.

Possible Causes and Solutions:

  • DHCP server port not trusted: Verify the port connecting to the DHCP server (or to the router relaying DHCP) is configured as trusted.
  • DHCP Snooping not enabled on all necessary VLANs: Ensure DHCP Snooping is enabled for the correct VLANs.
  • Rate limiting too aggressive: Check if ports are being error-disabled due to rate limit violations.
  • Option 82 issues: If using multiple switches, Option 82 might be causing drops. Verify Option 82 configuration.

Verification steps:

show ip dhcp snooping
show ip dhcp snooping binding
show interfaces status err-disabled
show ip dhcp snooping statistics

Common Problem: ARP Communication Failures

Symptoms: Devices have IP addresses but can't communicate with other devices on the same subnet, or communication is intermittent.

Possible Causes and Solutions:

  • DAI enabled without DHCP Snooping: Ensure DHCP Snooping is enabled and the binding database is populated.
  • Static IP devices not properly configured: Verify that static IP devices either connect to trusted ports or have ARP ACL entries.
  • MAC address mismatches: Check that the DHCP Snooping database has correct MAC addresses for devices.
  • ARP rate limiting: Verify that legitimate devices aren't exceeding ARP rate limits.

Verification steps:

show ip arp inspection
show ip arp inspection statistics
show ip dhcp snooping binding
show ip arp inspection interfaces
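
When chasing the "MAC address mismatches" and "static IP devices not properly configured" causes above, it helps to compare the binding table the switch prints with the hosts you expect on each port. The following added Python example (written for this page, not vendor code) parses the output of show ip dhcp snooping binding and reports hosts that are missing from the table, bound to a different MAC or port, close to lease expiry, or statically addressed yet present in the table. The sample output is constructed in the column layout IOS prints; the expected-host list is also constructed.

```python
# Added example (not from the page): parse the binding table as printed by
# 'show ip dhcp snooping binding' and compare it with the hosts you expect.
# SAMPLE_OUTPUT is constructed in the column layout IOS uses.
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.10.50    85920       dhcp-snooping   10    GigabitEthernet0/5
00:11:22:33:44:66   192.168.10.51    120         dhcp-snooping   10    GigabitEthernet0/6
Total number of bindings: 2
"""


@dataclass(frozen=True)
class BindingRow:
    mac: str
    ip: str
    lease: int
    kind: str
    vlan: int
    interface: str


def normalize_mac(mac):
    """Accept 00A0.C911.1111, 00-a0-c9-11-11-11 or 00:a0:c9:11:11:11; return lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_binding_table(text):
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "MacAddress" or fields[0].startswith("-"):
            continue                      # header, separator, blank or 'Total ...' line
        mac, ip, lease, kind, vlan, iface = fields
        rows.append(BindingRow(normalize_mac(mac), ip, int(lease), kind, int(vlan), iface))
    return rows


def verify_bindings(rows, expected, static_ips=(), expiring_within=300):
    """expected: {ip: (mac, interface)} for DHCP clients that should be in the table."""
    by_ip = {r.ip: r for r in rows}
    findings = {"missing": [], "mac_mismatch": [], "port_mismatch": []}
    for ip, (mac, iface) in sorted(expected.items()):
        row = by_ip.get(ip)
        if row is None:
            findings["missing"].append(ip)      # DAI drops this host's ARP on an untrusted port
        elif row.mac != normalize_mac(mac):
            findings["mac_mismatch"].append(ip)
        elif row.interface != iface:
            findings["port_mismatch"].append(ip)
    findings["expiring"] = [r.ip for r in rows if r.lease < expiring_within]
    # a static address that also appears in the table points at an address conflict
    findings["static_in_table"] = [ip for ip in static_ips if ip in by_ip]
    return findings


def demo():
    expected = {
        "192.168.10.50": ("00:11:22:33:44:55", "GigabitEthernet0/5"),   # matches the table
        "192.168.10.51": ("0011.2233.4477", "GigabitEthernet0/6"),      # MAC differs from the table
        "192.168.10.52": ("00:11:22:33:44:88", "GigabitEthernet0/7"),   # absent from the table
    }
    return verify_bindings(parse_binding_table(SAMPLE_OUTPUT), expected,
                           static_ips=("192.168.20.10", "192.168.10.51"))
```

Feed it the real command output captured from the switch (for example over SSH) and keep the expected list in version control next to your ARP ACLs; a host in "missing" is exactly the one whose ARP DAI will drop after a reboot until it renews, and an entry in "static_in_table" means a DHCP lease collided with an address you configured by hand.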

Common Problem: Intermittent Connectivity After Switch Reboot

Symptoms: After a switch restart, devices can't communicate properly until they renew their DHCP leases.

Cause: The DHCP Snooping binding database was not saved to persistent storage and was lost during the reboot.

Solution: Configure the binding database to be saved to flash memory or a remote location:

ip dhcp snooping database flash:dhcp_snooping.db

Using Debug and Logging

When troubleshooting complex issues, enable logging and debugging (use caution in production environments, as debugging can impact performance):

debug ip dhcp snooping packet
debug ip arp inspection packet
show logging

These commands will show detailed information about which packets are being processed, validated, or dropped.


Real-World Implementation Example

Let's walk through a complete implementation scenario to tie everything together.

Network Scenario

A small company has the following network setup:

  • One access switch (24 ports) serving user workstations
  • VLAN 10 for regular users (ports 1-20)
  • VLAN 20 for servers (ports 21-22)
  • DHCP server at 192.168.10.5 connected to port 23
  • Router/gateway connected to port 24
  • Two file servers with static IPs (192.168.20.10 and 192.168.20.11) on ports 21-22

Security Goals

  • Prevent rogue DHCP servers on user ports
  • Prevent ARP spoofing attacks
  • Allow legitimate static IP servers to function
  • Protect against DHCP starvation

Step-by-Step Configuration

Step 1: Enable DHCP Snooping globally and for VLANs

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20

Step 2: Configure trusted ports (DHCP server and router)

Switch(config)# interface GigabitEthernet0/23
Switch(config-if)# description DHCP Server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# description Gateway Router
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

Step 3: Configure rate limiting on untrusted ports

Switch(config)# interface range GigabitEthernet0/1-22
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# exit

Step 4: Configure database persistence

Switch(config)# ip dhcp snooping database flash:dhcp_snooping.db
Switch(config)# ip dhcp snooping database write-delay 300

Step 5: Enable Dynamic ARP Inspection

Switch(config)# ip arp inspection vlan 10,20

Step 6: Configure trusted ports for DAI (same as DHCP Snooping)

Switch(config)# interface GigabitEthernet0/23
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

Step 7: Create ARP ACL for static IP servers

Switch(config)# arp access-list STATIC-SERVERS
Switch(config-arp-nacl)# permit ip host 192.168.20.10 mac host 0011.2233.4455
Switch(config-arp-nacl)# permit ip host 192.168.20.11 mac host 0011.2233.6677
Switch(config-arp-nacl)# exit

Switch(config)# ip arp inspection filter STATIC-SERVERS vlan 20

The MAC addresses in the ACL must be the servers' real NIC addresses, or DAI will drop their ARP traffic. Without the optional static keyword at the end of the filter command, an ARP packet that matches no permit entry is still compared against the DHCP Snooping bindings; with static, the ACL's implicit deny is final and the bindings are not consulted for that VLAN.

Step 8: Enable additional DAI validation

Switch(config)# ip arp inspection validate src-mac dst-mac ip

Step 9: Configure ARP rate limiting

Switch(config)# interface range GigabitEthernet0/1-22
Switch(config-if-range)# ip arp inspection limit rate 15
Switch(config-if-range)# exit

Step 10: Verify the configuration

Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection
Switch# show ip arp inspection interfaces
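To show what the configuration above actually decides packet by packet, here is an added Python model of DAI's decision logic (example code written for this page, not a Cisco implementation) loaded with the scenario's trust settings, a constructed DHCP binding for a VLAN 10 laptop, the STATIC-SERVERS ACL on VLAN 20, all three validate checks, and the 15 pps ARP rate limit. The check order (rate limit, then validate checks, then ARP ACL, then DHCP bindings), the one-second rate window and the dotted MAC strings are assumptions of the model; the interface names and the laptop's and attacker's MACs are invented.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    in_port: str
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    sender_mac: str    # ARP body: sender hardware address
    sender_ip: str     # ARP body: sender protocol address
    target_mac: str
    target_ip: str
    is_reply: bool


@dataclass
class DaiConfig:
    vlans: set[int]                        # ip arp inspection vlan ...
    trusted_ports: set[str]                # ip arp inspection trust
    bindings: dict[tuple[int, str], str]   # (vlan, ip) -> MAC learned by DHCP Snooping
    arp_acls: dict[int, set[tuple[str, str]]] = field(default_factory=dict)  # vlan -> {(ip, mac)}
    acl_static: set[int] = field(default_factory=set)   # VLANs whose filter uses 'static'
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False
    rate_limit: int = 15                   # ARP packets per second per untrusted port


def _bad_ip(ip: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255, multicast."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_multicast or ip == "255.255.255.255"


class DaiSwitch:
    def __init__(self, cfg: DaiConfig):
        self.cfg = cfg
        self.errdisabled: set[str] = set()
        self._window: dict[tuple[str, int], int] = defaultdict(int)  # (port, second) -> count

    def inspect(self, pkt: ArpPacket, second: int = 0) -> tuple[str, str]:
        """Return ('forward' | 'drop', reason) for one ARP packet."""
        cfg = self.cfg
        if pkt.vlan not in cfg.vlans:
            return "forward", "vlan-not-inspected"
        if pkt.in_port in cfg.trusted_ports:
            return "forward", "trusted-port"          # no checks on trusted ports
        if pkt.in_port in self.errdisabled:
            return "drop", "port-errdisabled"
        self._window[(pkt.in_port, second)] += 1
        if self._window[(pkt.in_port, second)] > cfg.rate_limit:
            self.errdisabled.add(pkt.in_port)        # ip arp inspection limit rate
            return "drop", "rate-limit-exceeded (port err-disabled)"
        # ip arp inspection validate src-mac dst-mac ip
        if cfg.validate_src_mac and pkt.eth_src != pkt.sender_mac:
            return "drop", "src-mac-mismatch"
        if cfg.validate_dst_mac and pkt.is_reply and pkt.eth_dst != pkt.target_mac:
            return "drop", "dst-mac-mismatch"
        if cfg.validate_ip and (_bad_ip(pkt.sender_ip) or (pkt.is_reply and _bad_ip(pkt.target_ip))):
            return "drop", "invalid-ip"
        # An ARP ACL applied to the VLAN is consulted before the DHCP bindings
        acl = cfg.arp_acls.get(pkt.vlan)
        if acl is not None:
            if (pkt.sender_ip, pkt.sender_mac) in acl:
                return "forward", "acl-permit"
            if pkt.vlan in cfg.acl_static:
                return "drop", "acl-implicit-deny"   # 'static': no fallback to bindings
        if cfg.bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac:
            return "forward", "dhcp-binding"
        return "drop", "no-matching-binding"


BROADCAST, ZERO_MAC = "ffff.ffff.ffff", "0000.0000.0000"

def arp_request(vlan, port, mac, ip, target_ip, eth_src=None) -> ArpPacket:
    return ArpPacket(vlan, port, eth_src or mac, BROADCAST, mac, ip, ZERO_MAC, target_ip, False)

def arp_reply(vlan, port, mac, ip, target_mac, target_ip, eth_src=None) -> ArpPacket:
    return ArpPacket(vlan, port, eth_src or mac, target_mac, mac, ip, target_mac, target_ip, True)


def example_switch() -> DaiSwitch:
    """The scenario from this section; the laptop binding is constructed."""
    return DaiSwitch(DaiConfig(
        vlans={10, 20},
        trusted_ports={"Gi0/23", "Gi0/24"},
        bindings={(10, "192.168.10.101"): "0011.2233.aaaa"},
        arp_acls={20: {("192.168.20.10", "0011.2233.4455"), ("192.168.20.11", "0011.2233.6677")}},
        validate_src_mac=True, validate_dst_mac=True, validate_ip=True, rate_limit=15))


def run_scenarios() -> dict[str, tuple[str, str]]:
    sw = example_switch()
    gw, laptop, evil = "0011.2233.0001", "0011.2233.aaaa", "dead.beef.0001"
    r = {}
    r["laptop-request"] = sw.inspect(arp_request(10, "Gi0/5", laptop, "192.168.10.101", "192.168.10.1"))
    r["gateway-reply-trusted"] = sw.inspect(arp_reply(10, "Gi0/24", gw, "192.168.10.1", laptop, "192.168.10.101"))
    r["poison-gateway-ip"] = sw.inspect(arp_reply(10, "Gi0/9", evil, "192.168.10.1", laptop, "192.168.10.101"))
    r["server-static-acl"] = sw.inspect(arp_request(20, "Gi0/21", "0011.2233.4455", "192.168.20.10", "192.168.20.1"))
    r["forged-ethernet-src"] = sw.inspect(arp_request(10, "Gi0/9", laptop, "192.168.10.101", "192.168.10.1", eth_src=evil))
    r["zero-sender-ip"] = sw.inspect(arp_request(10, "Gi0/9", evil, "0.0.0.0", "192.168.10.1"))
    for _ in range(16):   # 16 requests in one second from one untrusted port
        last = sw.inspect(arp_request(10, "Gi0/7", evil, "192.168.10.250", "192.168.10.1"), second=5)
    r["flood-16th-packet"] = last
    r["after-errdisable"] = sw.inspect(arp_request(10, "Gi0/7", laptop, "192.168.10.101", "192.168.10.1"), second=6)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict[0]:8} {verdict[1]}")
```

Two things the model makes visible that the configuration alone does not: the gateway's ARP replies are never inspected because they arrive on a trusted port, so trusting the wrong port silently disables the protection for everything behind it; and the zero-sender-ip case shows that validate ip also drops legitimate address-conflict probes that use a sender IP of 0.0.0.0 (newer IOS releases add an allow zeros keyword to validate ip for exactly this case), which is worth checking before enabling it on a VLAN with clients that send such probes.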

Testing the Implementation

After configuration, perform these tests:

  1. DHCP functionality: Connect a laptop to a user port and verify it receives an IP address.
  2. Binding database: Check that the laptop appears in the DHCP Snooping binding database.
  3. Rogue DHCP prevention: Try running a DHCP server on a user port and verify clients don't receive addresses from it.
  4. ARP validation: Verify normal communication works and check DAI statistics show packets being validated.
  5. Static IP servers: Confirm the servers can communicate properly.
  6. Rate limiting: Optionally test that excessive DHCP or ARP traffic triggers rate limiting.

Review Questions

  1. What is the primary purpose of DHCP Snooping, and what types of attacks does it prevent?
  2. Explain the difference between trusted and untrusted ports in the context of DHCP Snooping. Give examples of devices that should connect to each type.
  3. What information is stored in the DHCP Snooping Binding Database, and why is this database important for network security?
  4. Describe how a rogue DHCP server attack works and explain step-by-step how DHCP Snooping prevents it.
  5. What is ARP spoofing (ARP poisoning), and why is ARP inherently vulnerable to this type of attack?
  6. Explain how Dynamic ARP Inspection validates ARP packets. What happens when an ARP packet fails validation?
  7. Why must DHCP Snooping be enabled and functioning before implementing Dynamic ARP Inspection? What would happen if DAI were enabled without DHCP Snooping?
  8. How should devices with static IP addresses be handled when DAI is enabled? Describe two different approaches.
  9. What is the purpose of rate limiting in DHCP Snooping and DAI, and what happens when a port exceeds its configured rate limit?
  10. Explain what DHCP Option 82 is and what benefits it provides when used with DHCP Snooping.
  11. If a switch loses power and reboots, what happens to the DHCP Snooping Binding Database? How can this problem be prevented?
  12. Describe a complete man-in-the-middle attack scenario using ARP spoofing, then explain how implementing both DHCP Snooping and DAI would prevent it.
  13. What additional validation checks can DAI perform beyond the basic IP-to-MAC binding validation, and what types of malicious packets do these catch?
  14. In a network with multiple switches in a hierarchical topology, which switches should have DHCP Snooping and DAI enabled, and how should trust relationships be configured?
  15. What are the limitations of DHCP Snooping and DAI? Name three types of attacks or security issues they do not protect against.

Glossary

  • ARP (Address Resolution Protocol): A protocol used to map IP addresses to MAC addresses on a local network segment
  • ARP Cache: A temporary table stored in a device's memory that maps IP addresses to MAC addresses to avoid repeatedly sending ARP requests
  • ARP Spoofing/Poisoning: An attack where an attacker sends fake ARP messages to associate their MAC address with another device's IP address, redirecting traffic
  • ARP Access Control List (ACL): A list of permitted IP-to-MAC address bindings used by DAI to validate ARP packets from devices with static IP addresses
  • Binding Database: A table maintained by DHCP Snooping that records the MAC address, IP address, lease time, port, and VLAN for each device that obtained an IP via DHCP
  • DAI (Dynamic ARP Inspection): A security feature that validates ARP packets against a trusted database to prevent ARP spoofing attacks
  • DHCP (Dynamic Host Configuration Protocol): A network protocol that automatically assigns IP addresses and network configuration to devices
  • DHCP Snooping: A security feature that monitors and validates DHCP messages, building a database of legitimate IP-to-MAC bindings and preventing rogue DHCP servers
  • DHCP Starvation Attack: An attack where an attacker floods the DHCP server with requests to exhaust all available IP addresses, denying service to legitimate users
  • Error-Disabled State: A port state where the switch has automatically shut down a port due to a security violation or configuration issue
  • IP Source Guard: A security feature that uses the DHCP Snooping binding database to prevent IP address spoofing by filtering traffic based on source IP addresses
  • MAC Address: A unique hardware identifier assigned to a network interface card, consisting of 48 bits usually represented in hexadecimal format
  • Man-in-the-Middle Attack: An attack where an attacker intercepts communication between two parties by positioning themselves in the communication path
  • Option 82 (DHCP Relay Agent Information): A DHCP option that allows network devices to insert additional information (like port and VLAN) into DHCP requests
  • Rate Limiting: A mechanism that restricts the number of packets of a certain type that can be sent through a port per unit of time
  • Rogue DHCP Server: An unauthorized DHCP server on a network that can hand out malicious network configurations to clients
  • Static IP Address: An IP address that is manually configured on a device and does not change, as opposed to being dynamically assigned by DHCP
  • Trusted Port: A switch port configured to allow DHCP server messages and bypass DAI validation, typically connecting to network infrastructure
  • Untrusted Port: A switch port where DHCP server messages are blocked and ARP packets are validated, typically connecting to end-user devices
  • VLAN (Virtual Local Area Network): A logical grouping of network devices that can communicate as if they were on the same physical network segment, regardless of physical location