Status: COMPLETE

DHCP Snooping & DAI

Layer 2 security lab covering DHCP snooping, dynamic ARP inspection, and IP source guard to harden the access layer against common L2 attacks.

DHCP Snooping DAI IP Source Guard ARP ACL L2 Security Trusted ports Binding table
[Figure: DHCP Snooping & DAI topology]
COVERAGE
DHCP Snooping
  • Trusted uplink ports
  • Untrusted access ports
  • DHCP snooping binding table
  • Rate limiting on untrusted ports
  • Option 82 handling
Dynamic ARP Inspection
  • DAI enabled per VLAN
  • ARP ACL for static hosts
  • Trusted ports bypass DAI
  • DAI logging and rate limiting
  • Validate src-mac, dst-mac, IP
IP Source Guard
  • Filter by IP and MAC
  • Uses DHCP snooping binding table
  • Static IP source binding for servers
  • Prevents IP spoofing on access ports
Attack Scenarios
  • Rogue DHCP server simulation
  • ARP spoofing/poisoning attempt
  • IP spoofing from untrusted port
  • Verify drops with show counters
NOTES
This lab was built to reproduce and troubleshoot a production issue involving DHCP snooping and Option 82. When snooping is enabled, some switches insert Option 82 (the relay agent information option) into DHCP requests by default. If the DHCP server or the upstream switch is not configured to accept Option 82 from that source, the requests are dropped silently, with no error on the client and no lease handed out. The lab covers trust port configuration, Option 82 handling, DAI across VLANs, and IP source guard on the static client port (PC5).
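The configuration below is an added example written for this page, not the lab's own config. It shows a Cisco IOS access switch with DHCP snooping, Option 82 disabled on the inserting switch (the silent-drop cause described above), DAI with an ARP ACL for a static host, and IP Source Guard with a static binding for PC5. VLAN 10, the interface names, the MAC address 0011.2233.4455 and the address 10.0.10.50 are assumed lab values, not taken from the page.

```cisco
! ---- DHCP snooping (global) ----
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 is inserted by default on many platforms once snooping is on.
! Either stop inserting it here ...
no ip dhcp snooping information option
! ... or keep it and make the upstream side accept it instead, e.g. on the relay:
!   ip dhcp relay information trust-all
! or on an aggregation switch that receives it on an untrusted port:
!   ip dhcp snooping information option allow-untrusted

! ---- Dynamic ARP Inspection (global) ----
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Static host that never takes a DHCP lease, so it has no snooping binding
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10

! ---- Static IPSG binding for PC5 (assumed on Gi0/5) ----
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet0/5

! Let rate-limited ports recover instead of staying err-disabled
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection

! ---- Uplink toward the DHCP server: trusted for snooping and DAI ----
interface GigabitEthernet0/1
 description UPLINK to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! ---- DHCP client access ports: untrusted, rate-limited, IPSG by IP+MAC ----
interface range GigabitEthernet0/2 - 4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source port-security

! ---- PC5: static IP, filtered against the static binding above ----
interface GigabitEthernet0/5
 description PC5 (static IP)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip arp inspection limit rate 15
 ip verify source port-security

! ---- Verification after running the attack scenarios ----
! show ip dhcp snooping                       -> trusted ports, Option 82 state
! show ip dhcp snooping binding               -> leases learned on untrusted ports
! show ip arp inspection statistics vlan 10   -> DAI drops (ACL / DHCP-binding / validate)
! show ip verify source                       -> IPSG filter per port
! show ip arp inspection interfaces           -> trust state and rate limits
```

A dropped DHCP request shows up as a rising "DHCP Dropped" counter under show ip dhcp snooping statistics rather than as a client-side error; checking that counter together with the Option 82 line in show ip dhcp snooping is the quickest way to confirm the silent-drop case the notes describe. Note that ip verify source port-security needs switchport port-security on the same interface; without it IPSG filters on IP only.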