All topic guides
Layer 2 SwitchingAmalgamated guide

Switch Security

Port security, DHCP snooping, DAI, and BPDU Guard.

How the sources were combined

Panagiss Switch Security covers port security visually. jdepew88 ARP Inspection and DHCP Snooping adds mitigation workflows — merged into a single L2 defense guide.

Overview

Access-layer switches are the first line of defense against rogue DHCP, ARP spoofing, unauthorized MACs, and STP manipulation. CCNA covers port security, DHCP snooping, DAI, and BPDU Guard.

Port security — limit MAC addresses on access ports.

Port security — limit MAC addresses on access ports.

Supplementary figure from Panagiss CCNAmd

Layer 2 threat model

  1. Port security — limit MAC addresses per access port
  2. DHCP snooping — block rogue DHCP servers
  3. Dynamic ARP Inspection (DAI) — validate ARP against DHCP bindings
  4. BPDU Guard — shut access ports that receive spanning-tree BPDUs
Info

802.1X is also an access-layer control (authenticate before normal VLAN access). CCNA may reference it conceptually; port security + DHCP snooping + DAI are the deeper configuration topics.

Port security

Port security restricts which source MAC addresses may send traffic into an access port. Two common production goals:

  • Limit MAC count — stop users from connecting hubs, rogue APs, or small switches behind their desk
  • Sticky learning — dynamically learn authorized MACs and persist them to config
Port security limits how many MAC addresses may transmit on an access port.

Port security limits how many MAC addresses may transmit on an access port.

Supplementary figure from Panagiss CCNAmd

Warning

Locking a port to a single static MAC is easy to spoof at Layer 2. Port security's main value is controlling how many devices attach — not perfect identity proof.

Violation modes

ModeBehavior
shutdown (default)Err-disable the port — all traffic blocked until recovery
protectDrop violating frames silently
restrictDrop + log + increment violation counter
Port security with sticky MACs

interface GigabitEthernet0/5 switchport mode access switchport access vlan 20 switchport port-security switchport port-security maximum 2 switchport port-security mac-address sticky switchport port-security violation shutdown

Maximum MAC addresses: Default is 1. IP phone + PC behind the phone typically needs maximum 2 (phone MAC + PC MAC on the same access port).

Recovery from err-disable

  1. Remove the offending device
  2. shutdown then no shutdown the interface

Or enable auto-recovery:

Err-disable auto-recovery

errdisable recovery cause psecure-violation errdisable recovery interval 600

Verify port security

show port-security show port-security interface GigabitEthernet0/5 show port-security address show errdisable recovery

DHCP snooping

A rogue DHCP server on an access VLAN can hand out attacker-controlled gateways and DNS — classic man-in-the-middle. DHCP snooping builds a binding table (MAC ↔ IP ↔ VLAN) by inspecting DHCP messages and drops server responses that arrive on untrusted ports.

Trusted vs untrusted

  • Trusted ports: Uplinks to legitimate DHCP servers or other switches (where valid server replies enter)
  • Untrusted ports: End-user access ports — DHCP server messages are dropped
DHCP snooping

ip dhcp snooping ip dhcp snooping vlan 10,20 ! interface GigabitEthernet0/1 description Uplink to core / DHCP server path ip dhcp snooping trust

Tip

Enable DHCP snooping per VLAN — not globally enough by itself. Every switch in the VLAN path needs consistent trusted/untrusted marking on uplinks vs access ports.

Exam scenario

PC receives IP 10.10.10.50 from rogue server with gateway 10.10.10.99 (attacker). With snooping enabled, the rogue DHCPOFFER/ACK on an untrusted access port is dropped. Only the trusted server path succeeds.

Verify DHCP snooping

show ip dhcp snooping show ip dhcp snooping binding

Dynamic ARP Inspection (DAI)

ARP poisoning maps a victim's IP to the attacker's MAC — intercepting traffic at Layer 2. DAI compares ARP packets against the DHCP snooping binding table. If sender IP/MAC/VLAN don't match a valid binding, the ARP packet is dropped.

Warning

DAI requires DHCP snooping on the same VLANs. Without the binding table, DAI has nothing to validate against.

DAI is not performed on trusted ports — configure trust on uplinks where ARP from legitimate routers is expected.

Dynamic ARP Inspection

ip arp inspection vlan 10,20 ! interface GigabitEthernet0/1 ip arp inspection trust ip dhcp snooping trust

Non-DHCP clients

Hosts with static IP need manual ARP ACLs or static DHCP snooping bindings — otherwise DAI drops their ARP. CCNA labs usually assume DHCP clients.

Verify DAI

show ip arp inspection show ip arp inspection statistics show ip dhcp snooping binding

BPDU Guard

BPDU Guard protects access ports configured with Portfast. If a user connects an unmanaged switch (or attacker) that sends BPDUs, the port err-disables instead of participating in STP and potentially becoming a loop entry point.

BPDU Guard on access ports

interface GigabitEthernet0/10 spanning-tree portfast spanning-tree bpduguard enable ! spanning-tree portfast bpduguard default

FeatureProtects againstWhere to apply
BPDU GuardRogue switch on access portAccess ports with Portfast
Root GuardUnexpected root bridgeDistribution/core facing access
Port securityMAC flooding / extra devicesUser access ports
DHCP snoopingRogue DHCPAll access VLANs
DAIARP spoofing/poisoningVLANs with DHCP snooping

Defense-in-depth workflow

Deploy controls in this order on a typical access switch:

  1. Port security on all user access ports (maximum 1 or 2 for phone+PC)
  2. Portfast + BPDU Guard on those same access ports
  3. DHCP snooping for user VLANs — trust only uplinks
  4. DAI on the same VLANs — trust uplinks toward routers
  5. Verify bindings before enabling DAI in production

Traffic flow on an untrusted access port: frames hit port security first (MAC limit), DHCP server replies are filtered by snooping, then ARP is validated by DAI against the binding table. A BPDU on a Portfast port triggers BPDU Guard err-disable.

Exam checklist

TrapDetail
DAI without DHCP snoopingDAI won't work — binding table missing
Forgot to trust uplinkLegitimate DHCP/ARP from server path blocked
Port security default maximumDefault max = 1 — phone+PC needs 2
Violation mode confusionOnly shutdown err-disables the port
BPDU Guard on trunkApply to access ports — not core trunks
Sticky MAC not savedcopy run start needed to survive reload

Troubleshooting commands

Layer 2 security verification

show port-security interface GigabitEthernet0/5 show ip dhcp snooping binding show ip arp inspection statistics show spanning-tree interface GigabitEthernet0/10 detail show errdisable recovery

Quick lab checklist

  1. Configure port security sticky + violation shutdown on Fa0/5
  2. Enable DHCP snooping VLAN 10; trust Gi0/1 uplink only
  3. Confirm binding with show ip dhcp snooping binding after PC gets DHCP
  4. Enable ip arp inspection vlan 10
  5. Enable Portfast + BPDU Guard on access range
  6. Test: plug cheap switch into access port → expect err-disable

Related lessons on this site

Continue in this domain

Layer 2 Switching · guide 3 of 4

Sources & further reading

Panagiss CCNAmd

jdepew88 CCNA Notes (markdown)

psaumur CCNA Course Notes

Additional references

This page is an amalgamated study guide synthesized from the markdown sources above, cross-checked against Cisco's official CCNA exam topics. Verify scope before your exam date.