Overview
Access-layer switches are the first line of defense against rogue DHCP, ARP spoofing, unauthorized MACs, and STP manipulation. CCNA covers port security, DHCP snooping, DAI, and BPDU Guard.

Port security — limit MAC addresses on access ports.
Supplementary figure from Panagiss CCNAmd
Layer 2 threat model
- Port security — limit MAC addresses per access port
- DHCP snooping — block rogue DHCP servers
- Dynamic ARP Inspection (DAI) — validate ARP against DHCP bindings
- BPDU Guard — shut access ports that receive spanning-tree BPDUs
802.1X is also an access-layer control (authenticate before normal VLAN access). CCNA may reference it conceptually; port security + DHCP snooping + DAI are the deeper configuration topics.
Port security
Port security restricts which source MAC addresses may send traffic into an access port. Two common production goals:
- Limit MAC count — stop users from connecting hubs, rogue APs, or small switches behind their desk
- Sticky learning — dynamically learn authorized MACs and persist them to config

Port security limits how many MAC addresses may transmit on an access port.
Supplementary figure from Panagiss CCNAmd
Locking a port to a single static MAC is easy to spoof at Layer 2. Port security's main value is controlling how many devices attach — not perfect identity proof.
Violation modes
| Mode | Behavior |
|---|---|
| shutdown (default) | Err-disable the port — all traffic blocked until recovery |
| protect | Drop violating frames silently |
| restrict | Drop + log + increment violation counter |
interface GigabitEthernet0/5 switchport mode access switchport access vlan 20 switchport port-security switchport port-security maximum 2 switchport port-security mac-address sticky switchport port-security violation shutdown
Maximum MAC addresses: Default is 1. IP phone + PC behind the phone typically needs maximum 2 (phone MAC + PC MAC on the same access port).
Recovery from err-disable
- Remove the offending device
shutdownthenno shutdownthe interface
Or enable auto-recovery:
errdisable recovery cause psecure-violation errdisable recovery interval 600
show port-security show port-security interface GigabitEthernet0/5 show port-security address show errdisable recovery
DHCP snooping
A rogue DHCP server on an access VLAN can hand out attacker-controlled gateways and DNS — classic man-in-the-middle. DHCP snooping builds a binding table (MAC ↔ IP ↔ VLAN) by inspecting DHCP messages and drops server responses that arrive on untrusted ports.
Trusted vs untrusted
- Trusted ports: Uplinks to legitimate DHCP servers or other switches (where valid server replies enter)
- Untrusted ports: End-user access ports — DHCP server messages are dropped
ip dhcp snooping ip dhcp snooping vlan 10,20 ! interface GigabitEthernet0/1 description Uplink to core / DHCP server path ip dhcp snooping trust
Enable DHCP snooping per VLAN — not globally enough by itself. Every switch in the VLAN path needs consistent trusted/untrusted marking on uplinks vs access ports.
Exam scenario
PC receives IP 10.10.10.50 from rogue server with gateway 10.10.10.99 (attacker). With snooping enabled, the rogue DHCPOFFER/ACK on an untrusted access port is dropped. Only the trusted server path succeeds.
show ip dhcp snooping show ip dhcp snooping binding
Dynamic ARP Inspection (DAI)
ARP poisoning maps a victim's IP to the attacker's MAC — intercepting traffic at Layer 2. DAI compares ARP packets against the DHCP snooping binding table. If sender IP/MAC/VLAN don't match a valid binding, the ARP packet is dropped.
DAI requires DHCP snooping on the same VLANs. Without the binding table, DAI has nothing to validate against.
DAI is not performed on trusted ports — configure trust on uplinks where ARP from legitimate routers is expected.
ip arp inspection vlan 10,20 ! interface GigabitEthernet0/1 ip arp inspection trust ip dhcp snooping trust
Non-DHCP clients
Hosts with static IP need manual ARP ACLs or static DHCP snooping bindings — otherwise DAI drops their ARP. CCNA labs usually assume DHCP clients.
show ip arp inspection show ip arp inspection statistics show ip dhcp snooping binding
BPDU Guard
BPDU Guard protects access ports configured with Portfast. If a user connects an unmanaged switch (or attacker) that sends BPDUs, the port err-disables instead of participating in STP and potentially becoming a loop entry point.
interface GigabitEthernet0/10 spanning-tree portfast spanning-tree bpduguard enable ! spanning-tree portfast bpduguard default
| Feature | Protects against | Where to apply |
|---|---|---|
| BPDU Guard | Rogue switch on access port | Access ports with Portfast |
| Root Guard | Unexpected root bridge | Distribution/core facing access |
| Port security | MAC flooding / extra devices | User access ports |
| DHCP snooping | Rogue DHCP | All access VLANs |
| DAI | ARP spoofing/poisoning | VLANs with DHCP snooping |
Defense-in-depth workflow
Deploy controls in this order on a typical access switch:
- Port security on all user access ports (
maximum 1or2for phone+PC) - Portfast + BPDU Guard on those same access ports
- DHCP snooping for user VLANs — trust only uplinks
- DAI on the same VLANs — trust uplinks toward routers
- Verify bindings before enabling DAI in production
Traffic flow on an untrusted access port: frames hit port security first (MAC limit), DHCP server replies are filtered by snooping, then ARP is validated by DAI against the binding table. A BPDU on a Portfast port triggers BPDU Guard err-disable.
Exam checklist
| Trap | Detail |
|---|---|
| DAI without DHCP snooping | DAI won't work — binding table missing |
| Forgot to trust uplink | Legitimate DHCP/ARP from server path blocked |
| Port security default maximum | Default max = 1 — phone+PC needs 2 |
| Violation mode confusion | Only shutdown err-disables the port |
| BPDU Guard on trunk | Apply to access ports — not core trunks |
| Sticky MAC not saved | copy run start needed to survive reload |
Troubleshooting commands
show port-security interface GigabitEthernet0/5 show ip dhcp snooping binding show ip arp inspection statistics show spanning-tree interface GigabitEthernet0/10 detail show errdisable recovery
Quick lab checklist
- Configure port security sticky + violation shutdown on Fa0/5
- Enable DHCP snooping VLAN 10; trust Gi0/1 uplink only
- Confirm binding with
show ip dhcp snooping bindingafter PC gets DHCP - Enable
ip arp inspection vlan 10 - Enable Portfast + BPDU Guard on access range
- Test: plug cheap switch into access port → expect err-disable