CCNP SWITCH: DHCP Snooping and Dynamic ARP Inspection

DHCP Snooping

An attacker could connect a rogue DHCP server to the network and reply to client DHCP requests with an incorrect default gateway and DNS servers, leading to a man-in-the-middle attack that lets the attacker capture sensitive information such as usernames and passwords. DHCP Snooping prevents this by trusting only the switch port(s) a legitimate DHCP server is connected to, with all other switch ports defined as un-trusted. An un-trusted port is blocked from sending any DHCP server responses and can only request an IP address.

DHCP snooping builds a binding table containing the client MAC address, IP address, lease time, binding type, VLAN number and port ID, recorded as clients request a DHCP address on an un-trusted port. All ports are un-trusted unless specifically configured as trusted.

Enable DHCP Snooping globally and on the VLAN

Switch (config)# ip dhcp snooping
Switch (config)# ip dhcp snooping vlan 10

Configure the trusted interfaces

Activated on switch uplinks and server access ports. Only a DHCP server connected to a trusted interface can respond to a DHCP request.

Switch (config)# interface gigabitethernet 0/1
Switch (config-if)# ip dhcp snooping trust

Enable DHCP rate limit on all un-trusted interfaces

To prevent an attacker from leasing every address in the DHCP pool, limit each un-trusted interface to a small number of DHCP packets per second.

Switch (config)# interface range fastethernet 0/1-24
Switch (config-if-range)# ip dhcp snooping limit rate 5

Show Commands

Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding

Dynamic ARP Inspection (DAI)

A malicious user can spoof MAC addresses to poison the ARP tables of other devices on the same VLAN with the attacker’s MAC address, using tools such as ettercap or dsniff. When enabled, Dynamic ARP Inspection (DAI) helps prevent this type of man-in-the-middle attack by not relaying these gratuitous ARP replies to the other ports. DAI intercepts all ARP requests and replies on un-trusted ports; each intercepted packet is checked for a valid IP-to-MAC binding in the DHCP Snooping binding table.

Enable DAI on VLAN 10

Switch (config)# ip arp inspection vlan 10

Configure the switch uplink interface as trusted

Switch (config)# interface gigabitethernet 0/1
Switch (config-if)# ip arp inspection trust

DAI also monitors the number of ARP packets per second received on an un-trusted interface; the default limit is 15. When a malicious user performs a network scan, the host sends an ARP request for each IP address in the subnet. Once the switch receives the 16th ARP request within a second the threshold is exceeded and the interface is errdisabled (shut down).

Configure the ARP Limit Rate

If required the limit rate can be increased or decreased. The default of 15 should be acceptable for most computers.

Switch (config)# interface range fastethernet 0/1-24
Switch (config-if-range)# ip arp inspection limit rate 100

Errdisable auto recovery

By default, when an interface is errdisabled the administrator has to resolve the issue by bouncing the interface (shut / no shut). Errdisable recovery can be configured for ARP inspection (amongst many other causes) to re-enable the interface automatically after a certain period, given in seconds.

Switch (config)# errdisable recovery cause arp-inspection
Switch (config)# errdisable recovery interval 30


Network devices using a static IP address rather than one assigned by a DHCP server have no entry in the DHCP Snooping binding table, so DAI would drop their ARP packets. In this case an ARP ACL can be configured that maps each static IP address to its MAC address.

Create the ARP ACL and map IP to MAC for every device with a static IP address (substitute each device's IP address for the placeholder after the first host keyword)

Switch (config)# arp access-list ACL_ARP_FILTER
Switch (config-arp-nacl)# permit ip host <static-ip-1> mac host 0000.0000.0001
Switch (config-arp-nacl)# permit ip host <static-ip-2> mac host 0000.0000.0002

Enable the ARP inspection filter ACL on the VLAN

Switch (config)# ip arp inspection filter ACL_ARP_FILTER vlan 10
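As an added illustration that is not part of the original post or of any Cisco code, the following Python model applies the DAI checks described above to constructed ARP packets: trusted ports bypass inspection, a per-second counter errdisables an un-trusted port at the 16th packet, and a packet on an un-trusted port is forwarded only if it matches the ARP ACL (static hosts) or a DHCP Snooping binding. The port names, addresses and MACs are made up, and the model ignores the target fields of the ARP packet.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

ARP_RATE_LIMIT = 15  # Cisco default for un-trusted ports (ARP packets per second)

# Only the fields DAI checks are modelled: ingress port, VLAN, sender IP and MAC.
ArpPacket = namedtuple("ArpPacket", "port vlan sender_ip sender_mac")


@dataclass
class DaiSwitch:
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> mac, from DHCP snooping
    arp_acl: set = field(default_factory=set)      # (ip, mac) pairs for static hosts
    errdisabled: set = field(default_factory=set)
    _pps: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, pkt: ArpPacket, second: int) -> str:
        """Classify one ARP packet as 'forward', 'drop' or 'errdisable'."""
        if pkt.port in self.errdisabled:
            return "errdisable"                    # port already shut down
        if pkt.port in self.trusted_ports:
            return "forward"                       # trusted ports are not inspected
        self._pps[(pkt.port, second)] += 1
        if self._pps[(pkt.port, second)] > ARP_RATE_LIMIT:
            self.errdisabled.add(pkt.port)         # 16th packet in one second
            return "errdisable"
        if (pkt.sender_ip, pkt.sender_mac) in self.arp_acl:
            return "forward"                       # static host permitted by the ARP ACL
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac:
            return "forward"                       # matches the DHCP snooping binding
        return "drop"                              # spoofed or unknown IP/MAC pair


def demo() -> dict:
    """Constructed bindings and packets (hypothetical values); returns each verdict."""
    sw = DaiSwitch(trusted_ports={"Gi0/1"},
                   bindings={(10, "10.0.10.50"): "aaaa.bbbb.cccc",
                             (10, "10.0.10.99"): "dead.beef.0002"},
                   arp_acl={("10.0.10.2", "0000.0000.0001")})
    r = {
        "dhcp_client": sw.inspect(ArpPacket("Fa0/5", 10, "10.0.10.50", "aaaa.bbbb.cccc"), 1),
        "spoofed": sw.inspect(ArpPacket("Fa0/7", 10, "10.0.10.50", "dead.beef.0001"), 1),
        "static_host": sw.inspect(ArpPacket("Fa0/3", 10, "10.0.10.2", "0000.0000.0001"), 1),
        "uplink": sw.inspect(ArpPacket("Gi0/1", 10, "10.0.10.1", "ffff.0000.0001"), 1),
    }
    # A scanning host with a valid binding: 15 packets pass, the 16th errdisables the port.
    scan = [sw.inspect(ArpPacket("Fa0/9", 10, "10.0.10.99", "dead.beef.0002"), 2) for _ in range(20)]
    r["scan_forwarded"], r["scan_16th"] = scan[:15].count("forward"), scan[15]
    return r
```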

