Objective
Mitigate common Layer 2 attacks on a switch by configuring DHCP Snooping (to block rogue DHCP servers) and Dynamic ARP Inspection (to prevent ARP poisoning/Man-in-the-Middle attacks).
Lab Topology
Task 1 - Configure DHCP Snooping
Enable DHCP Snooping globally and on VLAN 10. Configure GigabitEthernet0/1 (the port connected to the legitimate DHCP server) as a trusted interface.
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10
SW1(config)# interface gigabitEthernet 0/1
SW1(config-if)# ip dhcp snooping trust
Task 2 - Configure Dynamic ARP Inspection (DAI)
Enable DAI on VLAN 10 so that the switch intercepts ARP packets on untrusted ports and validates their sender MAC/IP pair against the DHCP Snooping binding table.
SW1(config)# ip arp inspection vlan 10
Task 3 - Verification
Verify that the DHCP Snooping database is learning leases and DAI is active.
SW1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
GigabitEthernet0/1         yes        unlimited

SW1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:10:7B:3E:A1:B2   192.168.10.15    86400       dhcp-snooping  10    FastEthernet0/1

SW1# show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  Logging  Bad ARPs
----  -------------  ---------  -------  --------
10    Enabled        Active     Enabled  0
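To make the Task 2 behaviour concrete, the following added Python script (not part of the lab, and not switch code) parses a binding table in the format of the `show ip dhcp snooping binding` output above and applies the same decision DAI makes: ARP from a trusted port passes uninspected, ARP from an untrusted port passes only if its sender MAC/IP pair exists in a binding for that VLAN. The binding text and the sample ARP senders are constructed, and treating GigabitEthernet0/1 as DAI-trusted is an assumption.

```python
"""Simulate the Dynamic ARP Inspection (DAI) check against a DHCP Snooping binding table."""
from dataclasses import dataclass

# Constructed sample in the format of `show ip dhcp snooping binding`.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:10:7B:3E:A1:B2   192.168.10.15    86400       dhcp-snooping  10    FastEthernet0/1
"""

# Assumption: the DHCP server uplink is configured as a DAI-trusted interface.
TRUSTED_PORTS = {"GigabitEthernet0/1"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """Parse binding rows; header and separator lines do not have six fields with a type column."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "dhcp-snooping":
            continue
        mac, ip, _lease, _type, vlan, iface = parts
        bindings.append(Binding(mac.upper(), ip, int(vlan), iface))
    return bindings


def dai_verdict(bindings, ingress_port, vlan, sender_mac, sender_ip):
    """Return ("permit"|"drop", reason) for an ARP packet, mirroring the DAI decision."""
    if ingress_port in TRUSTED_PORTS:
        return "permit", "trusted interface, ARP not inspected"
    for b in bindings:
        if b.vlan == vlan and b.mac == sender_mac.upper() and b.ip == sender_ip:
            return "permit", "sender MAC/IP matches a DHCP snooping binding"
    # No lease backs this MAC/IP claim: this is the case DAI counts under "Bad ARPs".
    return "drop", "no DHCP snooping binding for sender MAC/IP on this VLAN"


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    print(dai_verdict(table, "FastEthernet0/1", 10, "00:10:7b:3e:a1:b2", "192.168.10.15"))
    print(dai_verdict(table, "FastEthernet0/2", 10, "00:10:7B:3E:A1:B2", "192.168.10.1"))
```

A host that leased 192.168.10.15 cannot claim another address in its ARP replies without DAI dropping the packet, which is exactly what stops an ARP-poisoning attempt from an untrusted access port.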