Dynamic ARP Inspection
Lab Objectives
- Enable and configure DHCP Snooping on a switch to build a trusted binding table of DHCP leases.
- Enable Dynamic ARP Inspection (DAI) to validate ARP packets against the DHCP snooping binding table.
- Verify DAI is protecting hosts and troubleshoot a common misconfiguration where the uplink is not trusted.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Task 1: Enable DHCP Snooping for VLANs
Enable DHCP Snooping globally and restrict it to VLANs 10, 20, and 30. Ensure the switch will build a DHCP binding database for those VLANs.
Parameters:
- VLANs: 10, 20, 30
Task 2: Trust uplink interface and set access ports as untrusted
Mark the uplink towards R2 as a trusted interface for DHCP Snooping and DAI. Ensure all access ports connecting to end-hosts are untrusted (default behavior).
Parameters:
- Uplink interface to R2: GigabitEthernet0/24 (trust)
- Access ports: GigabitEthernet0/1–0/8 (untrusted)
Task 3: Enable Dynamic ARP Inspection
Enable DAI for VLANs 10, 20, 30 so ARP packets are validated against the DHCP Snooping binding table. Verify DAI counters and show the DHCP Snooping binding table to confirm entries are present.
Parameters:
- DAI applied to VLANs: 10, 20, 30
Think About It: If a host has a static IP configured (not obtained via DHCP), why might DAI drop that host's ARP packets even though the IP is legitimate? What are the production implications?
Lab Solution
Real-world context: In production networks, DHCP Snooping is used to prevent rogue DHCP servers from issuing addresses to clients. DAI prevents ARP spoofing by checking ARP requests/replies against known DHCP bindings. Together they mitigate common LAN-layer attacks and help maintain IP-to-MAC integrity for hosts that receive addresses via DHCP.
ASCII Topology (base lab topology — exact IPs)
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
IP SCHEME:
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Task 1 Solution: Enable DHCP Snooping for VLANs 10, 20, 30
What we are doing: Turn on DHCP Snooping so the switch records DHCP lease information per VLAN and can later allow DAI to use that table to validate ARP. Only the specified VLANs will be monitored.
conf t
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
end
What each command does and why it matters:
- ip dhcp snooping — enables DHCP Snooping globally on the switch. This begins the process of observing DHCP traffic and building a binding table. Without global enablement, per-VLAN settings are ignored.
- ip dhcp snooping vlan 10,20,30 — restricts DHCP Snooping to VLANs 10, 20, and 30. This reduces resource usage and ensures only relevant VLANs are protected.
Verify:
show ip dhcp snooping
Expected output (representative):
Switch# show ip dhcp snooping
IP DHCP Snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following interfaces:
(none trusted yet)
DHCP snooping trust state and rate limit configured on:
(none)
DHCP snooping database agent is not configured
Task 2 Solution: Trust uplink and ensure access ports are untrusted
What we are doing: Mark the uplink to R2 as trusted because the DHCP server (or DHCP relay) sits beyond that link. Access ports to PCs must remain untrusted so rogue DHCP servers on access ports cannot issue leases.
conf t
interface GigabitEthernet0/24
description Uplink-to-R2
ip dhcp snooping trust
exit
interface range GigabitEthernet0/1 - 0/8
description Access-ports-to-hosts
no ip dhcp snooping trust
exit
end
What each command does and why it matters:
- interface GigabitEthernet0/24 / ip dhcp snooping trust — marks the uplink as trusted so DHCP server responses (DHCPOFFER/DHCPACK) are accepted from this port and recorded. If the uplink is not trusted, real DHCP offers could be dropped.
- interface range GigabitEthernet0/1 - 0/8 / no ip dhcp snooping trust — explicitly ensures access ports are untrusted. The default is untrusted, but setting it explicitly prevents accidental trust inheritance and documents intent.
Verify:
show ip dhcp snooping interface
Expected output (representative):
Switch# show ip dhcp snooping interface
VLAN Interface Trusted Rate limit (pps)
---- --------- ------- ----------------
10 Gi0/24 yes unlimited
20 Gi0/24 yes unlimited
30 Gi0/24 yes unlimited
10 Gi0/1 no 0
10 Gi0/2 no 0
... (access ports)
Task 3 Solution: Enable Dynamic ARP Inspection (DAI) for VLANs 10, 20, 30
What we are doing: Turn on DAI on the same VLANs. DAI will consult the DHCP Snooping binding table to determine whether ARP entries are valid. We also trust the uplink for ARP inspection.
conf t
ip arp inspection vlan 10,20,30
interface GigabitEthernet0/24
ip arp inspection trust
exit
end
What each command does and why it matters:
- ip arp inspection vlan 10,20,30 — enables DAI on the specified VLANs. DAI will now intercept ARP packets and validate the sender IP/MAC against the DHCP Snooping binding table for that VLAN.
- interface GigabitEthernet0/24 / ip arp inspection trust — marks the uplink as trusted so legitimate ARP traffic from upstream devices (e.g., router or DHCP server) is not inspected/dropped. Access ports remain untrusted so ARP spoof attempts can be blocked.
Verify DAI state and counters:
show ip arp inspection
Expected output (representative):
Switch# show ip arp inspection
Global arp inspection is enabled
Interface trust list:
GigabitEthernet0/24
VLAN list:
10,20,30
Statistics:
Packets input: 100
Packets output: 99
Drop count: 1
Retry count: 0
Verify DHCP Snooping binding table (DAI uses this table):
show ip dhcp snooping binding
Expected output (example entry):
Switch# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
00aa.bbcc.ddee 192.168.1.10 86394 dhcp 10 GigabitEthernet0/1
00aa.bbcc.ddff 192.168.2.11 86394 dhcp 20 GigabitEthernet0/2
If an ARP packet is dropped, you can see details:
show ip arp inspection drop
Expected sample:
Switch# show ip arp inspection drop
Time: 00:12:34
VLAN: 10
Src-MAC: 00aa.bbcc.ddee
Src-IP: 192.168.1.200 (not in binding table)
Interface: GigabitEthernet0/3
Reason: IP-MAC mismatch
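The following Python is an added illustration, not Cisco code and not part of the original lab: it parses the "show ip dhcp snooping binding" layout shown above and applies the DAI decision rule from Task 3 to sample ARP packets, including the trusted-uplink bypass and the static-IP case from the Think About It question. The binding rows, the port names and the ARP ACL entry for a hypothetical static management host are constructed for the example.

```python
"""Model of the Dynamic ARP Inspection decision rule used in this lab."""

# Constructed sample, same column layout as the lab's expected output.
BINDING_OUTPUT = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
00aa.bbcc.ddee 192.168.1.10 86394 dhcp 10 GigabitEthernet0/1
00aa.bbcc.ddff 192.168.2.11 86394 dhcp 20 GigabitEthernet0/2
"""

# Ports configured with 'ip arp inspection trust' (the uplink to R2).
TRUSTED_PORTS = {"GigabitEthernet0/24"}

# Hypothetical static ARP ACL entry (vlan, ip, mac) for a management host
# that has a static IP and therefore never appears in the binding table.
ARP_ACL = {(30, "192.168.3.5", "00aa.bbcc.0005")}


def parse_bindings(text):
    """Return {(vlan, ip): (mac, interface)} from the binding-table output."""
    table = {}
    for line in text.splitlines()[1:]:      # skip the header row
        if not line.strip():
            continue
        mac, ip, _lease, _type, vlan, iface = line.split()
        table[(int(vlan), ip)] = (mac.lower(), iface)
    return table


def inspect_arp(bindings, vlan, sender_ip, sender_mac, in_port):
    """Return (forward, reason) for one ARP packet, as DAI would decide it.

    Only sender IP/MAC per VLAN is compared, which is the check the lab
    describes; the interface column is parsed but not used in this model.
    """
    if in_port in TRUSTED_PORTS:
        return True, "trusted interface, not inspected"
    if (vlan, sender_ip, sender_mac.lower()) in ARP_ACL:
        return True, "permitted by ARP ACL"
    entry = bindings.get((vlan, sender_ip))
    if entry is None:
        # This is what happens to a static-IP host on an untrusted port.
        return False, "no DHCP binding for sender IP"
    if entry[0] != sender_mac.lower():
        # Someone is claiming a leased IP with a different MAC.
        return False, "IP-MAC mismatch"
    return True, "matches DHCP binding"
```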
Troubleshooting Scenario
Scenario: End-host ARP entries are being dropped; PC1 cannot communicate with its gateway
Symptom: Ping from PC1 to gateway (192.168.1.1) fails. show ip arp inspection drop shows drops for PC1’s MAC/IP.
Your task: Find and fix the issue.
Hint: Check whether the uplink interface is trusted for both DHCP Snooping and ARP Inspection.
Solution:
- Likely cause: The uplink (GigabitEthernet0/24) is not trusted for DHCP Snooping, so the switch never built a binding entry for PC1. DAI then drops PC1’s ARP because no DHCP binding exists.
- Fix: Trust the uplink for DHCP Snooping and DAI:
conf t
interface GigabitEthernet0/24
ip dhcp snooping trust
ip arp inspection trust
end
Why this works: DHCP Snooping trust allows DHCP server messages to populate the binding table. Once the entry exists, DAI has a valid reference and will allow ARP for that host.
Verification Checklist
- show ip dhcp snooping shows DHCP Snooping enabled and VLANs 10,20,30 configured.
- show ip dhcp snooping interface shows GigabitEthernet0/24 trusted.
- show ip dhcp snooping binding contains expected host entries.
- show ip arp inspection shows DAI enabled and GigabitEthernet0/24 trusted.
- show ip arp inspection drop has zero unexpected drops for legitimate DHCP clients.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| DHCP clients do not get addresses | Uplink port not trusted for DHCP snooping | Configure ip dhcp snooping trust on uplink |
| Legitimate ARP is dropped for a host with static IP | Host IP not in DHCP binding table (static IP) | Add static entry to ARP ACL (out of scope) or avoid DAI on that VLAN; in production use DHCP or static ARP ACLs |
| No DHCP bindings visible | DHCP Snooping not enabled globally or wrong VLANs configured | ip dhcp snooping and ip dhcp snooping vlan X |
Tip: Think of DHCP Snooping as the switch’s “lease registry” and DAI as an ARP bouncer that checks IDs against that registry. If the registry doesn’t have the entry, the bouncer refuses entry.
Challenge Task
Protect VLANs 10 and 20 with rate-limiting for DHCP Snooping (limit DHCP offers per second on the uplink) and create a static ARP ACL to permit a management host with a static IP to continue communicating despite DAI. (No step-by-step guidance — use ? and the show commands to discover applicable commands.)