Lesson 5 of 5

L2 Security Challenge

Lab Objectives

  • Deploy Layer-2 security across the access layer: enable DHCP Snooping, Dynamic ARP Inspection (DAI), and Port Security on all access switches.
  • Explain how these features protect against rogue DHCP servers, ARP spoofing, and MAC flooding in a small campus topology.
  • Verify the configuration using show commands and a simple troubleshooting exercise.

Tip: Think of DHCP Snooping as a bouncer who lets only authorized DHCP servers hand out addresses. DAI is the bouncer's second check — it verifies that the ARP claims match the DHCP assignments.

Topology (base lab — exact IPs shown)

                    [Internet]
                   203.0.113.1
                        |
                   R1 (Gateway)
                  Gi0/0: 10.10.10.1
                  Gi0/1: 10.10.20.1
                  Gi0/2: 10.10.30.1
                  /     |     \
               R2      R3      R4
   Gi0/0: 10.10.10.2   |   Gi0/0: 10.10.30.2
   Gi0/1: 10.10.40.1   |
              /  \      |
           S1    S2    S3
          /  \    |   /  \
        PC1  PC2 PC3 PC4  PC5

IP scheme used in this lab:

  • 10.10.10.0/24 — R1–R2 link
  • 10.10.20.0/24 — R1–R3 link
  • 10.10.30.0/24 — R1–R4 link
  • 10.10.40.0/24 — R2–S1 link
  • VLAN 10 (Sales): 192.168.1.0/24
  • VLAN 20 (Engineering): 192.168.2.0/24
  • VLAN 30 (Management): 192.168.3.0/24
  • Public/Internet simulation: 203.0.113.0/24

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Enable DHCP Snooping on access switches (S1, S2, S3)

Configure DHCP snooping globally and enable it for VLANs 10, 20, 30. Mark uplink/trunk interfaces toward routers as trusted so legitimate DHCP messages are allowed. Do not trust access ports to hosts.

Task 2: Enable Dynamic ARP Inspection (DAI)

Enable DAI for VLANs 10, 20, 30 and ensure the switch uses DHCP snooping bindings to validate ARP packets. Mark the same uplink/trunk interfaces as trusted for ARP inspection.

Task 3: Configure Port Security on all access ports

  • On S1, configure the switch ports connected to PCs with port-security. Where a static MAC is required (for example on the router-facing link), discover the MAC with show commands and apply a static entry.
  • On S2 and S3, configure port-security with sticky MAC learning for PC access ports so learned MACs are saved in the running-config.

Think About It: Why must uplink/trunk interfaces to routers be configured as "trusted" for DHCP snooping and DAI, while access ports remain "untrusted"?


Lab Solution

Task 1 Solution: Enable DHCP Snooping on access switches (S1, S2, S3)

What we are doing: We activate DHCP Snooping globally on each access switch, restrict it to the VLANs in use, and mark uplink/trunk ports toward routers as trusted. This prevents rogue DHCP servers on access ports from issuing leases.

Commands for S1 (repeat similarly on S2 and S3, adjusting interface names for your environment):

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10,20,30

interface GigabitEthernet0/1
 description Uplink to R2
 ip dhcp snooping trust
exit

interface range GigabitEthernet0/2 - 3
 description Access ports to PCs
 switchport mode access
 switchport access vlan 10
exit
end

What just happened:

  • ip dhcp snooping — Enables DHCP snooping globally on the switch (it starts tracking DHCP messages).
  • ip dhcp snooping vlan 10,20,30 — Restricts DHCP snooping to the VLANs you want protected (saves resources and scope).
  • interface ... ip dhcp snooping trust — Marks the uplink/trunk as trusted so legitimate DHCP server responses can traverse that port.
  • Access ports are left as untrusted by default, so DHCP server offers arriving on them will be dropped.

Verify:

show ip dhcp snooping

Expected output (example excerpt):

Switch# show ip dhcp snooping
DHCP snooping is enabled
DHCP snooping is enabled for the following VLANs:
10,20,30
DHCP snooping is operational
Configured DHCP snooping trust on the following interfaces:
  GigabitEthernet0/1

Also check bindings learned (initially none until clients request DHCP):

show ip dhcp snooping binding

Expected output (if clients obtained DHCP):

Switch# show ip dhcp snooping binding
MAC                IP Address       VLAN  Interface
aabb.cc00.0101     192.168.1.10     10    Gi0/2
1122.3344.5566     192.168.2.20     20    Gi0/3

Task 2 Solution: Enable Dynamic ARP Inspection (DAI)

What we are doing: DAI inspects ARP packets and compares them to DHCP snooping bindings (or a static ARP ACL) to prevent ARP spoofing. We enable the feature for the same VLANs and make uplinks trusted.

Commands for S1:

configure terminal
ip arp inspection vlan 10,20,30

interface GigabitEthernet0/1
 description Uplink to R2
 ip arp inspection trust
exit
end

What just happened:

  • ip arp inspection vlan 10,20,30 — Turns on DAI for those VLANs so ARP traffic will be validated.
  • ip arp inspection trust on the uplink — Allows legitimate ARP messages from the router/legitimate devices to pass; untrusted access ports will have ARP packets validated against the snooping binding table.

Verify:

show ip arp inspection

Expected output (example excerpt):

Switch# show ip arp inspection
Global ARP inspection is enabled
Configured VLANs: 10,20,30
Configured inspect trust interfaces:
  GigabitEthernet0/1

Check that bindings used by DAI exist (same as DHCP snooping):

show ip dhcp snooping binding

If the DHCP snooping binding is present, DAI can validate ARP entries.
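To make the DAI check concrete, here is an added Python example (not part of the lab, and not Cisco code) that parses the show ip dhcp snooping binding excerpt from Task 1 and then applies the DAI rule described above to a few constructed ARP packets: a trusted port is not inspected, and an ARP arriving on an untrusted port is permitted only if its sender MAC/IP pair matches a binding in that VLAN. The packets, the trusted-port set and the gateway address 192.168.1.1 are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed input: the binding table excerpt shown in the Task 1 verification.
SNOOPING_BINDING_OUTPUT = """\
Switch# show ip dhcp snooping binding
MAC                IP Address       VLAN  Interface
aabb.cc00.0101     192.168.1.10     10    Gi0/2
1122.3344.5566     192.168.2.20     20    Gi0/3
"""

# Assumption: Gi0/1 is the uplink configured with 'ip arp inspection trust'.
TRUSTED_PORTS = {"Gi0/1"}

# One binding row in the excerpt format above: MAC, IPv4, VLAN, interface.
BINDING_RE = re.compile(
    r"^([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)"
)


def parse_binding_table(text):
    """Return {(vlan, mac): ip} built from the show output; other lines are ignored."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, vlan, _iface = m.groups()
            bindings[(int(vlan), mac.lower())] = ip
    return bindings


@dataclass
class ArpPacket:
    vlan: int
    ingress_port: str
    sender_mac: str
    sender_ip: str


def dai_decision(pkt, bindings, trusted_ports):
    """Model of the DAI rule: trusted ports bypass inspection; untrusted ports
    must present a sender MAC/IP pair that matches a DHCP snooping binding
    in the same VLAN. Returns (verdict, reason)."""
    if pkt.ingress_port in trusted_ports:
        return "permit", "trusted port, not inspected"
    bound_ip = bindings.get((pkt.vlan, pkt.sender_mac.lower()))
    if bound_ip is None:
        return "drop", "no DHCP snooping binding for sender MAC in this VLAN"
    if bound_ip != pkt.sender_ip:
        return "drop", f"sender IP {pkt.sender_ip} does not match binding {bound_ip}"
    return "permit", "sender MAC/IP matches DHCP snooping binding"


# Constructed ARP packets as DAI would see them on S1.
SAMPLE_ARPS = [
    ArpPacket(10, "Gi0/2", "aabb.cc00.0101", "192.168.1.10"),  # PC1, matches its lease
    ArpPacket(10, "Gi0/2", "aabb.cc00.0101", "192.168.1.1"),   # PC1 claiming the gateway IP
    ArpPacket(10, "Gi0/4", "dead.beef.0001", "192.168.1.50"),  # MAC with no lease at all
    ArpPacket(10, "Gi0/1", "0000.0c07.ac01", "192.168.1.1"),   # gateway ARP via trusted uplink
]


def evaluate(packets=SAMPLE_ARPS, text=SNOOPING_BINDING_OUTPUT, trusted=TRUSTED_PORTS):
    """Run every packet through the DAI model and return the list of (verdict, reason)."""
    bindings = parse_binding_table(text)
    return [dai_decision(p, bindings, trusted) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_ARPS, evaluate()):
        print(f"{pkt.ingress_port} vlan {pkt.vlan} {pkt.sender_mac} -> {pkt.sender_ip}: "
              f"{verdict} ({reason})")
```

The second packet is the case the Warning later in this lab is about in reverse: a host whose MAC has a lease but whose ARP claims a different IP is dropped, while the same claim arriving on the trusted uplink passes without inspection. That is exactly why an untrusted uplink breaks gateway reachability: the router's own ARP replies would be checked against a binding table that never contains the router.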


Task 3 Solution: Configure Port Security on all access ports

What we are doing: We apply port-security to access ports connected to PCs. On S1 we will illustrate how to create a static MAC entry for an uplink (if required), and on S2/S3 we will enable sticky learning so the switch learns and retains host MACs.

First, find the MAC of the device you plan to statically bind (if needed). Example — find MAC of router interface or existing host:

show interface GigabitEthernet0/1

Check the output for the MAC (it appears on the line Hardware is ..., address is xxxx.xxxx.xxxx). Or use:

show mac address-table interface GigabitEthernet0/1

Now configure static port-security (example on S1 for interface Gi0/2 if you obtained a MAC of a host or router). Replace xxxx.xxxx.xxxx with the discovered MAC:

configure terminal
interface GigabitEthernet0/2
 description PC1 - Sales
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address xxxx.xxxx.xxxx
 switchport port-security maximum 1
 switchport port-security violation restrict
end

On S2 and S3, configure sticky learning on the PC access ports:

configure terminal
interface range GigabitEthernet0/2 - 4
 description Access ports to PCs
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 2
 switchport port-security violation restrict
end

What just happened:

  • switchport port-security — Enables per-port port-security.
  • switchport port-security mac-address <mac> — Statically binds a specific MAC to the port (prevents other MACs).
  • switchport port-security mac-address sticky — Learns the MACs dynamically and adds them to running-config (useful for user devices).
  • maximum — Limits the number of MACs allowed on the port.
  • violation restrict — Specifies the action (restrict logs and drops violating frames; other options include shutdown).

Verify:

show port-security interface GigabitEthernet0/2

Expected output (example excerpt):

Switch# show port-security interface GigabitEthernet0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
SecureStatic Address Count : 1
Configured Address Count   : 1
Max MAC Addresses          : 1
Current MAC Address        : xxxx.xxxx.xxxx

List all secure MACs (sticky/static):

show port-security address

Expected output:

Switch# show port-security address
MAC Address       VLAN  Type        Ports
xxxx.xxxx.xxxx    10    SecureStatic Gi0/2
aabb.cc00.0101    20    SecureSticky Gi0/3

Troubleshooting Scenario

Scenario: DHCP IPs assigned but client cannot reach gateway

Symptom: PC1 has an IP in 192.168.1.0/24 but cannot ping its gateway or hosts in other VLANs.

Your task: Find and fix the issue.

Hint: Check whether the uplink/trunk is trusted for DHCP snooping and ARP inspection.

Solution: On the access switch, verify show ip dhcp snooping and show ip arp inspection. If the uplink is not trusted, the DHCP responses or ARP replies may be blocked. Configure:

interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust

Then test connectivity again. If port-security is set too strictly (e.g., incorrect static MAC), adjust or remove the static entry or set sticky learning and reconnect the host.

Verification Checklist

  • DHCP Snooping enabled globally and for VLANs 10,20,30 on S1/S2/S3.
  • Uplink interfaces to routers marked ip dhcp snooping trust and ip arp inspection trust.
  • DAI enabled for VLANs 10,20,30 and using DHCP snooping bindings.
  • Port-security configured on all access ports (static where required, sticky on others).
  • show commands confirm bindings and secure MAC addresses.
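The checklist above and the troubleshooting scenario before it both come down to reading a running-config and spotting a missing line. The following added Python script (written for this lab, not Cisco or course code) parses an IOS-style running-config and reports each checklist item that fails. The sample config is constructed and deliberately reproduces the troubleshooting mistake: the uplink is trusted for DHCP snooping but not for DAI, DAI is missing VLAN 30, and one access port has no port-security. The required VLAN set, the uplink name and the sample MAC 0000.1111.2222 are assumptions.

```python
import re

# Constructed running-config for S1 with three deliberate checklist failures.
SAMPLE_CONFIG = """\
hostname S1
!
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
ip arp inspection vlan 10,20
!
interface GigabitEthernet0/1
 description Uplink to R2
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description PC1 - Sales
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0000.1111.2222
 switchport port-security maximum 1
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 description PC2 - Sales
 switchport mode access
 switchport access vlan 10
!
end
"""

REQUIRED_VLANS = {10, 20, 30}          # assumption: the lab's protected VLANs
UPLINKS = ("GigabitEthernet0/1",)      # assumption: router-facing port on this switch


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30' or '10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Split a running-config into global lines and {interface: [indented sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, required_vlans=REQUIRED_VLANS, uplinks=UPLINKS):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    global_lines, interfaces = parse_config(text)

    # Global checks: snooping enabled, and both features cover every required VLAN.
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping not enabled")
    snoop_vlans, dai_vlans = set(), set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (.+)", line)
        if m:
            snoop_vlans |= parse_vlan_list(m.group(1))
        m = re.match(r"ip arp inspection vlan (.+)", line)
        if m:
            dai_vlans |= parse_vlan_list(m.group(1))
    if required_vlans - snoop_vlans:
        findings.append(f"global: DHCP snooping missing VLANs {sorted(required_vlans - snoop_vlans)}")
    if required_vlans - dai_vlans:
        findings.append(f"global: DAI missing VLANs {sorted(required_vlans - dai_vlans)}")

    # Uplink checks: trusted for both DHCP snooping and DAI (the troubleshooting scenario).
    for name in uplinks:
        sub = interfaces.get(name, [])
        for cmd in ("ip dhcp snooping trust", "ip arp inspection trust"):
            if cmd not in sub:
                findings.append(f"{name}: uplink missing '{cmd}'")

    # Access-port checks: port-security present with a static or sticky MAC entry.
    for name, sub in interfaces.items():
        if name in uplinks or "switchport mode access" not in sub:
            continue
        if "switchport port-security" not in sub:
            findings.append(f"{name}: access port without port-security")
        elif not any(l.startswith("switchport port-security mac-address") for l in sub):
            findings.append(f"{name}: port-security without static or sticky MAC")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

Run it against a config pulled with show running-config; an empty result means the checklist is satisfied for that switch. The VLAN-range expansion matters because IOS may render a list such as 10,20,30 back as a range after you add contiguous VLANs, and a naive string compare would then report a false failure.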

Common Mistakes

  • Symptom: Clients receive DHCP IP but cannot reach default gateway
    Cause: Uplink/trunk not configured with ip dhcp snooping trust or ip arp inspection trust
    Fix: Mark the uplink as trusted on the access switch
  • Symptom: ARP-related connectivity issues after enabling DAI
    Cause: No DHCP snooping bindings available (clients have static IPs)
    Fix: Add static ARP ACLs or populate DHCP snooping bindings via DHCP or static entries
  • Symptom: Port-security immediately shuts down port when PC plugs in
    Cause: Violation mode = shutdown or max MACs set too low
    Fix: Use restrict mode for tests or increase maximum / use sticky learning
  • Symptom: Sticky MACs are not persistent after reload
    Cause: Learned sticky MACs are in running-config only
    Fix: Save the running-config to startup-config (write memory) after sticky learning

Warning: On production gear, enabling DAI without valid DHCP snooping bindings (for statically assigned hosts) may block legitimate ARP traffic. Plan bindings or static entries accordingly.

Challenge Task

Extend this lab to a small campus: add a distribution switch, provide DHCP from a central server (on a router or a dedicated server), and make sure DHCP Snooping and DAI scale to multiple VLANs (e.g., 5 VLANs). Also configure a secure management VLAN (30) with SSH access limited to a known management workstation using a port-security static MAC binding. No step-by-step guidance: design the VLANs, trunking, trusted ports, and port-security policy yourself.

Key Takeaway: DHCP Snooping, DAI, and Port Security work together — DHCP Snooping builds trusted bindings, DAI uses those bindings to validate ARP, and Port Security limits MAC movements — together these features dramatically reduce common Layer-2 attacks in a campus network.