Cisco Switch : Dynamic ARP Inspection

Dynamic ARP inspection, starts with a man in the middle attack, with the rogue user and PC sending a gratuitous ARP to say the MAC address for your default gateway is this, then the user accessing anything using the default gateway is sending all its traffic to the rogue users pc, which is then copying all the packets before sending it on to its destination.


DHCP snooping must be enabled, for DAI to be enabled.


Here is how to configure DAI:

tpw-sw1(conf)# ip arp inspection vlan 10
tpw-sw1(conf)# int gi0/1
tpw-sw1(config-int)#ip arp inspection trust

How to Check and Verify DAI:

tpw-sw1# show ip arp inspection

Cisco Switch : DHCP Snooping

DHCP seems like a seemingly innocent, but common protocol, that can be used against our network. Since we know the DHCP discovery packet is a broadcast packet, just looking for a DHCP server and the host doesn’t care what DHCP server sends a DHCP OFFER back, it will accept the first offer, the DHCP offer includes information such as IP address, Subnet Mask, Default Gateway, DNS information. What if the first offer that is returned is a Rouge or Malicious DHCP server? Does that mean all traffic from that host using the Rogue DHCP servers gateway could be looking at all of the traffic passing through it? Yes! We can prevent this from happening with a feature called DHCP Snooping.

DHCP Snooping is going to snoop or listen into DHCP traffic to make sure that DHCP conversations go to the correct interface and allow that traffic to pass, otherwise it will be dropped. The interfaces to a known good DHCP server will be ‘trusted’ and all other interfaces will be untrusted, therefor the switch will know if DHCP conversations are happening on an untrusted interface then the traffic will be dropped and the interface will be put into err-disabled mode.

By default the switch considers all ports untrusted. We have to enable DHCP snooping globally, then trust at the interface level. IP ARP inspection and IP source-guard are dependent on DHCP snooping being enabled.

Enabled DHCP Snooping

tpw-sw1(config)#ip dhcp snooping


Enable DHCP Snooping on a VLAN

tpw-sw1(config)#ip dhcp snooping vlan 10


Trust Interface with DHCP server on it

tpw-sw1(config)#int gigabitEthernet 1/1

tpw-sw1(config-if)#ip dhcp snooping ?

  information  DHCP Snooping information

  limit        DHCP Snooping limit

  trust        DHCP Snooping trust config

tpw-sw1(config-if)#ip dhcp snooping trust


DHCP option 82

When packets come in on an untrusted port with option 82 set, those packets are not dropped. The switch will insert its own DHCP option 82 information (the switches MAC address), and when the packet is returned it will make sure its own DHCP option 82 information is in the reply if it is, it will remove its option 82 information and forward the packet normally, if not it will drop it.  This check is enabled by default.

Turn off the validity check

tpw-sw1(config)#no ip dhcp relay information check


Turn on Option 82

tpw-sw1(config)#ip dhcp snooping information option


Show Commands

tpw-sw1#sh ip dhcp snooping

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:


DHCP snooping is operational on following VLANs:


DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

Option 82 on untrusted port is not allowed

Verification of hwaddr field is enabled

Verification of giaddr field is enabled

DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted    Relay Info policy     Rate limit (pps)

------------------------     -------    -----------------     ----------------

GigabitEthernet1/1        yes                               unlimited