
DHCP Snooping and DAI for CompTIA Network+ N10-009

DHCP snooping and Dynamic ARP Inspection (DAI) are Layer 2 security features that prevent common network attacks. CompTIA Network+ N10-009 tests these controls in the Security domain. DHCP snooping prevents rogue DHCP servers and builds a binding table used by DAI to validate ARP packets, stopping ARP poisoning attacks.


DHCP Snooping

DHCP snooping validates DHCP messages on a switch to prevent rogue DHCP servers. Without it, an attacker can run a fake DHCP server that assigns client IPs pointing to the attacker as the default gateway (man-in-the-middle setup). DHCP snooping designates switch ports as trusted or untrusted. Trusted ports: ports connected to legitimate DHCP servers or uplinks — DHCP server responses (OFFER, ACK) are allowed from these ports. Untrusted ports: access ports where end devices connect — DHCP server responses arriving on these ports are dropped.

DHCP snooping binding table: DHCP snooping records every IP address assignment — client MAC address, IP address, VLAN, lease time, and switch port. This table is used by DAI and IP Source Guard. If a client receives 192.168.1.100, the binding table records: port 0/5, VLAN 10, MAC 00:11:22:33:44:55, IP 192.168.1.100.

Dynamic ARP Inspection (DAI)

DAI uses the DHCP snooping binding table to validate ARP packets. When an ARP packet arrives on an untrusted port, DAI checks whether the sender IP and sender MAC in the ARP packet match a valid binding table entry for that port. If the ARP maps a MAC to an IP that DHCP didn't assign to that port, DAI drops the packet — preventing ARP poisoning.

DAI trusted vs untrusted ports: same concept as DHCP snooping — trusted ports (uplinks, servers with static IPs) are not inspected. Static ARP entries can be added to the binding table for devices with static IPs (servers, gateways) that don't appear in DHCP snooping records.

Without DAI: an attacker can send fake ARP replies mapping the default gateway's IP to the attacker's MAC — all traffic intended for the gateway goes to the attacker instead. With DAI: the fake ARP is rejected because the binding table shows the gateway's IP belongs to the gateway's MAC on a specific trusted port.

IP Source Guard

IP Source Guard: another feature using the DHCP snooping binding table. Filters traffic on untrusted ports to allow only traffic from IP addresses that appear in the binding table. Prevents IP spoofing at Layer 2 — a host cannot use a different IP than what DHCP assigned. Complements DAI by enforcing IP address ownership at the access layer.
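The three controls above share one data structure, so the following model (an added example for this page, not code from any switch vendor) replays them in Python: DHCP snooping learns a binding from a trusted ACK, DAI and IP Source Guard check frames on untrusted ports against that binding, and an OFFER or ACK arriving on an untrusted port is dropped. Port names, MAC addresses and IPs are constructed sample values; lease time is omitted for brevity.

```python
from dataclasses import dataclass, field

CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # never filtered: clients can still lease
# Anything else (OFFER, ACK) is a server message and is filtered on untrusted ports.

@dataclass
class Switch:
    trusted: set = field(default_factory=set)      # uplinks / DHCP server ports
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> client port
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> (mac, port)

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """DHCP snooping: return 'forward' or 'drop'; learn bindings from ACKs."""
        if msg in CLIENT_MSGS:
            if port not in self.trusted:
                self.pending[(vlan, client_mac)] = port   # remember client's port
            return "forward"
        if port not in self.trusted:                      # OFFER/ACK from access port
            return "drop"                                 # rogue server (or exam trap)
        if msg == "ACK" and (vlan, client_mac) in self.pending:
            self.bindings[(vlan, ip)] = (client_mac, self.pending[(vlan, client_mac)])
        return "forward"

    def add_static(self, vlan, ip, mac, port):
        """Static entry for devices that never use DHCP (gateway, servers)."""
        self.bindings[(vlan, ip)] = (mac, port)

    def _bound(self, port, vlan, mac, ip):
        # Trusted ports bypass inspection; untrusted must match a binding exactly.
        return port in self.trusted or self.bindings.get((vlan, ip)) == (mac, port)

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: sender IP/MAC of an ARP packet must match the binding table."""
        return "forward" if self._bound(port, vlan, sender_mac, sender_ip) else "drop"

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """IPSG: an untrusted port may only source its DHCP-assigned IP."""
        return "forward" if self._bound(port, vlan, src_mac, src_ip) else "drop"

def demo():
    """Replays the page's scenario with constructed values; returns decisions."""
    sw = Switch(trusted={"Gi0/1"})                        # Gi0/1 = uplink to DHCP server
    sw.add_static(10, "192.168.1.1", "aa:bb:cc:dd:ee:01", "Gi0/1")   # gateway via uplink
    client, attacker = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    sw.dhcp("Fa0/5", 10, "DISCOVER", client)
    return {
        "rogue_offer": sw.dhcp("Fa0/7", 10, "OFFER", client, "192.168.1.200"),
        "real_ack":    sw.dhcp("Gi0/1", 10, "ACK", client, "192.168.1.100"),
        "client_arp":  sw.arp("Fa0/5", 10, client, "192.168.1.100"),
        "poison_arp":  sw.arp("Fa0/7", 10, attacker, "192.168.1.1"),   # claims gateway IP
        "spoofed_src": sw.ip_source_guard("Fa0/5", 10, client, "192.168.1.50"),
        "binding":     sw.bindings[(10, "192.168.1.100")],
    }
```

Running `demo()` shows the rogue OFFER, the gateway-impersonating ARP and the spoofed source IP all dropped, while the legitimate lease and the client's own ARP are forwarded.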

Key exam facts — Network+

  • DHCP snooping: trusted ports = uplinks/servers; untrusted ports = end devices
  • DHCP snooping blocks rogue DHCP server responses on untrusted ports
  • DHCP snooping binding table: MAC + IP + port + VLAN for each assignment
  • DAI uses the binding table to validate ARP replies — drops ARP poisoning attempts
  • DAI prevents MitM attacks based on ARP spoofing
  • IP Source Guard: enforces that hosts use only their DHCP-assigned IP
  • Trusted ports bypass DHCP snooping and DAI inspection

Common exam traps

DHCP snooping blocks all DHCP traffic

DHCP snooping only blocks DHCP server responses (OFFER, ACK) arriving on untrusted ports. DHCP client messages (DISCOVER, REQUEST) are still allowed on untrusted ports, so clients can still request IP addresses normally.

Practice questions — DHCP Snooping and DAI

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator configures DHCP snooping on a switch. Users can still request IP addresses but the legitimate DHCP server's responses never reach clients. What is most likely misconfigured?

A. DHCP snooping is blocking client DISCOVER messages
B. The uplink port to the DHCP server is configured as untrusted
C. DAI is blocking DHCP packets
D. The DHCP server is on the wrong VLAN

Explanation: DHCP snooping blocks DHCP server responses (OFFER, ACK) arriving on untrusted ports. If the port connecting to the legitimate DHCP server (or the uplink to the server's network) is configured as untrusted, DHCP responses from the server are dropped. The fix: configure the uplink to the DHCP server as a trusted port in DHCP snooping.

Frequently asked questions — DHCP Snooping and DAI

What attack does DHCP snooping prevent?

DHCP snooping prevents rogue DHCP server attacks. An attacker connects a device running a DHCP server to the network and responds to client DISCOVER messages before the legitimate server. The attacker's DHCP server assigns IP addresses with the attacker's IP as the default gateway — all client traffic routes through the attacker (man-in-the-middle). DHCP snooping drops these rogue server responses on untrusted ports.
