
Layer 2 Security (Port Security, DHCP Snooping, DAI) Explained for CCNA

Firewalls and intrusion detection systems protect the perimeter, but your switch infrastructure has its own set of vulnerabilities that operate entirely at Layer 2, below where most perimeter defenses look. An attacker with physical or logical access to the network can flood the CAM table to force the switch into hub behavior, set up a rogue DHCP server to redirect traffic through their machine, or send fake ARP replies to intercept communications. Three Cisco switch features directly address these attacks: port security, DHCP snooping, and Dynamic ARP Inspection. CCNA tests all three including their configuration syntax and violation modes.


Port security

Port security restricts which MAC addresses can use a switch port. It protects against CAM table overflow attacks, where an attacker floods the switch with frames containing random source MACs until the table is full. Once the table is full, the switch cannot learn new legitimate MACs and starts flooding all traffic like a hub, allowing the attacker to capture frames meant for other hosts.

Configuring port security sets a maximum number of allowed MAC addresses on the port. You can manually specify which MACs are allowed (static), or use sticky learning which automatically remembers the first MAC seen and makes it permanent. If a violation occurs, the switch responds based on the configured violation mode.

Violation modes define what happens when an unauthorized MAC appears. Shutdown is the default: the port immediately goes into err-disabled state and all traffic stops. Restrict drops frames from the unauthorized MAC, increments a counter, and sends a syslog message, but the port stays up. Protect silently drops unauthorized frames with no counter increment and no log. To recover an err-disabled port, enter shutdown then no shutdown on the interface, or configure errdisable recovery.
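Port security as described above, shown as an added IOS configuration example (not from the original article); the interface names, VLAN number and MAC address are assumed, and the MAC is constructed:

```cisco
! Access port for a user workstation (interface name and VLAN assumed)
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port security is rejected on a port in dynamic (auto/desirable) mode,
 ! so the access mode line above must come first
 switchport port-security
 ! Allow two MACs: an IP phone and the PC behind it
 switchport port-security maximum 2
 ! Sticky learning: the first MACs seen are written into the running config
 switchport port-security mac-address sticky
 ! Restrict: drop offending frames, count them, send syslog, keep the port up
 switchport port-security violation restrict
!
! A second port using the default violation mode (shutdown = err-disabled)
! with one statically allowed MAC (constructed value)
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0000.1111.2222
!
! Instead of a manual shutdown / no shutdown, let the switch recover
! err-disabled ports caused by a security violation after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: violation mode, count, secured MACs and err-disable status
show port-security interface GigabitEthernet0/1
show port-security address
show errdisable recovery
```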

DHCP snooping and Dynamic ARP Inspection

DHCP snooping prevents rogue DHCP servers from responding to clients. A rogue DHCP server can hand out a fake default gateway, pointing all clients to the attacker's machine for a perfect man-in-the-middle position. DHCP snooping classifies each port as trusted or untrusted. Trusted ports (uplinks to legitimate servers or distribution switches) may pass DHCP server responses. Untrusted ports (client-facing) drop any DHCP server messages. A DHCP Offer arriving on an untrusted port is dropped immediately.

DHCP snooping also builds a binding table that maps each client's MAC address to the IP it was assigned, the VLAN, and the port. This table is used by Dynamic ARP Inspection.

Dynamic ARP Inspection (DAI) stops ARP spoofing attacks where an attacker sends gratuitous ARP replies claiming to be the default gateway or another host. DAI intercepts ARP packets on untrusted ports and validates the sender's MAC and IP against the DHCP snooping binding table. If the MAC-IP pair in the ARP does not match a binding table entry, the packet is dropped. ARP packets on trusted ports are forwarded without inspection. DAI requires DHCP snooping to be enabled and the binding table to be populated.
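DHCP snooping and DAI together, as an added IOS configuration example (not from the original article); the VLAN, interface names, the static host's IP and MAC, and the rate-limit values are assumed:

```cisco
! Enable DHCP snooping globally, then for the client VLAN (VLAN 10 assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
! Snooping inserts option 82 by default; some DHCP servers drop such requests,
! so disable insertion unless a relay design needs it
no ip dhcp snooping information option
!
! Uplink toward the distribution switch and DHCP server: trusted for both features
interface GigabitEthernet0/24
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client-facing ports stay untrusted (the default). Rate limits keep a flooding
! host from exhausting the CPU; exceeding them err-disables the port
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! DAI on the same VLAN: ARP on untrusted ports is checked against the snooping
! binding table, so snooping must already be running on that VLAN
ip arp inspection vlan 10
! Optional extra checks: sender/target MAC vs. Ethernet header, sane IPs
ip arp inspection validate src-mac dst-mac ip
!
! A host with a static IP never enters the binding table; cover it with an ARP ACL
! (IP and MAC are constructed values)
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0000.1111.2222
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Let ports err-disabled by the ARP rate limit recover automatically
errdisable recovery cause arp-inspection
!
! Verification: trusted ports, bindings, DAI state and drop counters
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```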

How to choose the correct answer

Attack mitigation matching: CAM overflow attack = port security with MAC limit. Rogue DHCP server = DHCP snooping with trusted/untrusted port classification. ARP spoofing / man-in-the-middle via ARP = Dynamic ARP Inspection.

Violation mode decision: need to preserve port operation but drop bad traffic = Restrict or Protect. Need to stop all traffic immediately and alert = Shutdown (default).

DHCP snooping trust: uplinks to distribution switches and DHCP servers = trusted. Client-facing access ports = untrusted. Marking client ports as trusted defeats the purpose.

DAI dependency: DAI requires DHCP snooping enabled first. It validates against the snooping binding table. Hosts with static IPs can be covered with ARP ACLs instead.

RADIUS vs TACACS+: RADIUS encrypts only the password, is an open standard, and is used for user network access (802.1X). TACACS+ encrypts the entire payload, is Cisco-proprietary, and is used for device administration.

Layer 2 security features

  • Port security. Attack mitigated: CAM overflow, unauthorized devices. Key concept: max MACs per port; violation modes shutdown/restrict/protect.
  • DHCP snooping. Attack mitigated: rogue DHCP servers. Key concept: trusted = uplinks, untrusted = client ports; drops server messages on untrusted ports.
  • DAI. Attack mitigated: ARP spoofing / man-in-the-middle. Key concept: validates ARP against the DHCP snooping binding table on untrusted ports.
  • 802.1X. Attack mitigated: unauthorized network access. Key concept: authenticates the device before the port forwards any traffic.

Key exam facts — CCNA

  • Port security violations: Shutdown = err-disabled (default). Restrict = drop + log. Protect = silent drop.
  • DHCP snooping: trusted = uplinks. Untrusted = client ports. Server messages dropped on untrusted ports.
  • DAI requires DHCP snooping. Uses binding table to validate ARP MAC-IP pairs.
  • RADIUS: ports 1812/1813. Encrypts password only. Used for 802.1X user access.
  • TACACS+: Cisco-proprietary. Encrypts entire payload. Used for device administration access.

Common exam traps

DHCP snooping blocks all DHCP traffic on untrusted ports.

DHCP snooping blocks only DHCP server messages (Offer, Ack) on untrusted ports. Client messages (Discover, Request) still flow from untrusted ports. The goal is to prevent rogue servers, not prevent clients from getting addresses.

DAI can work independently without DHCP snooping.

DAI validates ARP packets against the DHCP snooping binding table. Without DHCP snooping enabled and a populated binding table, DAI has nothing to validate against and cannot function correctly for dynamic hosts. Static ARP ACLs can cover hosts with static IPs.

RADIUS and TACACS+ are interchangeable for all purposes.

RADIUS encrypts only the password and is the standard for 802.1X network access authentication. TACACS+ encrypts the entire payload and separates authentication, authorization, and accounting into discrete steps, making it better suited for device administration where granular command authorization is needed.
