DHCP and ARP are foundational protocols built on absolute trust. Attackers exploit this by deploying rogue DHCP servers or poisoning ARP caches. The 'Layer 2 Security Trinity' (Snooping, DAI, IPSG) uses the DHCP binding table to enforce integrity.
DHCP Snooping acts like a firewall for DHCP. It categorizes ports as 'trusted' (uplinks to real servers) or 'untrusted' (user ports). It drops rogue DHCP offers and builds a binding table mapping IP, MAC, VLAN, and Port.
💡 Pro-tip: The DHCP Snooping binding table is the single source of truth. DAI and IP Source Guard rely entirely on this table to validate ARP and IP traffic.
An entry in this binding table proves that the device on Gi0/1 legitimately received 192.168.1.50 from the authorized DHCP server, creating the baseline for further validation.
Dynamic ARP Inspection (DAI) intercepts all ARP packets on untrusted ports and drops any whose IP-MAC pair doesn't match the Snooping table, which stops ARP poisoning. IP Source Guard (IPSG) applies a hardware filter to the port, dropping any IP traffic whose source address doesn't match the IP bound to that port.
⚠️ If you enable DAI without enabling DHCP Snooping first, or without configuring static entries for servers with static IPs, you will instantly drop all network traffic and cause a massive outage.
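The following switch configuration, added here as an illustration and not taken from the lab, shows the enable order the warning above implies: DHCP Snooping first (so the binding table exists), then a static binding for a server that never uses DHCP, then DAI and IPSG on top. VLAN 10, the interface numbers, the server address 192.168.1.10 and its MAC 0011.2233.4455 are assumed values for this example.

```cisco
! --- Step 1: DHCP Snooping builds the binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Assumption: Gi0/24 is the uplink toward the real DHCP server
interface GigabitEthernet0/24
 description Uplink to authorized DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
! User port: untrusted by default, rate-limit DHCP to blunt starvation floods
interface GigabitEthernet0/1
 ip dhcp snooping limit rate 15

! --- Step 2: static entries for hosts with static IPs (the outage trap) ---
! Assumed server on Gi0/2 with a static address; without this entry DAI and IPSG
! would drop its ARP and IP traffic because it never appears in the snooping table.
ip source binding 0011.2233.4455 vlan 10 192.168.1.10 interface GigabitEthernet0/2

! --- Step 3: DAI validates ARP against the binding table ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! --- Step 4: IPSG filters source IP (and MAC) per port using the same table ---
interface GigabitEthernet0/1
 ip verify source port-security
interface GigabitEthernet0/2
 ip verify source port-security

! --- Verification: the binding table is the single source of truth ---
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

Reading `show ip dhcp snooping binding` before turning on DAI is the practical check: if a host that must keep working is not listed there (dynamically or via `ip source binding`), DAI will start dropping its ARP replies the moment it is enabled.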
| Feature | Validates | Prevents |
|---|---|---|
| DHCP Snooping | DHCP Offers | Rogue DHCP Servers |
| DAI | ARP Packets | ARP Poisoning / MITM |
| IPSG | IP Source Address | IP Spoofing |