6.7.1. DHCP Snooping and DAI
The Attack (DHCP Spoofing): An attacker plugs in a laptop running a DHCP server. When your users' PCs send DHCP Discover broadcasts, the attacker's laptop responds faster than your legitimate server. The user gets an IP address from the attacker—with the attacker's IP as the default gateway. Now all the user's traffic flows through the attacker's laptop before going to the real network. Passwords, emails, everything—captured.
The Defense (DHCP Snooping): DHCP Snooping divides ports into trusted and untrusted. Only trusted ports (uplinks to your infrastructure) can send DHCP server responses. If an untrusted port sends a DHCP Offer or DHCP Ack, the switch drops it.
As a bonus, DHCP Snooping builds a binding table: a record of which MAC address received which IP address on which port. This table becomes the foundation for DAI.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
! Uplink to distribution: the only port allowed to send DHCP Offer/Ack
Switch(config-if)# exit
Switch(config)# interface range GigabitEthernet0/2 - 48
! Access ports stay untrusted (default): no configuration needed
The Attack (ARP Spoofing): Even with DHCP snooping, an attacker can manually configure their IP and send gratuitous ARP replies: "Hey everyone, I'm 192.168.1.1!" Your users' PCs update their ARP caches—now traffic destined for the gateway goes to the attacker instead.
The Defense (Dynamic ARP Inspection / DAI): DAI validates ARP packets against the DHCP snooping binding table. If an ARP reply claims "192.168.1.50 is at MAC aa:bb:cc:dd:ee:ff" but the binding table says 192.168.1.50 was assigned to a different MAC, DAI drops the ARP packet.
Switch(config)# ip arp inspection vlan 10,20,30
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
! Uplink to distribution: ARP from the infrastructure bypasses inspection
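As an added worked example (not part of the original text, and not Cisco code), the Python model below applies the two per-packet decisions described above to a handful of constructed packets: DHCP server messages are accepted only from trusted ports, accepted Acks populate the binding table, and ARP arriving on untrusted ports must match that table. Port names, VLANs, MAC addresses and IP addresses are made up for the illustration.

```python
class AccessSwitch:
    """Per-packet decision logic of DHCP snooping and DAI (toy model, constructed example)."""

    def __init__(self, trusted_ports, snooped_vlans):
        self.trusted = set(trusted_ports)   # uplinks: ip dhcp snooping trust / ip arp inspection trust
        self.vlans = set(snooped_vlans)     # ip dhcp snooping vlan ... / ip arp inspection vlan ...
        self.bindings = {}                  # (vlan, ip) -> client MAC, learned from DHCP Acks

    def dhcp(self, port, vlan, msg, client_mac=None, yiaddr=None):
        """Forward a DHCP message? OFFER/ACK are accepted only from trusted ports;
        an accepted ACK records the client's lease in the binding table."""
        if vlan not in self.vlans:
            return True                     # snooping not enabled on this VLAN
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            return False                    # rogue DHCP server on an access port
        if msg == "ACK":
            self.bindings[(vlan, yiaddr)] = client_mac
        return True

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Forward an ARP packet? Trusted ports bypass DAI; on untrusted ports the
        sender IP/MAC pair must match a DHCP snooping binding or the packet is dropped."""
        if vlan not in self.vlans or port in self.trusted:
            return True
        return self.bindings.get((vlan, sender_ip)) == sender_mac


def run_scenario():
    """Replay the attacks and defenses from this section; returns {name: forwarded?}."""
    sw = AccessSwitch(trusted_ports={"Gi0/1"}, snooped_vlans={10, 20, 30})
    pc, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"        # constructed MACs
    return {
        # the real server behind the uplink answers a PC on Gi0/5: forwarded, binding learned
        "legit_ack": sw.dhcp("Gi0/1", 10, "ACK", client_mac=pc, yiaddr="192.168.10.50"),
        # attacker's laptop on Gi0/7 tries to answer a Discover first: dropped
        "rogue_offer": sw.dhcp("Gi0/7", 10, "OFFER", client_mac=pc, yiaddr="192.168.10.99"),
        # the PC's own ARP matches its binding: forwarded
        "pc_arp": sw.arp("Gi0/5", 10, "192.168.10.50", pc),
        # gratuitous ARP "I'm the gateway" from an access port: no binding, dropped
        "spoof_gateway": sw.arp("Gi0/7", 10, "192.168.10.1", rogue),
        # attacker claims the PC's IP with their own MAC: binding disagrees, dropped
        "steal_pc_ip": sw.arp("Gi0/7", 10, "192.168.10.50", rogue),
        # the real gateway's ARP arrives on the trusted uplink and is not inspected
        "gateway_arp": sw.arp("Gi0/1", 10, "192.168.10.1", "00:00:5e:00:01:01"),
    }
```

Remove Gi0/1 from trusted_ports and gateway_arp becomes False: the real gateway's ARP replies are dropped because a statically addressed router never appears in the DHCP binding table.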
What breaks if you forget to trust your uplinks: The switch drops legitimate DHCP responses and ARP packets from your infrastructure. Users can't get IP addresses, and traffic stops flowing. Always trust your uplinks first.
⚠️ Exam Trap: DAI requires DHCP snooping to be enabled first—it uses the binding table. Enable DHCP snooping before DAI.