Introduction
DHCP Snooping and Dynamic ARP Inspection (DAI) are two of the most critical Layer 2 security features available on Cisco Catalyst switches. Together they form a defence-in-depth strategy that prevents rogue DHCP servers from poisoning your network and stops ARP spoofing attacks that can lead to man-in-the-middle interception, data theft, and denial of service.
DHCP Snooping acts as a firewall between untrusted hosts and trusted DHCP servers. It builds a binding table that maps client MAC addresses to their legitimately assigned IP addresses, lease times, VLAN IDs, and interface information. DAI then consumes that binding table to validate every ARP packet on untrusted ports, dropping any ARP reply or request whose source MAC-to-IP mapping does not match a known DHCP binding.
This run book walks you through every step — from initial design decisions to full production deployment — with real commands tested on Cisco IOS 15.x and IOS-XE 16.x/17.x Catalyst platforms.
Prerequisites and Lab Topology
Hardware and Software
- Cisco Catalyst 2960-X, 3650, 3850, 9200, 9300, or 9500 series (IOS 15.2+ or IOS-XE 16.6+)
- A legitimate DHCP server (ISC DHCP, Windows DHCP, or a Cisco router acting as DHCP server)
- At least two VLANs configured and operational
- Console or SSH access with privilege level 15
Reference Topology
            +-------------------------+
            |       DHCP Server       |
            |      192.168.10.5       |
            +------------+------------+
                         |
             Gi1/0/1 (Trusted Uplink)
                         |
            +------------+------------+
            |       SW-ACCESS-01      |
            |      Catalyst 9300      |
            +--+---------+---------+--+
               |         |         |
           Gi1/0/10  Gi1/0/11  Gi1/0/12
           (VLAN 10) (VLAN 10) (VLAN 20)
             PC-A      PC-B      PC-C
           Untrusted Untrusted Untrusted
In this topology, Gi1/0/1 connects to the distribution switch or directly to the DHCP server infrastructure. All end-user ports (Gi1/0/10–12) are untrusted.
Part 1 — DHCP Snooping Configuration
Step 1: Enable DHCP Snooping Globally
SW-ACCESS-01# configure terminal
SW-ACCESS-01(config)# ip dhcp snooping
SW-ACCESS-01(config)# ip dhcp snooping vlan 10,20
What this does: The first command activates the DHCP Snooping engine globally. The second restricts snooping to VLANs 10 and 20 only. Snooping on VLANs you don't specify is not performed, saving CPU resources.
Step 2: Configure Trusted Ports
Trusted ports are those that connect to legitimate DHCP servers or to upstream switches/routers. DHCP server responses (OFFER, ACK) are only permitted on trusted ports.
SW-ACCESS-01(config)# interface GigabitEthernet1/0/1
SW-ACCESS-01(config-if)# description Uplink to Distribution / DHCP Server
SW-ACCESS-01(config-if)# ip dhcp snooping trust
SW-ACCESS-01(config-if)# exit
Critical rule: Every port is untrusted by default once DHCP Snooping is enabled. Only mark uplinks and DHCP server-facing ports as trusted. Never trust access ports.
Step 3: Configure Rate Limiting on Untrusted Ports
Rate limiting prevents DHCP starvation attacks where a malicious host floods DISCOVER packets to exhaust the DHCP pool.
SW-ACCESS-01(config)# interface range GigabitEthernet1/0/10 - 12
SW-ACCESS-01(config-if-range)# ip dhcp snooping limit rate 15
SW-ACCESS-01(config-if-range)# exit
This sets a limit of 15 DHCP packets per second per port. Exceeding this rate causes the port to enter an err-disabled state. A reasonable value for standard access ports is 10–20 pps. Adjust based on your environment.
Step 4: Enable Automatic err-disabled Recovery
SW-ACCESS-01(config)# errdisable recovery cause dhcp-rate-limit
SW-ACCESS-01(config)# errdisable recovery interval 300
This automatically re-enables a port 300 seconds (5 minutes) after it was shut down due to DHCP rate-limit violations.
Step 5: Preserve Option 82 Behaviour
By default, once DHCP Snooping is enabled, Cisco IOS inserts DHCP Option 82 (Relay Agent Information) into DHCP packets. If your DHCP server does not support Option 82 and drops packets containing it, you may need to disable insertion:
SW-ACCESS-01(config)# no ip dhcp snooping information option
If your environment uses DHCP relay (ip helper-address) through the switch, keep Option 82 enabled (the default). Only disable it when the DHCP server rejects Option 82 packets.
Step 6: Persist the Binding Table Across Reboots
The DHCP snooping binding table is stored in RAM by default. If the switch reboots, all bindings are lost, and DAI will block all traffic until clients renew their DHCP leases. To prevent this:
SW-ACCESS-01(config)# ip dhcp snooping database flash:/dhcp-snooping-db.txt
SW-ACCESS-01(config)# ip dhcp snooping database write-delay 60
SW-ACCESS-01(config)# ip dhcp snooping database timeout 120
You can also use a TFTP or FTP server for remote storage:
SW-ACCESS-01(config)# ip dhcp snooping database tftp://192.168.10.100/dhcp-snooping/sw-access-01-bindings.txt
Step 7: Verify DHCP Snooping
SW-ACCESS-01# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option  Rate limit (pps)
-----------------------    -------    ------------  ----------------
GigabitEthernet1/0/1       yes        yes           unlimited
GigabitEthernet1/0/10      no         no            15
GigabitEthernet1/0/11      no         no            15
GigabitEthernet1/0/12      no         no            15
SW-ACCESS-01# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type            VLAN  Interface
------------------  ---------------  ----------  --------------  ----  --------------------
AA:BB:CC:11:22:33   192.168.10.101   86400       dhcp-snooping   10    GigabitEthernet1/0/10
AA:BB:CC:44:55:66   192.168.10.102   86400       dhcp-snooping   10    GigabitEthernet1/0/11
AA:BB:CC:77:88:99   192.168.20.50    86400       dhcp-snooping   20    GigabitEthernet1/0/12
Total number of bindings: 3
SW-ACCESS-01# show ip dhcp snooping statistics
Packets Forwarded = 1247
Packets Dropped = 3
Packets Dropped From untrusted ports = 3
Part 2 — Dynamic ARP Inspection (DAI) Configuration
DAI relies on the DHCP snooping binding table to validate ARP packets. You must enable DHCP Snooping before enabling DAI. If DAI is enabled without a populated binding table, all ARP traffic on untrusted ports will be dropped.
Step 1: Enable DAI on Target VLANs
SW-ACCESS-01(config)# ip arp inspection vlan 10,20
Step 2: Configure Trusted Ports for DAI
Just as with DHCP Snooping, uplink ports to other switches or routers should be trusted for ARP inspection:
SW-ACCESS-01(config)# interface GigabitEthernet1/0/1
SW-ACCESS-01(config-if)# ip arp inspection trust
SW-ACCESS-01(config-if)# exit
Note: The trust states for DHCP Snooping and DAI are configured independently. A port can be DHCP-snooping trusted but DAI untrusted (uncommon) or vice versa. In most designs, uplink ports are trusted for both.
Step 3: Configure ARP Rate Limiting
DAI applies a default rate limit of 15 ARP packets per second on untrusted ports with a burst interval of 1 second. You can tune this:
SW-ACCESS-01(config)# interface range GigabitEthernet1/0/10 - 12
SW-ACCESS-01(config-if-range)# ip arp inspection limit rate 20 burst interval 2
SW-ACCESS-01(config-if-range)# exit
This allows 20 ARP packets per second with a 2-second burst window. If a host exceeds 40 ARP packets in 2 seconds, the port is err-disabled.
Step 4: Enable err-disabled Recovery for DAI
SW-ACCESS-01(config)# errdisable recovery cause arp-inspection
SW-ACCESS-01(config)# errdisable recovery interval 300
Step 5: Enable Additional Validation (Recommended)
By default, DAI only validates the source MAC and source IP in ARP packets against the binding table. You can enable additional checks:
SW-ACCESS-01(config)# ip arp inspection validate src-mac dst-mac ip
Validation options explained:
- src-mac — Checks that the source MAC in the Ethernet header matches the sender MAC in the ARP body
- dst-mac — Checks that the destination MAC in the Ethernet header matches the target MAC in the ARP body (for ARP replies)
- ip — Checks for invalid or unexpected IP addresses (e.g., 0.0.0.0 in the sender IP of an ARP reply, or 255.255.255.255)
Important: The ip arp inspection validate command is not additive. Each new command replaces the previous validation set. Always specify all desired checks in a single command.
Step 6: ARP ACLs for Static Hosts
Hosts with static IP addresses will not appear in the DHCP snooping binding table. DAI will drop their ARP packets unless you create an ARP ACL:
SW-ACCESS-01(config)# arp access-list STATIC-HOSTS
SW-ACCESS-01(config-arp-nacl)# permit ip host 192.168.10.200 mac host 00AA.00BB.00CC
SW-ACCESS-01(config-arp-nacl)# permit ip host 192.168.10.201 mac host 00AA.00BB.00DD
SW-ACCESS-01(config-arp-nacl)# exit
Apply the ARP ACL to the VLAN. Without the static keyword, DAI checks the ARP ACL first; if no match is found, it falls back to the DHCP snooping binding table:
SW-ACCESS-01(config)# ip arp inspection filter STATIC-HOSTS vlan 10
If you want to use only the ARP ACL (no DHCP snooping fallback), add the static keyword:
SW-ACCESS-01(config)# ip arp inspection filter STATIC-HOSTS vlan 10 static
Without static, DAI checks the ARP ACL first, then checks the DHCP snooping database if the ACL produces no explicit match. With static, only the ARP ACL is used — any ARP packet not matching the ACL is dropped.
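The lookup order described in Steps 5 and 6, modelled in Python as an added illustration (not Cisco code): the bindings and the STATIC-HOSTS ACL are the values used in this run book, the packets are constructed, and the placement of the validate checks ahead of the ACL/binding lookup is an assumption of the model.

```python
"""Model of the DAI lookup order from Steps 5 and 6: optional validate checks,
then the ARP ACL, then the DHCP snooping bindings unless 'static' is set.
Added illustration, not Cisco code; real switches evaluate this in hardware."""
from dataclasses import dataclass, field
import ipaddress, re

@dataclass
class ArpPacket:
    port: str
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    sender_mac: str    # ARP body sender hardware address
    sender_ip: str     # ARP body sender protocol address
    target_mac: str    # ARP body target hardware address (meaningful in replies)
    is_reply: bool

@dataclass
class DaiVlanPolicy:
    trusted_ports: set
    bindings: set                                # {(mac, ip)} learned by DHCP snooping
    acl: list = field(default_factory=list)      # [(action, ip, mac)], first match wins
    static: bool = False                         # 'static' keyword: no fallback to bindings
    validate: set = field(default_factory=set)   # subset of {"src-mac", "dst-mac", "ip"}

def norm(mac):
    """Canonical MAC so AA:BB:CC:11:22:33 and AABB.CC11.2233 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def dai_verdict(pkt, pol):
    """Return 'forward' or 'drop: <reason>' for one ARP packet on one VLAN."""
    if pkt.port in pol.trusted_ports:
        return "forward"                         # trusted ports bypass DAI entirely
    if "src-mac" in pol.validate and norm(pkt.eth_src) != norm(pkt.sender_mac):
        return "drop: src-mac mismatch"
    if "dst-mac" in pol.validate and pkt.is_reply and norm(pkt.eth_dst) != norm(pkt.target_mac):
        return "drop: dst-mac mismatch"
    if "ip" in pol.validate:
        ip = ipaddress.ip_address(pkt.sender_ip)
        if ip.is_unspecified or ip.is_multicast or str(ip) == "255.255.255.255":
            return "drop: invalid sender ip"
    for action, acl_ip, acl_mac in pol.acl:      # ARP ACL first; an explicit match is final
        if acl_ip == pkt.sender_ip and norm(acl_mac) == norm(pkt.sender_mac):
            return "forward" if action == "permit" else "drop: acl deny"
    if pol.static:
        return "drop: no acl match (static)"     # implicit deny is final with 'static'
    if any(norm(m) == norm(pkt.sender_mac) and i == pkt.sender_ip for m, i in pol.bindings):
        return "forward"
    return "drop: no dhcp binding"

def vlan10_policy(static=False):
    """VLAN 10 as configured in this run book: PC-A/PC-B bindings plus STATIC-HOSTS."""
    return DaiVlanPolicy(
        trusted_ports={"Gi1/0/1"},
        bindings={("AA:BB:CC:11:22:33", "192.168.10.101"), ("AA:BB:CC:44:55:66", "192.168.10.102")},
        acl=[("permit", "192.168.10.200", "00AA.00BB.00CC")],
        static=static, validate={"src-mac", "dst-mac", "ip"})

def demo():
    """Run constructed packets through the VLAN 10 policy; returns {label: verdict}."""
    bcast, zero = "FF:FF:FF:FF:FF:FF", "00:00:00:00:00:00"
    pkts = {
        "pc-a request": ArpPacket("Gi1/0/10", "AA:BB:CC:11:22:33", bcast,
                                  "AA:BB:CC:11:22:33", "192.168.10.101", zero, False),
        "static host": ArpPacket("Gi1/0/15", "00AA.00BB.00CC", bcast,
                                 "00AA.00BB.00CC", "192.168.10.200", zero, False),
        "spoofed gateway claim": ArpPacket("Gi1/0/10", "AA:BB:CC:11:22:33", bcast,
                                           "AA:BB:CC:11:22:33", "192.168.10.1", zero, False),
        "zero sender ip reply": ArpPacket("Gi1/0/11", "AA:BB:CC:44:55:66", "AA:BB:CC:11:22:33",
                                          "AA:BB:CC:44:55:66", "0.0.0.0", "AA:BB:CC:11:22:33", True),
    }
    return {label: dai_verdict(p, vlan10_policy()) for label, p in pkts.items()}
```

Running demo() with static=True in vlan10_policy() shows the point made above: the DHCP-assigned host PC-A is then dropped too, because nothing outside the ACL is ever consulted.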
Step 7: Verify DAI
SW-ACCESS-01# show ip arp inspection vlan 10,20
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active      STATIC-HOSTS       No
   20     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
   20     Deny             Deny              Off
SW-ACCESS-01# show ip arp inspection statistics vlan 10
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10           4523              7              5              2

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10           4521              2              0                     3

 Vlan   Dest MAC Failures   IP Validation Failures
 ----   -----------------   ----------------------
   10                   1                        3
SW-ACCESS-01# show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1          Trusted         None          N/A
 Gi1/0/10         Untrusted       20            2
 Gi1/0/11         Untrusted       20            2
 Gi1/0/12         Untrusted       20            2
Part 3 — Logging and Monitoring
DAI Logging
DAI logs dropped ARP packets by default via syslog. You can control the logging buffer and rate:
SW-ACCESS-01(config)# ip arp inspection log-buffer entries 512
SW-ACCESS-01(config)# ip arp inspection log-buffer logs 10 interval 60
This stores up to 512 log entries and generates a syslog message for every 10 logged events within a 60-second window.
View the DAI Log
SW-ACCESS-01# show ip arp inspection log
Total Log Buffer Size : 512
Syslog rate : 10 entries per 60 seconds
Interface  Vlan  Sender MAC        Sender IP       Num Pkts  Reason     Time
---------  ----  ----------------  --------------  --------  ---------  ----------------------------
Gi1/0/10   10    DEAD.BEEF.CAFE    192.168.10.50   3         DHCP Deny  14:23:10 UTC Mon Feb 16 2026
Gi1/0/12   20    FACE.B00C.1234    192.168.20.99   2         DHCP Deny  14:23:44 UTC Mon Feb 16 2026
Syslog Messages to Watch
%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message ...
%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop on untrusted port ...
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/10, vlan 10 ...
%PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/10, putting Gi1/0/10 in err-disable state
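As an added example (not Cisco tooling), a small Python parser that turns these messages into per-port counts and alert strings for a SIEM or ticket queue; the sample lines are constructed to match the message formats shown above, and the bracketed detail after the DAI prefix is treated as opaque text rather than parsed.

```python
"""Turn the DHCP snooping / DAI syslog messages listed above into per-port
counts a SOC can alert on. Added example, not Cisco tooling: SAMPLE_LOG is
constructed and modelled on the message formats shown in this run book; the
bracketed detail after the DAI prefix is treated as opaque text."""
import re
from collections import Counter

DAI_DENY = re.compile(r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((Req|Res)\) "
                      r"on (\S+), vlan (\d+)")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
UNTRUSTED_SERVER = re.compile(r"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: .*?"
                              r"message type: (\w+), MAC sa: (\S+)")
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a DHCP server sends these

SAMPLE_LOG = [  # constructed sample lines, not captured from a real switch
    "Feb 16 14:23:10.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/10, vlan 10."
    "([dead.beef.cafe/192.168.10.50/0000.0000.0000/192.168.10.1/14:23:10 UTC Mon Feb 16 2026])",
    "Feb 16 14:23:12.440: %SW_DAI-4-DHCP_SNOOPING_DENY: 4 Invalid ARPs (Res) on Gi1/0/10, vlan 10."
    "([dead.beef.cafe/192.168.10.1/aabb.cc11.2233/192.168.10.101/14:23:12 UTC Mon Feb 16 2026])",
    "Feb 16 14:23:44.007: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/12, vlan 20."
    "([face.b00c.1234/192.168.20.99/0000.0000.0000/192.168.20.1/14:23:44 UTC Mon Feb 16 2026])",
    "Feb 16 14:23:50.512: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/10, "
    "putting Gi1/0/10 in err-disable state",
    "Feb 16 14:25:03.900: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message "
    "on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455",
    "Feb 16 14:25:04.100: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message "
    "because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0011.2233.4455, MAC sa: 0011.2233.4466",
]

def summarize(lines):
    """Aggregate one log excerpt: invalid-ARP counts per (port, vlan), err-disabled
    ports with their cause, and DHCP server messages seen on untrusted ports."""
    arp = Counter()
    errdis, rogue, unmatched = [], [], 0
    for line in lines:
        if m := DAI_DENY.search(line):
            arp[(m[3], int(m[4]))] += int(m[1])   # 'N Invalid ARPs' is already a count
        elif m := ERR_DISABLE.search(line):
            errdis.append((m[2], m[1]))
        elif m := UNTRUSTED_SERVER.search(line):
            if m[1] in SERVER_MESSAGES:
                rogue.append((m[1], m[2]))
        else:
            unmatched += 1                        # e.g. MATCH_MAC_FAIL: counted, not parsed here
    return {"arp_drops": dict(arp), "err_disabled": errdis, "rogue_dhcp": rogue, "unmatched": unmatched}

def alerts(summary, threshold=5):
    """Turn the summary into alert strings; threshold = invalid ARPs per port worth a ticket."""
    out = [f"possible rogue DHCP server: {t} from MAC {mac} dropped on an untrusted port"
           for t, mac in summary["rogue_dhcp"]]
    out += [f"{port} vlan {vlan}: {n} invalid ARPs dropped (threshold {threshold})"
            for (port, vlan), n in sorted(summary["arp_drops"].items()) if n >= threshold]
    out += [f"{port} err-disabled by {cause}; check the host before recovery re-enables it"
            for port, cause in summary["err_disabled"]]
    return out
```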
Part 4 — Complete Production Configuration Example
Below is a consolidated configuration suitable for copy-paste into a Catalyst 9300 running IOS-XE 17.x:
! =============================================
! DHCP Snooping Configuration
! =============================================
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
ip dhcp snooping database flash:/dhcp-snooping-db.txt
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 120
! =============================================
! Dynamic ARP Inspection Configuration
! =============================================
ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 512
ip arp inspection log-buffer logs 10 interval 60
! ARP ACL for static hosts
arp access-list STATIC-HOSTS
permit ip host 192.168.10.200 mac host 00AA.00BB.00CC
permit ip host 192.168.10.201 mac host 00AA.00BB.00DD
permit ip host 192.168.10.1 mac host 00AA.00BB.0001
ip arp inspection filter STATIC-HOSTS vlan 10
! =============================================
! Errdisable Recovery
! =============================================
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
! =============================================
! Trusted Uplink Ports
! =============================================
interface GigabitEthernet1/0/1
description Uplink-to-Distribution
switchport mode trunk
switchport trunk allowed vlan 10,20,30
ip dhcp snooping trust
ip arp inspection trust
!
interface GigabitEthernet1/0/2
description Uplink-to-DHCP-Server
switchport mode access
switchport access vlan 10
ip dhcp snooping trust
ip arp inspection trust
!
! =============================================
! Untrusted Access Ports
! =============================================
interface range GigabitEthernet1/0/10 - 48
description User-Access-Port
switchport mode access
ip dhcp snooping limit rate 15
ip arp inspection limit rate 20 burst interval 2
!
Part 5 — Multi-Switch Deployment Considerations
Stacked / StackWise Switches
On Catalyst 3850/9300 stacks, DHCP snooping and DAI configuration is stack-wide. The binding database is synchronised across all stack members. Ensure the database persistence path (flash:) refers to the active switch; use flash-1: notation if needed.
Trunk-to-Trunk (Switch-to-Switch)
When deploying across multiple access switches:
- Trunk ports between switches should be trusted for both DHCP snooping and DAI on both ends
- Each access switch maintains its own binding table
- Enable DHCP snooping and DAI on every access-layer switch, not just the one closest to the DHCP server
Routed Interfaces and SVIs
DAI and DHCP snooping operate on Layer 2 switched ports only. They do not apply to routed interfaces or SVIs. If you have a Layer 3 switch performing inter-VLAN routing, ARP traffic on the SVI itself is not inspected — only traffic on the physical switchports.
Part 6 — Troubleshooting
Problem: All clients lose connectivity after enabling DAI
Cause: The DHCP snooping binding table is empty (e.g., DAI was enabled before clients obtained DHCP leases).
Fix:
SW-ACCESS-01# show ip dhcp snooping binding
Total number of bindings: 0
! Force clients to renew:
! On Windows client: ipconfig /release && ipconfig /renew
! On Linux client: sudo dhclient -r && sudo dhclient
! Or temporarily disable DAI, let clients get leases, re-enable:
SW-ACCESS-01(config)# no ip arp inspection vlan 10,20,30
! Wait for clients to get DHCP leases...
SW-ACCESS-01(config)# ip arp inspection vlan 10,20,30
Problem: Static IP hosts are blocked by DAI
Cause: No ARP ACL or DHCP snooping static binding exists for the host.
Fix — Option A (ARP ACL):
SW-ACCESS-01(config)# arp access-list STATIC-HOSTS
SW-ACCESS-01(config-arp-nacl)# permit ip host 192.168.10.200 mac host 00AA.00BB.00CC
SW-ACCESS-01(config-arp-nacl)# exit
SW-ACCESS-01(config)# ip arp inspection filter STATIC-HOSTS vlan 10
Fix — Option B (Static binding entry):
SW-ACCESS-01(config)# ip dhcp snooping binding 00AA.00BB.00CC vlan 10 192.168.10.200 interface GigabitEthernet1/0/15 expiry 4294967295
The expiry value of 4294967295 seconds (~136 years) effectively makes it permanent.
Problem: Port goes err-disabled frequently
Cause: Rate limit is too low for the environment (e.g., VoIP phones with frequent ARP, or virtual machines behind a port).
Fix: Increase the rate limit and verify:
SW-ACCESS-01(config)# interface GigabitEthernet1/0/10
SW-ACCESS-01(config-if)# ip arp inspection limit rate 50 burst interval 5
SW-ACCESS-01(config-if)# ip dhcp snooping limit rate 30
Problem: DHCP snooping binding table lost after reboot
Cause: Database persistence not configured.
Fix:
SW-ACCESS-01(config)# ip dhcp snooping database flash:/dhcp-snooping-db.txt
SW-ACCESS-01# show ip dhcp snooping database
Agent URL : flash:/dhcp-snooping-db.txt
Write delay Timer : 300 seconds
Last succeeded time : 14:30:00 UTC Mon Feb 16 2026
Last failed time : None
Last failed reason : N/A
Useful Debug Commands
SW-ACCESS-01# debug ip dhcp snooping packet
SW-ACCESS-01# debug ip dhcp snooping event
SW-ACCESS-01# debug arp inspection
! Remember to disable debugs after troubleshooting:
SW-ACCESS-01# undebug all
Part 7 — Integration with Other Layer 2 Security Features
IP Source Guard (IPSG)
IP Source Guard also uses the DHCP snooping binding table to filter traffic at Layer 2 based on source IP and MAC. Enable it on untrusted ports to prevent IP spoofing:
SW-ACCESS-01(config)# interface range GigabitEthernet1/0/10 - 48
SW-ACCESS-01(config-if-range)# ip verify source
To also validate the source MAC (requires port-security to be enabled):
SW-ACCESS-01(config-if-range)# ip verify source port-security
Port Security
Port security limits the number of MAC addresses per port and complements DHCP snooping and DAI:
SW-ACCESS-01(config)# interface range GigabitEthernet1/0/10 - 48
SW-ACCESS-01(config-if-range)# switchport port-security
SW-ACCESS-01(config-if-range)# switchport port-security maximum 3
SW-ACCESS-01(config-if-range)# switchport port-security violation restrict
SW-ACCESS-01(config-if-range)# switchport port-security aging time 60
SW-ACCESS-01(config-if-range)# switchport port-security aging type inactivity
802.1X and DHCP Snooping
When using 802.1X authentication, DHCP snooping works seamlessly. The binding table records the authenticated port. Ensure that multi-auth or multi-domain mode is correctly configured if you have IP phones and PCs on the same port.
Part 8 — Best Practices Summary
- Always enable DHCP snooping before DAI — DAI depends on the binding table
- Persist the binding database — Use flash or TFTP to survive reboots
- Trust only uplink and DHCP server ports — Never trust end-user access ports
- Use ARP ACLs for static hosts — Printers, servers, IP phones with static IPs need explicit entries
- Enable additional DAI validation — Use ip arp inspection validate src-mac dst-mac ip
- Configure err-disabled recovery — Prevents manual intervention for transient violations
- Set appropriate rate limits — Too low causes false positives; too high reduces protection
- Deploy on all access switches — A single switch without DAI becomes the attack vector
- Combine with IP Source Guard — For comprehensive Layer 2 anti-spoofing
- Monitor syslog and SNMP traps — Forward DAI and DHCP snooping logs to your SIEM
Frequently Asked Questions
1. Can I enable DAI without DHCP snooping?
Technically yes, but DAI will drop all ARP packets on untrusted ports because there is no binding table to validate against. You would need ARP ACLs for every host, which is impractical at scale. Always enable DHCP snooping first.
2. Does DHCP snooping work on trunk ports?
Yes. DHCP snooping inspects DHCP packets on both access and trunk ports. On trunk ports, it examines the VLAN tag to determine which VLAN the DHCP packet belongs to and applies snooping rules accordingly.
3. What happens to ARP traffic on a trusted DAI port?
ARP packets on trusted ports are forwarded without any inspection or rate limiting. This is why you must only trust ports that connect to infrastructure devices you control.
4. How do I handle hosts that use both DHCP and static IPs on the same VLAN?
Use an ARP ACL for the static hosts and apply it with ip arp inspection filter ACL-NAME vlan X (without the static keyword). DAI will check the ACL first, then fall back to the DHCP snooping binding table for DHCP hosts.
5. Does DHCP snooping affect DHCPv6 or IPv6 traffic?
No. DHCP snooping and DAI are IPv4-only features. For IPv6 environments, use IPv6 RA Guard, DHCPv6 Guard, and IPv6 Source Guard, which are separate features available on Catalyst 3850/9000 series and later.
6. What is the default ARP rate limit for DAI on Cisco IOS?
The default rate limit on untrusted ports is 15 ARP packets per second with a burst interval of 1 second. Trusted ports have no rate limit. Exceeding the rate limit on an untrusted port causes the port to be err-disabled.
7. Can DHCP snooping break my DHCP relay setup?
Yes, if not configured properly. When a switch acts as a DHCP relay agent (using ip helper-address on the SVI), Option 82 insertion is enabled by default. If the DHCP server does not support Option 82, it may drop the relayed packets. Disable Option 82 with no ip dhcp snooping information option or configure the server to handle Option 82.
8. How do I add a manual static binding to the DHCP snooping table?
Use the command ip dhcp snooping binding <MAC> vlan <VLAN-ID> <IP> interface <INTF> expiry <SECONDS>. For a permanent entry, set expiry to 4294967295. Example: ip dhcp snooping binding 00AA.00BB.00CC vlan 10 192.168.10.200 interface GigabitEthernet1/0/15 expiry 4294967295.
9. Does enabling DHCP snooping cause any performance impact on the switch?
DHCP snooping has minimal performance impact because it only inspects DHCP packets (a tiny fraction of total traffic). DAI has slightly more overhead as it inspects all ARP packets, but on modern ASICs (Catalyst 9000 series), this is handled in hardware with negligible throughput impact. Rate limiting is the primary CPU protection mechanism.
10. How do I migrate a live network to DHCP snooping and DAI without causing an outage?
Follow this sequence: (1) Enable DHCP snooping globally and on target VLANs. (2) Mark uplinks as trusted immediately. (3) Wait for all clients to renew their DHCP leases so the binding table is fully populated — verify with show ip dhcp snooping binding. (4) Create ARP ACLs for any static hosts. (5) Only then enable DAI on the VLANs. (6) Monitor logs closely for the first 24-48 hours and adjust rate limits or add missing static entries as needed.
