Dynamic ARP Inspection — Validation Checks
Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.
L2 Security Troubleshooting Capstone: Trust Boundary
Advanced CCNP Layer-2 security troubleshooting on a single access switch. Diagnose and correct an inverted trust boundary that breaks DHCP and ARP validation: DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled for VLAN 10, but the uplink is not trusted for DHCP and a host port is incorrectly trusted for ARP. Use show commands to find the issues, fix the trust boundary, and restore client connectivity without changing router/host configs.
Storm Control for Multicast & Unicast
Harden the Layer-2 access edge by limiting multicast and unknown-unicast floods on host-facing ports with a non-disruptive trap action. You will apply storm-control multicast and unicast thresholds to SW1 access interfaces while leaving the uplink trusted and unrestricted for gateway/DHCP. Verify the configuration with show commands and end-to-end host reachability.
Storm Control on Broadcast Traffic
Harden the campus access edge by capping broadcast traffic per-port with storm control. In this lab you will apply a broadcast ceiling on the user-facing access ports only, choosing a shutdown action if exceeded, and verify that normal host connectivity remains intact. The uplink to the default gateway/DHCP server is trusted and must not be rate-limited.
Defense in Depth: DHCP Snooping + DAI
Harden the Layer-2 access edge by deploying a unified trust boundary for DHCP Snooping and Dynamic ARP Inspection (DAI) on a single access switch. R1 is both the default gateway and DHCP server for VLAN 10. You will enable DHCP Snooping and DAI globally for VLAN 10 and set the same uplink interface as trusted for both features, leaving host-facing access ports untrusted. This lab emphasizes the dependency and synergy between DHCP Snooping and DAI for blocking rogue DHCP/ARP activity. Grade scope: SW1 config only.
DHCP Snooping Rate Limiting
Harden the Layer-2 access edge by rate-limiting DHCP messages on untrusted ports. SW1 already has DHCP snooping enabled for VLAN 10 with the uplink trusted. Your task is to apply a per-interface rate limit on the host-facing access ports to blunt DHCP starvation attacks while leaving the trusted uplink unlimited.
Protected Ports for Host Isolation
Harden the campus access edge by isolating same-switch hosts using protected ports. You will configure switchport protected on both host-facing access interfaces so PC1 and PC2 cannot communicate at Layer 2, while all endpoints still reach the default gateway R1. This is a deterministic Layer-2 security control that mimics lightweight private-VLAN isolation on a single switch. Focus is on SW1 only; R1 and hosts are pre-provisioned.
Dynamic ARP Inspection
Harden the Layer-2 access edge by enabling Dynamic ARP Inspection (DAI) on a single access switch. DHCP Snooping is already in place and the uplink toward the DHCP server/gateway is trusted. Your job: enable DAI for VLAN 10 and trust the uplink so ARP on host-facing ports is validated against the DHCP Snooping bindings.
Errdisable Recovery for L2 Security
CCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.
DHCP Snooping Trust Boundary
Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.