IGMP snooping: off by default, default version v3, enable globally with ip igmp snooping all-vlans.
DHCP snooping: all ports untrusted by default; rogue OFFER/ACK dropped on untrusted ports.
L2 stack: snooping → DAI → IPSG. DAI/IPSG break static-IP hosts without manual ip source-binding.
Pre-Reading Self-Check
Answer each question below before reading. You will retake the same quiz at the end and compare scores.
Pre-Quiz - QoS
1. Which AOS-CX QoS stage is responsible for assigning traffic to one of the eight internal queues?
a) class-map
b) policy-map
c) schedule-profile
d) queue-profile
2. What is the default QoS trust mode on an AOS-CX interface?
a) trust dscp
b) trust cos
c) trust none
d) trust both
3. By convention on AOS-CX, which queue is used as a strict-priority queue for voice (DSCP 46/EF)?
a) Queue 0
b) Queue 3
c) Queue 5
d) Queue 7
Pre-Quiz - IGMP / Multicast
4. What is the default state of IGMP snooping on AOS-CX?
a) Enabled globally on all VLANs
b) Enabled only on VLAN 1
c) Disabled - multicast floods until enabled
d) Enabled but in passive mode
5. When IGMP snooping is enabled on a flat L2 VLAN with no PIM router, what is required for the snooping table to stay populated?
a) A snooping querier on the SVI
b) A static mrouter port on each access port
c) IGMPv1 hardcoded on every host
d) Storm control enabled
6. What is the default IGMP snooping version on AOS-CX?
a) v1
b) v2
c) v3
d) Auto-negotiated per host
Pre-Quiz - DHCP
7. The CLI ip helper-address on an SVI is used to:
a) Block rogue DHCP servers
b) Forward DHCP broadcasts as unicasts to off-segment servers
c) Build the DHCP binding database
d) Insert Option 82 only
8. Which DHCP messages does an untrusted DHCP-snooping port DROP?
a) DISCOVER and REQUEST
b) RELEASE and DECLINE
c) OFFER, ACK, and NAK (server-side messages)
d) All DHCP messages of any kind
9. What is the default trust state of every port when DHCP snooping is first enabled?
a) All ports trusted
b) All ports untrusted
c) Only uplinks trusted automatically
d) Only access ports trusted
Pre-Quiz - L2 Threat Mitigation
10. What feature does Dynamic ARP Inspection (DAI) DEPEND on for its validation source?
a) Spanning Tree state table
b) MAC address-table
c) DHCP snooping binding database
d) ARP cache timer
11. What L2 threat does IP Source Guard (IPSG) primarily defend against?
a) IP spoofing from compromised hosts
b) Broadcast storms
c) ARP cache poisoning of routers
d) Spanning Tree manipulation
12. Loop protect is intended to be applied to:
a) Uplinks toward aggregation switches
b) Access ports facing end users
c) Only management interfaces
d) Routed L3 interfaces
13. Why does enabling DAI in a server VLAN with statically addressed servers cause an outage?
a) DAI uses STP and creates a loop
b) Static-IP hosts have no DHCP binding entry, so their ARPs are dropped
c) DAI floods the CPU with ARP broadcasts
d) DAI requires IGMP snooping to be enabled first
8.1 Quality of Service on AOS-CX
Ethernet is best-effort by default. When a 1 Gb uplink fills up, every flow suffers equally - bulk traffic just slows, but a voice call drops words. QoS is the policy machinery that lets the switch say "voice goes first, video next, file copies last" when the pipe is congested.
QoS only matters at points of contention. The classic campus contention point is the access-to-aggregation uplink, where many 1 Gb edge ports converge onto a smaller number of 10/25 Gb uplinks.
The four-stage QoS pipeline
Classify - class-map: identify the traffic (DSCP, CoS, or ACL).
Mark/queue - policy-map: set DSCP/CoS, assign to internal queue.
Schedule - schedule-profile: who serves first (strict vs DWRR).
Shape/drop - queue-profile: per-queue rate limits and WRED.
The first decision a packet faces: do I trust the markings the sender wrote?
Trust mode      | Behavior                                                         | Typical use
----------------|------------------------------------------------------------------|---------------------------------
qos trust none  | Default. Ignore incoming markings, classify to default priority. | Untrusted user ports.
qos trust cos   | Use 802.1p CoS bits in VLAN tag.                                 | L2 trunks, AP uplinks.
qos trust dscp  | Use DSCP bits in IP header.                                      | L3 boundaries, IP-phone uplinks.
The default of trust none is a common gotcha. A new Aruba CX deployment with IP phones will not honor DSCP 46 markings until you set qos trust dscp on the access port. Without trust, voice rides the default queue alongside YouTube.
DSCP / CoS to queue mapping

DSCP | Name | CoS | Queue      | Traffic
-----|------|-----|------------|-------------------
46   | EF   | 5   | 7 (strict) | Voice (RTP)
34   | AF41 | 4   | 6          | Interactive video
26   | AF31 | 3   | 5          | SIP / signaling
0    | BE   | 0   | 2          | Default Internet
8    | CS1  | 1   | 1          | Scavenger
Scheduling - strict vs DWRR
Strict priority - queue is always served first while it has packets. Cap with shaping or it will starve other queues.
DWRR (Deficit Weighted Round Robin) - queues served in proportion to weights when congested.
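The following model is an added illustration of the pipeline just described, not AOS-CX code: the interface trust mode decides whether a packet's markings are honoured, the DSCP/CoS table from this page picks the internal queue, and a scheduler serves queue 7 strictly before the DWRR queues. It assumes that untrusted traffic lands in the BE queue (queue 2 in the table) and uses abstract packet-size units rather than bytes.

```python
"""Model of the AOS-CX QoS pipeline from 8.1: trust mode -> DSCP/CoS lookup -> queue,
then strict-priority plus DWRR scheduling. Added illustration, not AOS-CX code."""
from collections import deque

# DSCP -> (name, CoS, queue), taken from the mapping table on this page
DSCP_TABLE = {46: ("EF", 5, 7), 34: ("AF41", 4, 6), 26: ("AF31", 3, 5),
              0: ("BE", 0, 2), 8: ("CS1", 1, 1)}
COS_TO_QUEUE = {cos: queue for (_, cos, queue) in DSCP_TABLE.values()}
DEFAULT_QUEUE = 2   # BE / "Default Internet" queue; assumed landing queue for untrusted traffic
STRICT_QUEUE = 7


def classify(pkt, trust):
    """Return the internal queue for one packet under the interface's trust mode."""
    if trust == "none":                       # AOS-CX default: incoming markings ignored
        return DEFAULT_QUEUE
    if trust == "dscp":
        return DSCP_TABLE.get(pkt.get("dscp"), (None, None, DEFAULT_QUEUE))[2]
    if trust == "cos":
        return COS_TO_QUEUE.get(pkt.get("cos"), DEFAULT_QUEUE)
    raise ValueError(f"unknown trust mode {trust!r}")


def schedule(backlog, weights, rounds, link_units=10, strict_cap=None):
    """Serve `rounds` scheduling rounds of `link_units` each.

    backlog: {queue: deque of packet sizes}; weights: DWRR quantum per non-strict queue;
    strict_cap: optional shaper on queue 7 in units per round (None = unshaped).
    Returns units served per queue."""
    served = {q: 0 for q in backlog}
    deficit = {q: 0 for q in weights}
    for _ in range(rounds):
        budget = link_units
        # Strict queue first: everything it holds, up to the shaper cap
        cap = budget if strict_cap is None else min(budget, strict_cap)
        strict = backlog.get(STRICT_QUEUE, deque())
        while strict and strict[0] <= cap:
            size = strict.popleft()
            served[STRICT_QUEUE] += size
            cap -= size
            budget -= size
        # DWRR for the rest: each active queue earns its weight and spends it on whole packets
        for q, weight in weights.items():
            queue = backlog.get(q, deque())
            if not queue:
                continue                      # idle queues do not bank credit
            deficit[q] += weight
            while queue and queue[0] <= deficit[q] and queue[0] <= budget:
                size = queue.popleft()
                deficit[q] -= size
                budget -= size
                served[q] += size
    return served


def starvation_demo(strict_cap):
    """Constructed load: 100 voice units in queue 7 plus 50 units each in queues 2 and 1,
    scheduled for five rounds of 10 units with DWRR weights 3:1."""
    backlog = {STRICT_QUEUE: deque([1] * 100), 2: deque([1] * 50), 1: deque([1] * 50)}
    return schedule(backlog, weights={2: 3, 1: 1}, rounds=5, strict_cap=strict_cap)
```

Running `starvation_demo(None)` shows the strict queue consuming every slot while queues 2 and 1 serve nothing; `starvation_demo(4)` caps voice at 4 units per round and the DWRR queues share the remainder in their 3:1 ratio. `classify({"dscp": 46}, "none")` returns the default queue, which is the trust-none gotcha in code.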
QoS Key Points
Default trust mode is none - phone DSCP is silently dropped until you change it.
Queue 7 is strict-priority for voice; queue 0 is scavenger.
Per-interface trust overrides global trust.
The single most useful op command: show interface 1/1/10 queues for per-queue drop counters.
8.2 IGMP and Multicast Snooping
Layer 2 switches treat multicast like broadcast - flood every port in the VLAN. A single 50 Mb video multicast that one host subscribes to floods every other host on the VLAN. IGMP snooping is the fix: the switch listens to IGMP Membership Reports, Leaves, and Queries, and dynamically forwards each multicast group only to subscribed ports plus the multicast router port.
Version | Notes
--------|----------------------------------------------------------------------
IGMPv2  | RFC 2236. Adds explicit Leave messages and Group-Specific Queries.
IGMPv3  | RFC 3376. Adds source-specific multicast (SSM). Default on AOS-CX.
Every snooping VLAN needs a querier - a device that periodically sends IGMP General Queries so that hosts respond with Membership Reports. In a routed multicast network, the PIM router is automatic. In a flat L2 network, you must enable a snooping querier on the SVI.
Enabling IGMP snooping
IGMP snooping is disabled by default. Default version when enabled is v3.
# Global - simplest
switch(config)# ip igmp snooping all-vlans
# Per-VLAN
switch(config)# vlan 10
switch(config-vlan-10)# ip igmp snooping enable
switch(config-vlan-10)# ip igmp snooping version 2 # only if v2 hosts present
Snooping querier on the SVI
switch(config)# interface vlan 10
switch(config-if-vlan)# ip address 10.10.10.1/24
switch(config-if-vlan)# ip igmp snooping querier
If two queriers exist, IGMP elects the lowest IP as active.
Static mrouter port
switch(config)# vlan 10
switch(config-vlan-10)# ip igmp snooping mrouter interface 1/1/24
Verification commands

Command                          | Shows
---------------------------------|---------------------------------------
show ip igmp snooping            | Global and per-VLAN snooping status
show ip igmp snooping vlan 10    | Detail for one VLAN
show ip igmp snooping groups     | Currently joined groups, member ports
show ip igmp snooping mrouter    | Learned and static mrouter ports
IGMP Snooping Key Points
Snooping is OFF by default - multicast floods until enabled.
Default version: IGMPv3.
ip igmp snooping all-vlans overrides per-VLAN config (you can still tweak version).
Every snooping VLAN needs a querier - PIM router or ip igmp snooping querier on the SVI.
mrouter ports are auto-detected; static mrouter useful for monitoring/analytics.
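The simulation below is an added example, not AOS-CX code, that models the snooping behaviour described in this section for one VLAN: Membership Reports add a port to a group, a General Query marks its ingress port as a dynamic mrouter port, frames to a known group go only to member ports plus mrouter ports, and without a querier the memberships age out after the RFC 2236 Group Membership Interval. The querier election helper compares addresses numerically, as the lowest-IP rule requires. Port names, the group address and the assumption that an unknown group is flooded to the whole VLAN are constructed for the example.

```python
"""Simulated IGMP snooping table for one VLAN. Added illustration of 8.2, not AOS-CX code."""
from ipaddress import IPv4Address

QUERY_INTERVAL = 125                       # seconds between General Queries (RFC 2236 default)
MAX_RESPONSE_TIME = 10
GROUP_MEMBERSHIP_INTERVAL = 2 * QUERY_INTERVAL + MAX_RESPONSE_TIME   # 260 s


class SnoopingVlan:
    def __init__(self, ports, mrouter_ports=()):
        self.ports = set(ports)
        self.mrouter_ports = set(mrouter_ports)   # static entries, like the mrouter CLI above
        self.groups = {}                          # group -> {member port: expiry time}
        self.now = 0                              # logical clock, seconds

    def report(self, group, port):
        """Membership Report: (re)start the port's membership timer for that group."""
        self.groups.setdefault(group, {})[port] = self.now + GROUP_MEMBERSHIP_INTERVAL

    def leave(self, group, port):
        """Leave Group: prune at once (fast-leave simplification; a real switch would
        send a Group-Specific Query first)."""
        members = self.groups.get(group, {})
        members.pop(port, None)
        if not members:
            self.groups.pop(group, None)

    def general_query(self, port):
        """A General Query arriving on a port marks it as a dynamic mrouter port."""
        self.mrouter_ports.add(port)

    def advance(self, seconds):
        """Move the clock and age out memberships that no Report refreshed."""
        self.now += seconds
        for group in list(self.groups):
            live = {p: t for p, t in self.groups[group].items() if t > self.now}
            if live:
                self.groups[group] = live
            else:
                del self.groups[group]

    def egress(self, group, ingress):
        """Ports that receive a frame to `group`: members plus mrouter ports, or the whole
        VLAN when the group is unknown (flooding assumed here for unknown groups)."""
        if group in self.groups:
            out = set(self.groups[group]) | self.mrouter_ports
        else:
            out = set(self.ports)
        return sorted(out - {ingress})


def elect_querier(querier_ips):
    """Lowest IP wins the querier election; compare numerically, never as strings."""
    return str(min(IPv4Address(ip) for ip in querier_ips))


def subscription_survives(with_querier, seconds=600):
    """Constructed scenario: one subscriber on 1/1/1 for 239.1.1.1, uplink 1/1/24 as static
    mrouter port. Returns (entry still present?, ports receiving the group from the uplink)."""
    vlan = SnoopingVlan(ports=["1/1/1", "1/1/2", "1/1/3", "1/1/24"], mrouter_ports=["1/1/24"])
    vlan.report("239.1.1.1", "1/1/1")
    for _ in range(seconds // QUERY_INTERVAL):
        vlan.advance(QUERY_INTERVAL)
        if with_querier:
            vlan.report("239.1.1.1", "1/1/1")   # the host answers each General Query
    vlan.advance(seconds % QUERY_INTERVAL)
    return "239.1.1.1" in vlan.groups, vlan.egress("239.1.1.1", ingress="1/1/24")
```

`subscription_survives(True)` keeps the entry alive and delivers the group to 1/1/1 only; `subscription_survives(False)` loses the entry after 260 seconds, after which every port in the VLAN receives the stream again, which is exactly the flooding that snooping was enabled to prevent.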
8.3 DHCP Services - Relay and Snooping
DHCP comes in two flavors on a campus switch:
DHCP relay - lets clients reach a DHCP server on a different subnet. Without it, DHCPDISCOVER broadcasts die at the SVI.
DHCP snooping - security feature that blocks rogue DHCP servers and builds the binding database for DAI/IPSG.
Both can - and usually should - coexist on the same access switch.
Routers do not forward broadcasts. The SVI catches the DHCPDISCOVER and relays it as a unicast to the server, setting the giaddr field so the server picks the right scope.
switch(config)# interface vlan 10
switch(config-if-vlan)# ip address 10.10.10.1/24
switch(config-if-vlan)# ip helper-address 10.50.50.10
switch(config-if-vlan)# ip helper-address 10.50.50.11 # redundancy
DHCP snooping - blocking rogue servers
All ports are untrusted by default. On an untrusted port, the switch drops server-side messages (OFFER, ACK, NAK), so a rogue server plugged into an access port cannot hand out leases, while client messages (DISCOVER, REQUEST) are forwarded and used to build the binding database.
Forgetting trust on the uplink is a common mistake - clients then fail to get addresses because the legitimate OFFER is dropped along with the rogue ones.
The binding database

Field       | Description
------------|-------------------------------
MAC address | Client hardware address
IP address  | Address leased by the server
VLAN        | VLAN ID of the lease
Interface   | Ingress port of the client
Lease time  | When the binding expires
This binding database is the foundation for both Dynamic ARP Inspection and IP Source Guard.
Option 82
Relay or snooping switches can insert Option 82 (Relay Agent Information) so the upstream server can identify the originating port/switch. Useful for assigning IPs from specific scopes per port, logging which port leased an address, or rejecting requests without expected relay info.
DHCP Key Points
Relay = ip helper-address on SVI; converts DHCP broadcast to unicast.
Snooping is the security cousin - all ports untrusted by default.
Trust the uplink (dhcpv4-snooping trust); never trust access ports.
Rogue OFFER/ACK/NAK on untrusted ports is dropped - rogue server defense.
Binding DB feeds DAI and IPSG.
8.4 Layer 2 Threat Mitigation
Once the DHCP snooping binding database exists, two more security features can use it as their truth source. Add loop protect and storm control and you have a five-feature L2 hardening stack that should be standard on every access port.
Threat                              | What attacker does                            | Mitigation
------------------------------------|-----------------------------------------------|------------------------
Rogue DHCP server                   | Plug in laptop running dnsmasq                | DHCP snooping
ARP spoofing / MITM                 | Send unsolicited ARP claiming to be gateway   | Dynamic ARP Inspection
IP spoofing                         | Forge source IP from compromised host         | IP Source Guard
L2 loop                             | Bridge ports outside STP domain               | Loop protect
Bcast/mcast/unknown-unicast storm   | Flood from chatty/malicious device            | Storm control
Dynamic ARP Inspection (DAI)
DAI inspects every ARP on untrusted ports and verifies the sender's IP/MAC/port against the snooping binding DB. If it doesn't match, drop. DAI requires DHCP snooping - without the binding DB it has nothing to validate against.
sequenceDiagram
participant H as Host (untrusted port 1/1/5)
participant SW as Switch (DAI VLAN 10)
participant DB as DHCP Snooping Binding DB
participant GW as Gateway / Target
H->>SW: ARP packet (sender MAC/IP, port)
SW->>DB: Lookup {MAC, IP, VLAN, port}
alt Tuple matches binding
DB-->>SW: Match
SW->>GW: Forward ARP
else Tuple absent or mismatched
DB-->>SW: No match
SW--xH: Drop ARP, increment violation counter
end
Note over SW,DB: Trusted uplink ports bypass this check entirely
Static-IP gotcha: in a server VLAN with statically addressed servers, DAI black-holes them unless you add manual ip source-binding entries. This is the single biggest deployment mistake.
IP Source Guard / IP Source Lockdown
IPSG filters IP traffic on access ports against the binding table. Only traffic whose {MAC, IP, VLAN, port} tuple matches a binding is forwarded. Like DAI, it depends on DHCP snooping and breaks for static-IP hosts without manual bindings.
switch(config)# ip source-binding 00:11:22:33:44:55 vlan 10 ipv4 10.10.10.50 interface 1/1/5
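The model below is an added example, not AOS-CX code, covering both the DHCP snooping section (8.3) and the DAI/IPSG description above: server messages are dropped on untrusted ports, a completed DISCOVER/REQUEST/ACK exchange creates a binding keyed on the client's MAC and VLAN, DAI and IPSG then accept only traffic whose {MAC, IP, VLAN, port} tuple matches a binding, trusted ports bypass both checks, and `add_static_binding` plays the role of the `ip source-binding` command for a statically addressed server. Port names, MAC addresses, IP addresses and lease times are constructed; the pending-request tracking and the RELEASE check are this model's own simplifications.

```python
"""Simulated access switch: DHCP snooping builds the binding database, DAI and IPSG consult it.
Added example for 8.3 and 8.4, not AOS-CX code. All identifiers are constructed."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # legitimate only on trusted (uplink) ports


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int          # seconds; 0 marks a static ip source-binding entry


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port seen in DISCOVER/REQUEST
    log: list = field(default_factory=list)
    dai_violations: int = 0

    def dhcp(self, msg, port, vlan, client_mac, ip=None, lease=0):
        """DHCP snooping for one message; returns True if forwarded. `client_mac` is chaddr."""
        if msg in SERVER_MSGS:
            if port not in self.trusted_ports:
                self.log.append(f"snooping: drop {msg} on untrusted {port}")   # rogue-server defence
                return False
            if msg == "ACK" and (client_mac, vlan) in self.pending:
                client_port = self.pending.pop((client_mac, vlan))
                self.bindings[(client_mac, vlan)] = Binding(client_mac, ip, vlan, client_port, lease)
            return True
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(client_mac, vlan)] = port   # remember which port the client is on
            return True
        if msg == "RELEASE":
            b = self.bindings.get((client_mac, vlan))
            if b is not None and b.port == port:      # a lease may only be released from its own port
                del self.bindings[(client_mac, vlan)]
                return True
            self.log.append(f"snooping: drop {msg} on {port}, no matching binding")
            return False
        return True   # DECLINE / INFORM: forwarded, table unchanged

    def add_static_binding(self, mac, vlan, ip, port):
        """Manual entry, the role of: ip source-binding <mac> vlan <vlan> ipv4 <ip> interface <port>."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port, lease=0)

    def _bound(self, mac, ip, vlan, port):
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: trusted ports bypass; elsewhere the sender tuple must match a binding."""
        if port in self.trusted_ports or self._bound(sender_mac, sender_ip, vlan, port):
            return True
        self.dai_violations += 1
        self.log.append(f"DAI: drop ARP {sender_ip} {sender_mac} on {port}")
        return False

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IPSG: the same tuple check applied to IP traffic on access ports."""
        if port in self.trusted_ports or self._bound(src_mac, src_ip, vlan, port):
            return True
        self.log.append(f"IPSG: drop {src_ip} from {src_mac} on {port}")
        return False


def demo():
    """Walk through the scenarios described in the text; returns a dict of outcomes."""
    sw = Switch(trusted_ports={"1/1/24"})       # uplink toward the real DHCP server
    out = {}
    client = "00:11:22:33:44:55"
    sw.dhcp("DISCOVER", "1/1/5", 10, client)
    out["rogue_offer_forwarded"] = sw.dhcp("OFFER", "1/1/9", 10, client, ip="10.10.10.200")
    sw.dhcp("OFFER", "1/1/24", 10, client, ip="10.10.10.50")
    sw.dhcp("REQUEST", "1/1/5", 10, client, ip="10.10.10.50")
    sw.dhcp("ACK", "1/1/24", 10, client, ip="10.10.10.50", lease=86400)
    out["binding_learned"] = (client, 10) in sw.bindings
    out["dai_legit"] = sw.arp("1/1/5", 10, client, "10.10.10.50")
    out["dai_gateway_claim"] = sw.arp("1/1/5", 10, client, "10.10.10.1")   # gateway-spoof ARP
    out["ipsg_spoofed_src"] = sw.ip_packet("1/1/5", 10, client, "10.10.10.99")
    server = "aa:bb:cc:dd:ee:01"                # statically addressed server on 1/1/7
    out["static_before_binding"] = sw.arp("1/1/7", 10, server, "10.10.10.80")
    sw.add_static_binding(server, 10, "10.10.10.80", "1/1/7")
    out["static_after_binding"] = sw.arp("1/1/7", 10, server, "10.10.10.80")
    forgot_trust = Switch()                     # uplink left untrusted by mistake
    forgot_trust.dhcp("DISCOVER", "1/1/5", 10, "00:11:22:33:44:66")
    out["ack_on_untrusted_uplink"] = forgot_trust.dhcp("ACK", "1/1/24", 10, "00:11:22:33:44:66",
                                                       ip="10.10.10.51")
    out["dai_violations"] = sw.dai_violations
    return out
```

`demo()` reproduces the three deployment points made in the text: the rogue OFFER on 1/1/9 is dropped while the legitimate exchange through the trusted uplink forms a binding; the static server on 1/1/7 is black-holed by DAI until its manual binding exists; and on the switch whose uplink was never trusted, the legitimate ACK is dropped, so no binding is ever formed and the client never gets an address.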
Loop protect
STP can miss inadvertently bridged ports (a user looping a patch cable into a wall jack, a rogue mini-switch). Loop protect transmits a loop-detect frame and shuts the port if it returns.