DHCP Snooping Lab

Packet Tracer

Before we get started with this lab I want to let you know about Packet Tracer. Packet Tracer is a great piece of software from Cisco, and I'm running the latest version of it, which is version 7.0. It can be limited in some areas, but we can run a lot of the labs that are needed for the CCNA level exam with it. For labs that are more complex you can use GNS3, or if you have access to real equipment in your workplace you can set up a nice little lab with some real gear. And then there is of course rack rental if you want to use real equipment but don't have the budget to spend on second-hand gear.

You can download Packet Tracer from https://www.netacad.com/: simply set up a free account and download the version for the operating system you are using. In my case I have it running on a Linux machine.

DHCP Snooping Lab

Objective:

  • Set up a router as a DHCP server
  • Set the default gateway to 192.168.1.1/24
  • Exclude the following IP address range from DHCP: 192.168.1.1 – 192.168.1.10
  • Connect the router to a switch
  • Connect 3 hosts (PCs) to the switch and set them up to request IP addresses via DHCP
  • Configure the switch with DHCP snooping
  • Configure the interface connected to the router as a trusted port

When you first start Packet Tracer you’ll get the following screen:

PT_Startscreen

On the bottom you have a list of icons for different devices. Here you select the devices and drag them onto the main window.

networkdiagram

This is what the lab should look like.

Let's configure the router first. Click on the router and select the CLI tab. Note that I have already configured interface Fa0/0 with the IP address 192.168.1.1 and did a no shutdown on the port to bring it up.

Setting up the router as a DHCP Server:

Router#config t
Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
Router(config)#ip dhcp pool MRROBOT
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#end
Router#

Screenshot-Router1

Now that the router is set up to hand out IP addresses from the 192.168.1.0/24 network, let's configure the PCs to request IP addresses from the router using DHCP.

First click on PC-0 and select the Config tab. Select DHCP (the default is Static); the PC will now send a broadcast DHCP Discover message onto the local LAN to request an IP address.

PC Configuration

Here we can see that the router gave it 192.168.1.11, which is the first IP address it is allowed to give out from its pool. Remember we excluded addresses 192.168.1.1 to 192.168.1.10 in the router configuration. Repeat this for each PC you have connected to the switch.

PCipconfig

The next step is to enable DHCP snooping on the switch so that rogue DHCP servers cannot operate successfully on the network. Enter the following commands.

Switch#config t
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#end

SwtichDHCPSnopp

Let's test to see if this has worked. You might have noticed I haven't yet configured any ports on the switch as trusted ports. I'll release the IP address that is on PC-0 and request a new one. It should fail. And what do you know, it did.

PCDHCPFail

Let's fix this so that the switch port connected to the router is a trusted port, which will then allow all DHCP messages through. Can you remember what they are? Remember our friend called DORA?

The router is attached to Fa0/4 on the switch. Let's make it a trusted port.

Switch#config t
Switch(config)#int fa0/4
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#end

SwitchTrustportconf

Time to test it out to see if it was successful.

PCDHCPSucc

I did an ipconfig /release followed by ipconfig /renew and we are back in business. The PC is getting an IP address again via DHCP.

And to finish off the lab, some show commands.

  • show ip dhcp snooping binding
  • show ip dhcp snooping

Switch#show ip dhcp snooping binding
Switch#show ip dhcp snooping

showcommands

These are useful commands to check the bindings of MAC addresses to IP addresses and which VLAN and interface they are on.

In the output of the second command you can see which interfaces are trusted and which are not.
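As an added illustration (not part of the original post, and not Cisco code), here is a small Python model of the decision the switch makes once snooping is on: the server-side messages (Offer, Ack, Nak) are dropped unless they arrive on a trusted port, and a binding table entry is recorded when an Ack completes a client's Discover/Request on an untrusted port. Port names, the MAC address and the lease are constructed values, and the check that a Release must come from the port holding the lease goes slightly beyond what the lab shows.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # server-side messages: legitimate only from a trusted port

@dataclass
class DhcpMsg:
    kind: str            # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE / DECLINE
    in_port: str         # switch port the frame arrived on
    client_mac: str      # chaddr of the DHCP client
    client_ip: str = ""  # yiaddr carried in OFFER/ACK
    vlan: int = 1

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # ports given 'ip dhcp snooping trust'
    pending: dict = field(default_factory=dict)   # mac -> (port, vlan) awaiting an ACK
    bindings: dict = field(default_factory=dict)  # mac -> (ip, vlan, port): the binding table

    def handle(self, msg: DhcpMsg) -> str:
        """Return 'forward' or 'drop' and keep the binding table in step."""
        untrusted = msg.in_port not in self.trusted
        if msg.kind in SERVER_MSGS:
            if untrusted:          # rogue server, or the router port before it is trusted
                return "drop"
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                port, vlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = (msg.client_ip, vlan, port)
            return "forward"
        if msg.kind in ("DISCOVER", "REQUEST"):
            if untrusted:          # bindings are only built for clients on untrusted ports
                self.pending[msg.client_mac] = (msg.in_port, msg.vlan)
            return "forward"
        if msg.kind in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(msg.client_mac)
            if bound and bound[2] != msg.in_port:
                return "drop"      # a lease can only be released from the port that holds it
            self.bindings.pop(msg.client_mac, None)
            return "forward"
        raise ValueError(f"unknown DHCP message type {msg.kind!r}")

def lab_walkthrough():
    """Replay the lab: PC-0 on Fa0/1, router on Fa0/4 (MAC and lease are constructed)."""
    sw = SnoopingSwitch()
    pc, rtr, mac, ip = "FastEthernet0/1", "FastEthernet0/4", "0001.4242.0001", "192.168.1.11"
    before = [sw.handle(DhcpMsg("DISCOVER", pc, mac)), sw.handle(DhcpMsg("OFFER", rtr, mac, ip))]
    sw.trusted.add(rtr)    # Switch(config-if)#ip dhcp snooping trust on Fa0/4
    after = [sw.handle(DhcpMsg(k, p, mac, ip))
             for k, p in (("DISCOVER", pc), ("OFFER", rtr), ("REQUEST", pc), ("ACK", rtr))]
    return before, after, dict(sw.bindings)
```

Calling lab_walkthrough() shows the Offer from the router being dropped while Fa0/4 is untrusted, then the full DORA exchange succeeding and PC-0's lease appearing in the binding table, matching what the show commands above display.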

Any questions let me know in the comments.
