Category: Labs

Clientless SSL VPN Lab

In this post I’m going to set up a Clientless SSL VPN via the ASDM GUI and then connect to it from the TinyCore Linux PC, all within GNS3.

Topology:

LAB_SSL_CL

I’m using the topology above. The nodes I’m using are the ASA, with the ASDM connected via the cloud from my local PC. If you want to know how to set the ASA up with access via the ASDM, check out one of my other posts: How-To: ASA in GNS3 with ASDM

I’ll also be using R4 and the Remote Worker PC, which is running TinyCore Linux, to test the Clientless SSL VPN.

Configure the Clientless SSL VPN on the ASAv via the ASDM GUI

ASDMmainscreen

When you log into the ASDM GUI you’ll get the main screen above. Click on Wizards > VPN Wizards > Clientless SSL VPN Wizard…

ASDM_Wizard

The Clientless SSL VPN Wizard window will pop up; click on Next and you’ll get the following window.

Step2_SSL

Here you need to give your Clientless SSL VPN a Connection Profile Name; I’ve named this one SSL_Remote_Access. I’ve also selected the interface that the SSL VPN will be reached on, which is the Outside interface (Internet). I don’t have my own digital certificate so I’m leaving the Certificate set to None; because of this the ASA will present a self-signed certificate. I’ve also given the connection an Alias of SSL. Click on Next.

step3_auth.png

The next step is to configure User Authentication. You’ll have the choice to use an AAA server (which I don’t have) or the local user database, which I’ve selected. Select Authenticate using the local user database and add a new user; here I’m adding Homer. Once added, click on Next.

Step4_GroupPol

The next step is to set up a group policy or select an existing one. Here I’ve set up a new policy called Remote_Users; this policy will inherit the DfltGrpPolicy attributes, which I can change later if I need to. Click on Next.

Step5_Bookmark

In the next step you can configure a list of bookmarks that the remote users will be able to click on to access resources on the Corp LAN. Click on Manage > Add.

Here you give the bookmark a name, like EMAIL. Click on Add.

Step5_BM2

You need to configure the IP address of the EMAIL server. I don’t have an email server in my lab, but the bookmark should still appear once I connect to the Clientless SSL VPN (hopefully).

step6_finish.png

That is it. You’ll get a summary page; click on Finish to send the config to the ASA.
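For reference, this is roughly the CLI that the wizard steps above push to the ASA. It is an added example, not configuration taken from the post: the names (SSL_Remote_Access, Remote_Users, Homer, alias SSL, interface outside) come from the post, the password is a constructed placeholder, and the EMAIL bookmark list is left out because bookmark lists are XML objects imported through ASDM rather than typed at the CLI.

```cisco
! Added example: CLI equivalent of the Clientless SSL VPN wizard settings.
ASA(config)#webvpn
! Listen for clientless SSL VPN connections on the Internet-facing interface
! and show the connection alias drop-down on the login page.
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#tunnel-group-list enable
ASA(config-webvpn)#exit
! Group policy: inherits DfltGrpPolicy, restricted to clientless SSL only.
ASA(config)#group-policy Remote_Users internal
ASA(config)#group-policy Remote_Users attributes
ASA(config-group-policy)#vpn-tunnel-protocol ssl-clientless
ASA(config-group-policy)#exit
! Local user from the wizard's authentication step (password is a placeholder).
! service-type remote-access keeps Homer out of the ASA's management plane.
ASA(config)#username Homer password D0nutsRul3 privilege 0
ASA(config)#username Homer attributes
ASA(config-username)#vpn-group-policy Remote_Users
ASA(config-username)#service-type remote-access
ASA(config-username)#exit
! Connection profile (tunnel-group): LOCAL authentication, alias "SSL".
ASA(config)#tunnel-group SSL_Remote_Access type remote-access
ASA(config)#tunnel-group SSL_Remote_Access general-attributes
ASA(config-tunnel-general)#authentication-server-group LOCAL
ASA(config-tunnel-general)#default-group-policy Remote_Users
ASA(config-tunnel-general)#exit
ASA(config)#tunnel-group SSL_Remote_Access webvpn-attributes
ASA(config-tunnel-webvpn)#group-alias SSL enable
ASA(config-tunnel-webvpn)#end
! Verify who is connected once Homer logs in from the TinyCore PC.
ASA#show vpn-sessiondb webvpn
```

Because Certificate was left at None, the ASA presents its self-signed certificate, which is why Firefox warns later in the post; binding a CA-signed certificate to the interface with ssl trust-point <trustpoint> outside is what removes that warning.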

With the ASA configured, the next step is to configure R4 in my topology. I’ll have to give Gi0/1 an IP address (200.0.0.1/24) and also a default route to send all traffic to the ASA using the command “ip route 0.0.0.0 0.0.0.0 136.1.47.1”, as shown below.

R4

Next, configure the TinyCore Linux PC with an IP address in the same range as Gi0/1. I’ll use 200.0.0.2 and set the default gateway to 200.0.0.1.

tinylinux

To configure an IP address on the Linux PC click on Control Panel > Network.

Set the IP address and the Gateway and click on Apply.

It is always good practice to test connectivity: open a Terminal window on the Linux PC and ping the gateway at 200.0.0.1.

pingR4

Now, using the built-in Firefox browser on the Linux PC, it is time to test the Clientless SSL VPN and see if we can connect to the Corp LAN. In the address bar enter the URL configured earlier, which is: https://136.1.47.1/SSL

SSLConnection

Looks good. Because this is a self-signed certificate from the ASA, the Firefox browser gives you a warning not to trust the site. Click on I Understand the Risks to continue. Once you accept the risk you will get the following login page.

SSL VPN Login

Enter the username and password, in my case Homer.

LoggedIn

Success!! I have logged in and, as you can see, the EMAIL bookmark I configured during the Clientless SSL VPN setup is there.

I hope you found this useful, get labbing and try it out for yourself.

Feedback always welcomed.

Zone-Based Firewall Lab

So you can’t afford a nice shiny ASA firewall? Ah well, no firewall for me then. Not true: you can use a Cisco Router with the correct license as a Zone-Based Firewall. YAY.

zonebaseFw

This is the topology I’ll be using in this lab. The goal is to allow ICMP and HTTP traffic from the LAN Router out to the Internet Router but drop Telnet traffic.

I’ve set up the Internet Router to allow Telnet connections via the vty lines. Also, I am running EIGRP as the routing protocol between the routers.

First let’s show telnet working from the LAN Router to the Internet Router.

pingIntrouter

Success! I can log into it. And while I’m at it, let me show HTTP working. For this I enabled the Internet Router as an HTTP server using the following command: #ip http server

httpconnect

Now it’s time to configure the Zone-Based Firewall.

Step 1: Create two zones, INSIDE and OUTSIDE. You can call these TRUSTED and UNTRUSTED if you like; it doesn’t really matter what you call them as long as it’s meaningful.

Step1

Step 2: Create a class-map to match protocols you want to allow.

Step2

You must use the “type inspect” keyword when configuring the class-map, otherwise it would be a normal class-map used for QoS, for example. The match-any keyword is also important: match-any is equal to an OR, as in match HTTP OR ICMP. If you used match-all, this is equal to an AND, as in match HTTP AND ICMP, and action is only taken if both match.

Step 3: Create a policy-map and reference the class-map in it. The policy-map will either drop (block) the traffic, pass it (allow the traffic, not stateful) or inspect it (allow the traffic and keep track of it in the stateful table).

Step3

Step 4: Create a zone-pair and attach the service-policy to it. The zone-pair tells the ZBFW in which direction to apply the policy; if you remember, in Step 1 we created two different zones called INSIDE and OUTSIDE. The service-policy references the policy-map from Step 3.

The zone-pair command got truncated so here it is in full:

ZBFW(config)#zone-pair security ALLOW_HTTP_ICMP source INSIDE destination OUTSIDE

Step4

Step 5: Now it is time to assign the two zones to the interfaces. The reason I left this until last is that as soon as you apply a zone to an interface it will start blocking all traffic between the two zones until you have configured Steps 2 to 4.

Step5
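The five steps above in one place, as an added example rather than the post’s own configuration (which is in the screenshots). The zone and zone-pair names are the post’s; the class-map and policy-map names and the interface numbers are assumed.

```cisco
! Step 1: zones. Names are labels only; the zone-pair decides the direction.
ZBFW(config)#zone security INSIDE
ZBFW(config)#zone security OUTSIDE
! Step 2: "type inspect" makes this a firewall class-map, not a QoS one;
! match-any means http OR icmp is enough to match.
ZBFW(config)#class-map type inspect match-any HTTP_ICMP
ZBFW(config-cmap)#match protocol http
ZBFW(config-cmap)#match protocol icmp
ZBFW(config-cmap)#exit
! Step 3: inspect = allow and track statefully so the replies get back in.
! Anything else (Telnet included) falls into class-default and is dropped;
! "log" gives a syslog line per drop, which is what the test later relies on.
ZBFW(config)#policy-map type inspect IN_TO_OUT
ZBFW(config-pmap)#class type inspect HTTP_ICMP
ZBFW(config-pmap-c)#inspect
ZBFW(config-pmap-c)#exit
ZBFW(config-pmap)#class class-default
ZBFW(config-pmap-c)#drop log
ZBFW(config-pmap-c)#exit
ZBFW(config-pmap)#exit
! Step 4: the zone-pair is INSIDE -> OUTSIDE only; the policy-map is attached here.
ZBFW(config)#zone-pair security ALLOW_HTTP_ICMP source INSIDE destination OUTSIDE
ZBFW(config-sec-zone-pair)#service-policy type inspect IN_TO_OUT
ZBFW(config-sec-zone-pair)#exit
! Step 5 last: zone membership starts dropping inter-zone traffic immediately.
! Interface numbers are assumed for the example.
ZBFW(config)#interface GigabitEthernet0/0
ZBFW(config-if)#zone-member security INSIDE
ZBFW(config-if)#exit
ZBFW(config)#interface GigabitEthernet0/1
ZBFW(config-if)#zone-member security OUTSIDE
ZBFW(config-if)#end
! Verification: open sessions, and per-class hit counters for the zone-pair.
ZBFW#show policy-firewall session
ZBFW#show policy-map type inspect zone-pair ALLOW_HTTP_ICMP
```

Traffic to and from the router itself (the EIGRP adjacency, for instance) belongs to the built-in self zone and is not covered by this zone-pair, which is why routing keeps working after Step 5.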

That should do it. Now let’s test it and see if it is working.

First I’ll try to telnet to the Internet Router this should fail.

confirm

As you can see from the output, the firewall is configured correctly. It isn’t allowing Telnet traffic anymore, but it is allowing HTTP and also ICMP pings.

zbfwoutput

Check the zone-based firewall using the command #show policy-firewall session. Here we can see the HTTP session allowed from the LAN Router (INSIDE) to the Internet Router (OUTSIDE) on port 80, and also the ICMP session.

Hope you found this useful.

 

ASA Lab with ASDM

asav-lab2

It has been too long since my last post. I’ve been very busy at work and also studying away towards CCNA Security. I just wanted to show what my latest topology looks like; I will be using it to study with, doing as many labs as possible. Hopefully this will grow over time.

The topology has full access to the Internet, which is great.

And the most important piece is that I have the ASDM running from the browser on my PC 🙂 as you can see below.

asdm

This is a big deal as I will be able to configure the ASA from the ASDM and practice using it as much as possible.

I will probably add a zone-based firewall router to the topology at some stage as well. The switches are vIOS switches, which will allow me to do Port Security, DHCP Snooping etc.

If you have any questions on the setup let me know.

Note: The lab has been built using GNS3 version 2.0b3

 

 

IPSec Site-to-Site VPN

 

In this post, I will show you how to set up a site-to-site VPN using IPSec. I read up on IPSec and its two tunnels, IKE Phase 1 (management) and IKE Phase 2 (data), and thought the best way to understand this was to create a lab.

Lab Topology

screenshot

Above is the lab that I set up. A few things to know.

I am using BGP between R1-R2-R3. R1 is Site1 and R3 is Site2. R2 is the Internet. I’m not going to go through setting up the eBGP peerings, but the main thing once configured is that you can ping from Site1’s public IP address to Site2’s public IP address. If you would like the configuration files for the basic setup including eBGP, let me know and I will share them with you.

Lab Objectives:

  1. Set up the IKE Phase 1 tunnel using the following parameters:
  • Hashing = SHA
  • Authentication = pre-shared key
  • DH Group = 5
  • Lifetime = default
  • Encryption = AES-128

  2. Set up the IKE Phase 2 tunnel using the following parameters:
  • Create a transform set using esp-des and esp-md5-hmac
  • Create a crypto map with the peer address, referencing the transform set and access-list
  • Create an access-list to identify the interesting traffic to encrypt using the IPSec tunnel

Lab Configuration

With connectivity already in place, we should be able to ping each site’s public IP address across the Internet.

Site 1:

Site1#ping 96.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Site 2:

Site2#ping 86.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 86.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms

Also, we should try to ping each LAN PC. This is to show that at the moment we have no way of reaching each site’s LAN, but once we set up IPSec our data will be encapsulated and encrypted using the public addresses.

PC1 (Site 1)

No dice as expected!

PC1> ping 196.168.1.2
196.168.1.2 icmp_seq=1 timeout
196.168.1.2 icmp_seq=2 timeout
196.168.1.2 icmp_seq=3 timeout
196.168.1.2 icmp_seq=4 timeout
196.168.1.2 icmp_seq=5 timeout

PC2 (Site 2)

Same result!

PC2> ping 172.16.0.2
172.16.0.2 icmp_seq=1 timeout
172.16.0.2 icmp_seq=2 timeout
172.16.0.2 icmp_seq=3 timeout
172.16.0.2 icmp_seq=4 timeout
172.16.0.2 icmp_seq=5 timeout

IKE Phase 1

Keeping the Lab Objectives in mind, let’s set up each of the IKE Phase 1 requirements.

First, we need to set up an ISAKMP policy.

Site1(config)#crypto isakmp policy 1

A good way to remember what parameters can be set in IKE Phase 1 is the word HAGLE:

H = Hash
A = Authentication
G = DH Group
L = Lifetime
E = Encryption

Site1(config-isakmp)#hash sha
Site1(config-isakmp)#authentication pre-share
Site1(config-isakmp)#group 5
Site1(config-isakmp)#encryption aes 128

I left the lifetime of the tunnel at the default for this lab. Note that the parameters need to match on each site for the IKE Phase 1 tunnel to come up.

The next step is to set the pre-shared key that will be used between the two sites. Let’s use mrrobot.

Site1(config)#crypto isakmp key mrrobot address 96.1.1.1

Here we have entered the shared key to use and also the peer address we want to use it with, in our case Site 2.

IKE Phase 2

This tunnel is the IPSec tunnel which will be used to encrypt user data.

Site1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac

Here we are creating a transform-set named myset, using esp-des for encryption (weak, very weak, but it will do for the lab) and esp-md5-hmac for hashing and integrity.

Next, we will set up a crypto map.

Site1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Site1(config-crypto-map)#set peer 96.1.1.1
Site1(config-crypto-map)#set transform-set myset
Site1(config-crypto-map)#match address 100
Site1(config-crypto-map)#exit

Here we are telling the crypto map called mymap what peer to set up the tunnel with, the transform set to use and what interesting traffic to match.

Next, set up the access-list that the crypto map is using.

Site1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255

With this access-list we are telling it to match traffic from the Site 1 LAN with a destination of the Site 2 LAN; any other traffic that does not match this access-list will be sent unencrypted.

Lastly, we need to apply the crypto map to the public-facing interface.

Site1(config)#int fa0/0
Site1(config-if)#crypto map mymap
*Mar 1 01:12:06.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

OK, that is everything we need to configure on Site 1 for IPSec. I am not going to go through the same for Site 2 as it is pretty much the same but in reverse.
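To make “the same but in reverse” concrete, here is the Site 2 side as an added example (not configuration from the post). Only the peer address and the ACL direction change; the ISAKMP policy, key and transform set must match Site 1 exactly. Site 2’s public interface is assumed to be fa0/0 as well.

```cisco
! IKE Phase 1: identical HAGLE parameters to Site 1, or the tunnel never forms.
Site2(config)#crypto isakmp policy 1
Site2(config-isakmp)#hash sha
Site2(config-isakmp)#authentication pre-share
Site2(config-isakmp)#group 5
Site2(config-isakmp)#encryption aes 128
Site2(config-isakmp)#exit
! Same pre-shared key, but bound to Site 1's public address.
Site2(config)#crypto isakmp key mrrobot address 86.1.1.1
! IKE Phase 2: same transform set as Site 1.
Site2(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
Site2(cfg-crypto-trans)#exit
! Interesting traffic is the mirror image: Site 2 LAN -> Site 1 LAN.
! If the two ACLs are not exact mirrors, Phase 2 fails with a proxy identity mismatch.
Site2(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Site2(config)#crypto map mymap 10 ipsec-isakmp
Site2(config-crypto-map)#set peer 86.1.1.1
Site2(config-crypto-map)#set transform-set myset
Site2(config-crypto-map)#match address 100
Site2(config-crypto-map)#exit
! Apply on the public-facing interface (assumed fa0/0 on Site 2 too).
Site2(config)#interface fa0/0
Site2(config-if)#crypto map mymap
Site2(config-if)#end
! Verify from this side: Phase 1 should show QM_IDLE/ACTIVE with dst 96.1.1.1
! and src 86.1.1.1; Phase 2 counters should climb as PC2 pings PC1.
Site2#show crypto isakmp sa
Site2#show crypto ipsec sa
```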

Testing

So let’s test this out to see if it works. If it does, the traffic that we tried to send earlier from Site 1’s LAN should now be successful.

Ping from PC1 to PC2

PC1> ping 192.168.0.2
192.168.0.2 icmp_seq=1 timeout
192.168.0.2 icmp_seq=2 timeout
84 bytes from 192.168.0.2 icmp_seq=3 ttl=62 time=36.000 ms
84 bytes from 192.168.0.2 icmp_seq=4 ttl=62 time=39.000 ms
84 bytes from 192.168.0.2 icmp_seq=5 ttl=62 time=43.000 ms

Success! The first two packets that failed could be due to ARP and/or the time it took for the two tunnels to be built.

And just to show the other side is also working.

PC2> ping 172.16.0.2
84 bytes from 172.16.0.2 icmp_seq=1 ttl=62 time=36.000 ms
84 bytes from 172.16.0.2 icmp_seq=2 ttl=62 time=42.000 ms
84 bytes from 172.16.0.2 icmp_seq=3 ttl=62 time=50.000 ms
84 bytes from 172.16.0.2 icmp_seq=4 ttl=62 time=49.000 ms
84 bytes from 172.16.0.2 icmp_seq=5 ttl=62 time=46.000 ms

Show commands

IKE Phase 1 Tunnel

Site1#show crypto isakmp sa

dst          src          state     conn-id  slot  status
86.1.1.1     96.1.1.1     QM_IDLE   1        0     ACTIVE

Here we see that we have an IKE Phase 1 tunnel active.

IKE Phase 2 Tunnel

Site1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: mymap, local addr 86.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 96.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 86.1.1.1, remote crypto endpt.: 96.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD796A48B(3616973963)

There is a lot more information in the IPSec output. We can see which interface the crypto map is on, the local and remote addresses that are getting encrypted, the current peer, and the number of packets sent and the number encrypted.

eBGP Configuration

As requested by Muadiv, here is the BGP configuration on each router for this lab.

Site 1:

router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 86.1.1.2 remote-as 2
no auto-summary

Internet Router:

router bgp 2
no synchronization
bgp log-neighbor-changes
network 86.1.1.0 mask 255.255.255.0
network 96.1.1.0 mask 255.255.255.0
neighbor 86.1.1.1 remote-as 1
neighbor 96.1.1.1 remote-as 3
no auto-summary

Site 2:

router bgp 3
no synchronization
bgp log-neighbor-changes
neighbor 96.1.1.2 remote-as 2
no auto-summary

 

Labs Labs Labs…

For me, labs are the most important part of my pursuit of certification. I am a visual learner more than anything else, and I find doing labs is a great way to learn; it also helps you remember topics and commands. Another important part is troubleshooting your lab: when you first configure something, chances are it won’t work first time round, so you have to think about what steps you have taken in configuring the lab and start troubleshooting the issues. What a great way to learn.

So what is the best way to practice using labs? The lab rental model is good if you don’t have the physical hardware, which can be expensive to buy and run in your own home lab. The other option is to run virtual labs on your own PC at home, and that’s the one I use.

I built my own PC, which was another great learning experience. It has an Intel i5 processor, 16G of RAM, a 250G SSD, an ASRock motherboard… I won’t bore you with all the details, but it’s a powerful enough machine.

So what is the best software out there to run on your own PC? I use a combination of software depending on what I am doing. I use Packet Tracer for quick and basic labs. I also run GNS3 for more complex labs, which I used a lot for my CCNP R&S certification exams.

But the latest one I am using is Unified Networking Labs, or UNL for short. To run the UNL software you must use VMware or VirtualBox, and you need a powerful PC depending on the complexity of the lab you want to run. You can download the software from http://www.unetlab.com/ if you are interested in trying it out.

So why UNL? Well, it supports a lot of the security appliances you need to use for the CCNA Security exam: ACS, ASA, ASAv, Cisco IOU switches and Cisco routers, to name a few. It is really important to get some hands-on experience on the ASA in particular, and also on its GUI interface, the ASDM.

Unified Network Labs

Below I will show you what it looks like, and also set up the ASA and a virtual Windows machine to access the ASDM, all from within the UNL system.

I won’t go into detail on how to install the software, as the UNL website does a really good job of that and also provides videos.

unl_login
UNL Login Screen

Once you start the VMware for UNL you log onto the system via your browser. The username/password is admin/unl.

Once logged in you’ll get the following screen.

addlab

To create a new lab click on Actions and ‘Add a new lab’.

After naming your lab and saving it, it will appear in your list; double click on the lab and then select Open.

selectlab

On the left-hand side click the plus button to add an object and select Node. Select ASAv from the list to add it to the lab, then do this again and select Windows to add a virtual Windows machine. Next select the link icon to add a link between the nodes.

asdm

The next step is to start the nodes by right-clicking on them and selecting Start. Now the fun begins: configuring the ASAv and the Windows machine so we can configure the ASAv not only via the CLI but also using the ASDM GUI.

The first thing we need to do is configure the ASAv node. I am using PuTTY here.

asaputty

First step: configure the management interface that is connected to the Windows machine. Here I gave it an IP address of 192.168.1.200/24.

I then enabled the HTTP server and also told the ASA what network is allowed to connect to it.

What isn’t shown in the screen capture above is configuring a username and password to use via the ASDM. The command for this is:

#username admin password admin123 privilege 15

You also need to tell the ASDM how to authenticate the user and what database to use. I’m just using the local ASA one.

#aaa authentication http console LOCAL

That is it! Now save your configuration using the wr command.

Next, the Windows machine. I connect to it via Remote Desktop Viewer (I run Linux on my home PC).

windows

Nothing special here, apart from the fact that you need to have the Windows machine on the same network as the ASA. Open up Network Connections and enter an IP address in the 192.168.1.0 subnet. I used 192.168.1.201/24.

Once configured run a quick ping test.

ping

SUCCESS !

Double click on the ASDM icon to launch the ASDM and enter the IP address you gave the management interface on the ASAv, in my case 192.168.1.200, with the username/password of admin/admin123.

 

asdmhs

Bingo! I am now connected to the ASAv via the ASDM GUI.

I hope you find this useful. Any questions just ask in the comments section.

NOTE: You need to download the different images you want to use from the Cisco website and install them in the UNL system, just like you have to do with GNS3. The UNL website has a HOW-TO guide on how to import them.

ARP Poisoning Lab

It has been a couple of weeks if not more since I last posted on my study blog. Life getting in the way as it does. But I hope to get back on track now.

In my last post I talked about ARP Poisoning and how it works as a Man-in-the-Middle attack. So how do you stop this sort of attack?

Does something called DHCP Spoofing ring a bell? I previously talked about it and how to stop it in the DHCP Spoofing post, so if you need a refresher click on the link and then come back here.

So we can use the DHCP Snooping binding database to help us stop ARP poisoning too; after all, the database keeps mappings of IP addresses to MAC addresses and the port they were learnt on. For this to work you need to already have DHCP Snooping enabled. If you are on a non-DHCP network you can set up ARP ACLs to provide the mappings instead.

To enable ARP Inspection you enable it in Global Config mode, and it is done on a per-VLAN basis.

#config t

#ip arp inspection vlan 123

Just like with DHCP Snooping, untrusted ports will DROP any ARP traffic that does not match the IP-to-MAC mapping for that port. And just like with DHCP Snooping, you can set ports (interfaces) to be trusted. If a port is changed to a trusted port it will not be subject to inspection and the traffic is allowed to flow. To change a port to a trusted port go into the interface.

#interface fa0/2

#ip arp inspection trust

And that is it.

To finish up: you can enable ARP Inspection on access, trunk and EtherChannel ports.
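Putting the pieces of this post together, as an added example rather than the post’s own configuration: ARP Inspection on VLAN 123 on top of DHCP Snooping, plus the ARP ACL route the post mentions for a host that does not use DHCP. The static host’s address and MAC, and the interface ranges, are constructed for the example; fa0/2 is the port the post trusts and is assumed here to be the uplink.

```cisco
! Prerequisite: the snooping binding table is what untrusted-port ARP is checked against.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 123
Switch(config)#ip arp inspection vlan 123
! Extra sanity checks on every inspected ARP packet: sender MAC in the ARP
! body must equal the Ethernet source MAC (src-mac), target MAC must equal the
! Ethernet destination MAC on replies (dst-mac), and no bogus IPs such as
! 0.0.0.0 or multicast (ip).
Switch(config)#ip arp inspection validate src-mac dst-mac ip
! A server with a static IP has no DHCP snooping binding, so its ARP would be
! dropped. Give it an explicit mapping instead of trusting its port.
Switch(config)#arp access-list STATIC_HOSTS
Switch(config-arp-nacl)#permit ip host 192.168.123.10 mac host 0011.2233.4455
Switch(config-arp-nacl)#exit
! Without the "static" keyword, ARP that misses the ACL is still checked
! against the snooping bindings; with it, the ACL alone decides.
Switch(config)#ip arp inspection filter STATIC_HOSTS vlan 123
! Only the uplink is trusted; ARP arriving there is not inspected at all.
Switch(config)#interface fa0/2
Switch(config-if)#ip arp inspection trust
Switch(config-if)#exit
! Access ports stay untrusted. The rate limit (packets/second) means a host
! flooding gratuitous ARPs err-disables its own port rather than the switch CPU.
Switch(config)#interface range fa0/3 - 24
Switch(config-if-range)#ip arp inspection limit rate 15
Switch(config-if-range)#end
! Verification: per-VLAN state, per-port trust/rate, and drop counters
! (forwarded vs. dropped, and why).
Switch#show ip arp inspection vlan 123
Switch#show ip arp inspection interfaces
Switch#show ip arp inspection statistics vlan 123
```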

Port Security Lab

In a previous post I described what a CAM Table Overflow Attack is and how to mitigate it using port security. So let’s get straight into it.

Topology I’m using

startPS

A straightforward topology: PC-1 and PC-2 are on the same subnet.

PC-1:

  • IP Address: 192.168.1.1
  • MAC Address: 0060.3E94.1111

PC-2:

  • IP Address: 192.168.1.2
  • MAC Address: 0001.C710.2222

I changed the MAC addresses manually in the PC configuration to end with .1111 for PC-1 and .2222 for PC-2 as it makes it easier to know what MAC belongs to what PC.

To stop a CAM Table Overflow Attack from succeeding we can, and should, enable port security on the switch.

First, let’s look at the MAC address table as it stands on the switch. We can see the MAC addresses of PC-1 and PC-2 and which ports they are connected to.

SP_mac_table

The next step is to configure port security.

Switch(config)#interface range fa0/1 - 2

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport port-security

Switch(config-if-range)#switchport port-security maximum 1

Switch(config-if-range)#switchport port-security violation shutdown

Switch(config-if-range)#switchport port-security mac-address sticky

Switch(config-if-range)#end

port-sec_config

That’s all there is to it. Remember that the port cannot be a dynamic port; you must use the switchport mode access command to change the port to an access port.

To verify the configuration use the following show commands (output below).

  • show mac address-table
  • show port-security address
  • show port-security

Note below that instead of the Type being Dynamic it has changed to Static; this is because we used the mac-address sticky command above.

SPshowcommands

To force a violation in Packet Tracer we can go into one of the PCs’ configuration and change the MAC address of the PC; this should cause a psecure violation.

pcmacconfig

I changed PC-1 here so that its MAC address now ends with .3333 instead of .1111; this should cause the port to shut down.

portsecviolation

As you can see from the output above, the link has changed to down.

Also, if you run the same commands from earlier we can see that Fa0/1 has a SecurityViolation count of 1.

If you run the command #show port-security interface fa0/1 we can get more details on the violation.

  • Port Status : Secure – shutdown
  • Last Source Address:Vlan: 0060.3E94.3333:1
  • Security Violation Count: 1

Taking a closer look at the output, we can see the port status is shutdown, the last MAC address seen on the port was 0060.3E94.3333 (which caused the violation), and the count has gone up to 1.

To bring the port back up you have to go into the interface that is down and run:

  • #shutdown
  • #no shutdown

OR

You can use the errdisable command, but I can’t show you that as unfortunately Packet Tracer doesn’t support it. The command will automatically bring the interface back up after X amount of time.

DHCP Snooping Lab

Packet Tracer

Before we get started with this lab I want to tell you about Packet Tracer. Packet Tracer is a great piece of software from Cisco, and I’m running the latest version, which is 7.0. It can be limited in some areas, but we can run a lot of the labs that are needed for the CCNA-level exam with it. For more complex labs you can use GNS3, or if you have access to real equipment in your workplace you can set up a nice little lab with some real equipment. And then there is of course rack rental if you want to use real equipment but don’t have the budget to spend on second-hand gear.

You can download Packet Tracer from https://www.netacad.com/: simply set up a free account and download the version for the operating system you are using; in my case I have it running on a Linux machine.

DHCP Snooping Lab

Objective:

  • Set up a router as a DHCP server
  • Set the default gateway to 192.168.1.1/24
  • Exclude the following IP address range from DHCP: 192.168.1.1 – 192.168.1.10
  • Connect the router to a switch
  • Connect 3 hosts (PCs) to the switch and set them up to request an IP address via DHCP
  • Configure the switch with DHCP Snooping
  • Configure the interface connected to the router as a trusted port

When you first start Packet Tracer you’ll get the following screen:

PT_Startscreen

At the bottom you have a list of icons for different devices. Select the devices here and drag them onto the main window.

networkdiagram

This is what the lab should look like.

Let’s configure the Router first. Click on the Router and select the CLI tab. Note that I have already configured interface Fa0/0 with the IP address 192.168.1.1 and done a no shutdown on the port to bring it up.

Setting up the router as a DHCP Server:

Router#config t

Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10

Router(config)#ip dhcp pool MRROBOT

Router(dhcp-config)#network 192.168.1.0 255.255.255.0

Router(dhcp-config)#end

Router#

Screenshot-Router1

Now that the Router is set up to hand out IP addresses from the 192.168.1.0/24 network, let’s configure the PCs to request IP addresses from the Router using DHCP.

First click on PC-0 and select the Config tab. Select DHCP (the default is Static); the PC will now send a broadcast DHCP Discover message onto the local LAN to request an IP address.

PC Configuration

Here we can see that the router gave it 192.168.1.11, which is the first IP address it is allowed to give out from its pool. Remember we excluded addresses 192.168.1.1 to 192.168.1.10 in the Router configuration. Repeat this for each PC you have connected to the Switch.

PCipconfig

The next step is to enable DHCP snooping on the switch to stop rogue DHCP servers from successfully operating on the network. Enter the following commands.

Switch#config t

Switch(config)#ip dhcp snooping

Switch(config)#ip dhcp snooping vlan 1

Switch(config)#end

SwtichDHCPSnopp

Let’s test to see if this has worked. You might have noticed I haven’t yet set any ports on the Switch to be trusted ports. I’ll release the IP address on PC-0 and request a new one. It should fail. And what do you know, it did.

PCDHCPFail

Let’s fix this so that the port on the Switch connected to the Router is a trusted port, which will then allow all DHCP messages through. Can you remember what they are? Remember our friend called DORA?

The Router is attached to Fa0/4 on the Switch. Let’s make it a trusted port.

Switch#config t

Switch(config)#int fa0/4

Switch(config-if)#ip dhcp snooping trust

Switch(config-if)#end

SwitchTrustportconf

Time to test it out to see if it was successful.

PCDHCPSucc

I did an ipconfig /release followed by ipconfig /renew and we are back in business. The PC is getting an IP address again via DHCP.

And to finish off the lab, some show commands.

  • show ip dhcp snooping binding
  • show ip dhcp snooping

Switch#show ip dhcp snooping binding

Switch#show ip dhcp snooping

showcommands

These are useful commands to check the bindings of MAC address to IP address and what VLAN and interface they’re on.

In the second command you can see which interfaces are trusted and which are not.
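The same DHCP Snooping lab as it would be configured on a real switch, as an added example (not the post’s Packet Tracer configuration), with two settings the post does not cover: the Option 82 behaviour that trips people up when a router is the DHCP server, and a rate limit on the untrusted host ports. The host ports are assumed to be fa0/1 - 3; Fa0/4 to the Router is the post’s.

```cisco
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
! Real IOS switches insert DHCP Option 82 on packets from untrusted ports by
! default. An IOS router acting as the DHCP server (as in this lab) drops
! requests that carry Option 82 with a giaddr of 0.0.0.0, so clients never get
! an address even with the trusted port set. Turn the insertion off.
Switch(config)#no ip dhcp snooping information option
! Only the port towards the real DHCP server is trusted: Offers/Acks arriving
! on any other port are dropped, which is what defeats a rogue server.
Switch(config)#interface fa0/4
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
! Host ports stay untrusted. Cap DHCP packets/second so a host flooding
! Discovers err-disables its own port instead of exhausting the switch.
Switch(config)#interface range fa0/1 - 3
Switch(config-if-range)#ip dhcp snooping limit rate 10
Switch(config-if-range)#exit
! Let a port disabled by the rate limit recover on its own (default 300 s).
Switch(config)#errdisable recovery cause dhcp-rate-limit
Switch(config)#end
! Verification: trusted/untrusted per port and the Option 82 setting, then the
! MAC-to-IP-to-port bindings the three PCs should now appear in.
Switch#show ip dhcp snooping
Switch#show ip dhcp snooping binding
```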

Any questions let me know in the comments.