Before we get started with this lab I want to let you know about Packet Tracer. Packet Tracer is a great piece of software from Cisco, and I’m running the latest version of it, which is version 7.0. It can be limited in some areas, but we can run a lot of the labs that are needed for the CCNA-level exam with it. For labs that are more complex you can use GNS3, or if you have access to real equipment in your workplace you can set up a nice little lab with it. And then there is of course Rack Rentals if you want to use real equipment but don’t have the budget to spend on second-hand gear.
You can download Packet Tracer from https://www.netacad.com/. Simply set up a free account and download the version for the operating system you are using; in my case I have it running on a Linux machine.
DHCP Snooping Lab
- Set up a router as a DHCP server
- Set the default gateway to 192.168.1.1/24
- Exclude the following IP address range from DHCP: 192.168.1.1 – 192.168.1.10
- Connect the router to a Switch
- Connect 3 hosts (PCs) to the Switch and set them up to request an IP address via DHCP
- Configure the switch with DHCP Snooping
- Configure the interface connected to the router as a Trusted Port.
When you first start Packet Tracer you’ll get the following screen:
On the bottom you have a list of icons for different devices. Here you select the devices and drag them onto the main window.
This is what the lab should look like.
Let’s configure the Router first. Click on the Router and select the CLI tab. Note that I have already configured interface Fa0/0 with the IP address 192.168.1.1 and did a no shutdown on the port to bring it up.
Setting up the router as a DHCP Server:
Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
Router(config)#ip dhcp pool MRROBOT
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Now that the Router is set up to hand out IP addresses from the 192.168.1.0/24 network, let’s configure the PCs to request an IP address from the Router using DHCP.
First click on PC-0 and select the Config tab. Select DHCP (default is Static). The PC will now send a broadcast DHCP Discovery message onto the local LAN to request an IP address.
Here we can see that the router gave it 192.168.1.11 which is the first IP address it is allowed to give out from its pool. Remember we excluded addresses 192.168.1.1 to 192.168.1.10 in the Router configuration. Repeat this for each PC you have connected to the Switch.
Next step is to enable DHCP snooping on the switch to stop rogue DHCP servers from successfully operating on the network. Enter the following commands.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Let’s test to see if this has worked. You might have noticed I haven’t set any ports on the Switch to be trusted ports yet. I’ll release the IP address that is on PC-0 and request a new one. It should fail. And what do you know, it did.
Let’s fix this by making the Switch port connected to the Router a Trusted port, which will then allow all DHCP messages through. Can you remember what they are? Remember our friend called DORA?
The Router is attached to Fa0/4 on the Switch. Let’s make it a trusted port.
Switch(config)#interface FastEthernet0/4
Switch(config-if)#ip dhcp snooping trust
Time to test it out to see if it was successful.
I did an ipconfig /release followed by an ipconfig /renew and we are back in business. The PC is getting an IP address again via DHCP.
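To see why the renew failed with no trusted port and succeeded once Fa0/4 was trusted, here is a simplified Python model of the snooping decisions, added as an illustration; it is not part of the original lab and not Cisco's implementation. PC-0 on Fa0/1, a rogue server on Fa0/2, the MAC address and the rogue IP are constructed assumptions.

```python
# Simplified model of the DHCP snooping decisions on one VLAN (not IOS code).
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server should send these

class SnoopingSwitch:
    def __init__(self):
        self.trusted = set()    # every port starts untrusted
        self.mac_port = {}      # client MAC -> port it was last seen on
        self.bindings = {}      # client MAC -> (leased IP, port)

    def trust(self, port):      # models "ip dhcp snooping trust" on that port
        self.trusted.add(port)

    def receive(self, port, msg, mac, ip=None):
        """Return the set of ports the message is forwarded to (empty = dropped)."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return set()    # server message on an untrusted port: drop
            if msg == "ACK":    # lease confirmed: record the binding
                self.bindings[mac] = (ip, self.mac_port.get(mac))
            out = self.mac_port.get(mac)
            return {out} if out else set()
        bound = self.bindings.get(mac)
        if msg == "RELEASE" and port not in self.trusted:
            if bound and bound[1] != port:
                return set()    # release for a lease bound to another port: drop
            self.bindings.pop(mac, None)
        self.mac_port[mac] = port
        return self.trusted - {port}   # client messages go to trusted ports only

def dora(sw, client_port, server_port, mac, ip):
    """Run Discover/Offer/Request/Ack through the switch; True if the lease completes."""
    steps = [(client_port, "DISCOVER", server_port), (server_port, "OFFER", client_port),
             (client_port, "REQUEST", server_port), (server_port, "ACK", client_port)]
    return all(dst in sw.receive(src, msg, mac, ip) for src, msg, dst in steps)

def lab_run():
    pc0 = "00:00:5e:00:53:01"   # constructed MAC; PC-0 on Fa0/1 is an assumption
    sw = SnoopingSwitch()
    no_trust = dora(sw, "Fa0/1", "Fa0/4", pc0, "192.168.1.11")    # no trusted port yet
    sw.trust("Fa0/4")                                             # router uplink
    with_trust = dora(sw, "Fa0/1", "Fa0/4", pc0, "192.168.1.11")
    rogue_offer = sw.receive("Fa0/2", "OFFER", pc0, "10.0.0.50")  # rogue server on Fa0/2
    return no_trust, with_trust, rogue_offer, dict(sw.bindings)

if __name__ == "__main__":
    print(lab_run())
```

The binding recorded on the ACK is the same MAC, IP and interface information that the binding table on the switch holds.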
And to finish off the lab some show commands.
- show ip dhcp snooping binding
- show ip dhcp snooping
Switch#show ip dhcp snooping binding
Switch#show ip dhcp snooping
These are useful commands to check the bindings of MAC address to IP address and what VLAN and Interface they’re on.
In the second command you can see what Interfaces are Trusted and what are not.
Any questions let me know in the comments.