DHCP Snooping Lab

Packet Tracer

Before we get started with this lab, I want to let you know about Packet Tracer. Packet Tracer is a great piece of software from Cisco, and I'm running the latest version of it, which is version 7.0. It can be limited in some areas, but we can run a lot of the labs needed for the CCNA-level exam with it. For more complex labs you can use GNS3, or if you have access to real equipment at your workplace you can set up a nice little lab with it. And then there is of course Rack Rentals, if you want to use real equipment but don't have the budget for second-hand gear.

You can download Packet Tracer from https://www.netacad.com/. Simply set up a free account and download the version for the operating system you are using; in my case I have it running on a Linux machine.

DHCP Snooping Lab


  • Set up a router as a DHCP server
  • Set the default gateway to
  • Exclude the following IP address range from DHCP: –
  • Connect the router to a Switch
  • Connect 3 hosts (PCs) to the Switch and set them up to request an IP address via DHCP
  • Configure the switch with DHCP Snooping
  • Configure the interface connected to the router as a Trusted Port.

When you first start Packet Tracer you’ll get the following screen:


On the bottom you have a list of icons for different devices. Here you select the devices and drag them onto the main window.


This is what the lab should look like.

Let's configure the Router first. Click on the Router and select the CLI tab. Note that I have already configured interface Fa0/0 with the IP address and issued a no shutdown on the port to bring it up.

Setting up the router as a DHCP Server:

Router#config t

Router(config)#ip dhcp excluded-address

Router(config)#ip dhcp pool MRROBOT





Now that the Router is set up to hand out IP addresses from the network, let's configure the PCs to request an IP address from the Router using DHCP.

First click on PC-0 and select the Config tab. Select DHCP (the default is Static); the PC will now send a broadcast DHCP Discover message onto the local LAN to request an IP address.

PC Configuration

Here we can see that the router gave it which is the first IP address it is allowed to give out from its pool. Remember we excluded addresses to in the Router configuration. Repeat this for each PC you have connected to the Switch.


The next step is to enable DHCP snooping on the switch to stop rogue DHCP servers from successfully operating on the network. Enter the following commands.

Switch#config t

Switch(config)#ip dhcp snooping

Switch(config)#ip dhcp snooping vlan 1



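Let's test to see if this has worked. You might have noticed I haven't set any ports on the Switch as trusted ports yet. I'll release the IP address that is on PC-0 and request a new one. It should fail, because with snooping enabled every port is untrusted by default and the switch drops DHCP server replies arriving on untrusted ports. And what do you know, it did.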


Let's fix this by making the port on the Switch that connects to the Router a trusted port, which will then allow all DHCP messages through. Can you remember what they are? Remember our friend called DORA?

The Router is attached to Fa0/4 on the Switch. Let's make it a trusted port.

Switch#config t

Switch(config)#int fa0/4


Switch(config-if)#ip dhcp snooping trust



Time to test it out to see if it was successful.


I did an ipconfig /release followed by ipconfig /renew and we are back in business. The PC is getting an IP address again via DHCP.

And to finish off the lab, some show commands.

  • show ip dhcp snooping binding
  • show ip dhcp snooping

Switch#show ip dhcp snooping binding

Switch#show ip dhcp snooping


These are useful commands to check the bindings of MAC address to IP address and which VLAN and interface they're on.

In the second command you can see which interfaces are trusted and which are not.
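A simplified model of what the switch did in this lab, as an added example that is not part of the original post and not Cisco's implementation: server replies are dropped on untrusted ports, and a binding is recorded once a trusted server acknowledges a lease. Fa0/4 is the router port from the lab; the MAC address, the IP addresses and the ports Fa0/1 and Fa0/2 are constructed assumptions.

```python
# Simplified model of DHCP snooping on one VLAN (illustration only).
from dataclasses import dataclass, field

# DORA: Discover and Request come from clients, Offer and Ack from servers.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # ports with "ip dhcp snooping trust"
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, client port)
    pending: dict = field(default_factory=dict)   # client MAC -> port it asked from

    def receive(self, port, msg_type, client_mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message arriving on `port`."""
        if msg_type in SERVER_MESSAGES and port not in self.trusted:
            return "drop"                         # server reply on an untrusted port
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
        elif msg_type == "ACK" and client_mac in self.pending:
            # Lease confirmed through a trusted port: record the binding.
            self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
        return "forward"

def run_dora(switch, client_port, server_port, mac, ip):
    """Send all four DORA messages through the switch and return the verdicts.
    A real client would stop after an unanswered Discover; the model keeps
    going so every verdict is visible."""
    steps = [(client_port, "DISCOVER"), (server_port, "OFFER"),
             (client_port, "REQUEST"), (server_port, "ACK")]
    return [switch.receive(port, kind, mac, ip) for port, kind in steps]

# Constructed sample values (assumptions, not taken from the lab).
PC0_MAC, LEASE_IP = "00:00:5e:00:53:01", "192.0.2.11"

def lab_before_trust():
    sw = SnoopingSwitch()                         # snooping on, no trusted ports
    return run_dora(sw, "Fa0/1", "Fa0/4", PC0_MAC, LEASE_IP), sw.bindings

def lab_after_trust():
    sw = SnoopingSwitch(trusted={"Fa0/4"})        # router port trusted
    return run_dora(sw, "Fa0/1", "Fa0/4", PC0_MAC, LEASE_IP), sw.bindings

def rogue_offer_after_trust():
    sw = SnoopingSwitch(trusted={"Fa0/4"})
    return sw.receive("Fa0/2", "OFFER", PC0_MAC, "192.0.2.200")  # server on a PC port

if __name__ == "__main__":
    print(lab_before_trust())
    print(lab_after_trust())
    print(rogue_offer_after_trust())
```

The model leaves out the other checks a real switch applies on untrusted ports; it only covers the trust decision and the binding table seen in the show commands.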

Any questions, let me know in the comments.