Packet Tracer Labs

Lab 25: DHCP Snooping — Blocking Rogue Servers

Play both attacker and defender: add a rogue DHCP server to the LAN, watch it poison clients — then enable DHCP snooping and watch the switch silently kill the attack. Difficulty: Intermediate+ · Time: ~30 min.

Lab objectives

  • See the rogue-DHCP attack succeed first (the scary part)
  • Enable DHCP snooping globally and per-VLAN
  • Trust only the legitimate server port
  • Verify the binding table and blocked attack

Topology & addressing

1× 2960 switch, legitimate DHCP server (Fa0/24, 192.168.1.5 with a proper pool), rogue server (another PT Server on Fa0/10 with a fake pool + fake gateway), 2× client PCs on DHCP.

Step-by-step configuration

First: renew a client with BOTH servers active. Sometimes the rogue answers first, and clients get the fake gateway. Attack demonstrated.

Enable the feature globally and for the VLAN (global configuration mode):

    ip dhcp snooping
    ip dhcp snooping vlan 1

Trust ONLY the legitimate server's port:

    interface fa0/24
     ip dhcp snooping trust

Renew clients again. Only real leases arrive now; rogue offers are dropped at the switch.

Verification

show ip dhcp snooping confirms the config and trusted port; show ip dhcp snooping binding lists each legitimate lease (IP-MAC-port). Renew clients repeatedly — they now always get the real server's settings. The rogue server still runs, but its packets die at the untrusted port: attack neutralised.
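
To see why the rogue's packets die at the untrusted port while the binding table fills from the real server, here is a simplified Python model of the switch's decision. It is an added example, not Cisco's implementation or part of the original lab, and it covers only the trust check and binding creation. The client port Fa0/1, the MAC address and the leased and fake-pool addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these

@dataclass
class SnoopingSwitch:
    snooping_vlans: set                     # ip dhcp snooping vlan <id>
    trusted_ports: set                      # ip dhcp snooping trust
    client_port: dict = field(default_factory=dict)  # MAC -> port of last client message
    bindings: dict = field(default_factory=dict)     # MAC -> (IP, VLAN, port)
    dropped: list = field(default_factory=list)      # (port, type, offered IP)

    def receive(self, in_port, vlan, msg_type, client_mac, ip=None):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if vlan not in self.snooping_vlans:
            return True                     # snooping off for this VLAN: no filtering
        if msg_type in SERVER_MESSAGES:
            if in_port not in self.trusted_ports:
                self.dropped.append((in_port, msg_type, ip))
                return False                # server reply arriving on an untrusted port
            if msg_type == "ACK" and client_mac in self.client_port:
                # lease confirmed via the trusted port: record IP-MAC-port
                self.bindings[client_mac] = (ip, vlan, self.client_port[client_mac])
            return True
        self.client_port[client_mac] = in_port   # DISCOVER/REQUEST from a client
        return True

# Constructed sample exchange: one client renewing with both servers active.
PC1 = "0001.aaaa.0001"                      # constructed client MAC
EVENTS = [
    ("Fa0/1",  "DISCOVER", PC1, None),
    ("Fa0/10", "OFFER",    PC1, "10.99.99.50"),    # rogue server, fake pool (constructed)
    ("Fa0/24", "OFFER",    PC1, "192.168.1.11"),   # legitimate server (constructed lease)
    ("Fa0/1",  "REQUEST",  PC1, None),
    ("Fa0/10", "ACK",      PC1, "10.99.99.50"),
    ("Fa0/24", "ACK",      PC1, "192.168.1.11"),
]

def replay(switch, events=EVENTS, vlan=1):
    """Feed the events to the switch; return the forward/drop decision for each."""
    return [switch.receive(port, vlan, kind, mac, ip) for port, kind, mac, ip in events]

if __name__ == "__main__":
    sw = SnoopingSwitch(snooping_vlans={1}, trusted_ports={"Fa0/24"})
    print(replay(sw), sw.bindings, sw.dropped)
```

Constructing the switch with an empty `trusted_ports` set shows the misconfiguration case: snooping is on, every server reply is dropped, and no client gets a lease.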


Frequently asked questions

Why show the attack before the fix?

Seeing clients actually receive a fake gateway makes the threat concrete — and makes the one-command fix feel as important as it is.

Which ports should be trusted?

Only ports toward legitimate DHCP servers and uplinks carrying DHCP from them — every user-facing port stays untrusted.

What is the binding table used for beyond snooping?

It feeds Dynamic ARP Inspection and IP Source Guard — validating ARP and source IPs against real leases for layered Layer 2 security.

Vipul Sir — Lead Instructor, Attila Technologies. 20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.