Lab 25: DHCP Snooping — Blocking Rogue Servers
Play both attacker and defender: add a rogue DHCP server to the LAN, watch it poison clients — then enable DHCP snooping and watch the switch silently kill the attack. Difficulty: Intermediate+ · Time: ~30 min.
Lab objectives
- See the rogue-DHCP attack succeed first (the scary part)
- Enable DHCP snooping globally and per-VLAN
- Trust only the legitimate server port
- Verify the binding table and blocked attack
Topology & addressing
1× 2960 switch, legitimate DHCP server (Fa0/24, 192.168.1.5 with a proper pool), rogue server (another PT Server on Fa0/10 with a fake pool + fake gateway), 2× client PCs on DHCP.
Step-by-step configuration
| Step / commands | Purpose |
| --- | --- |
| First: renew a client with BOTH servers active | Sometimes the rogue answers first and clients get the fake gateway. Attack demonstrated. |
| ip dhcp snooping; ip dhcp snooping vlan 1 | Enable the feature globally and for the VLAN |
| interface fa0/24; ip dhcp snooping trust | ONLY the legitimate server's port is trusted |
| Renew clients again | Only real leases arrive now; rogue offers are dropped at the switch |
Verification
show ip dhcp snooping confirms the configuration and the trusted port; show ip dhcp snooping binding lists each legitimate lease (IP, MAC, port) as the switch learned it from the real server's replies. Renew the clients repeatedly: they now always receive the real server's settings. The rogue server still runs, but its OFFER and ACK messages are server-side DHCP messages arriving on an untrusted port, so the switch drops them: attack neutralised.
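To make the switch's decision explicit, here is a small Python model of the DHCP snooping filter and binding table, replaying the lab's frames. This is an added example, not code from the lab page or from Cisco: the frame format, MAC addresses and port names are constructed for the demo, and real switches also handle option 82, rate limiting and giaddr checks that are left out here.

```python
"""Toy model of the per-frame decision a DHCP-snooping switch makes.

Added example (not from the lab page or Cisco IOS). Simplifications:
only the DHCP fields snooping cares about are modelled, and option 82,
rate limiting and giaddr validation are omitted.
"""
from dataclasses import dataclass, field

# DHCP message types (option 53 values from RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7

# Messages that only a DHCP server legitimately sends
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpFrame:
    in_port: str      # ingress interface, e.g. "Fa0/10" (constructed)
    src_mac: str      # Ethernet source MAC
    msg_type: int     # option 53 value
    chaddr: str       # client hardware address carried in the DHCP payload
    yiaddr: str = ""  # address being handed out (OFFER/ACK only)
    vlan: int = 1


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    snooping_vlans: set
    bindings: dict = field(default_factory=dict)  # mac -> (ip, port, vlan)
    _pending: dict = field(default_factory=dict)  # chaddr -> client port seen in REQUEST

    def process(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP frame."""
        if f.vlan not in self.snooping_vlans:
            return "forward"  # snooping not enabled on this VLAN
        trusted = f.in_port in self.trusted_ports

        # Rule 1: server replies are only accepted from trusted ports.
        # This is what kills the rogue server on Fa0/10.
        if f.msg_type in SERVER_MESSAGES and not trusted:
            return "drop: server message on untrusted port"

        # Rule 2: on untrusted ports the Ethernet source must match chaddr,
        # which blocks clients forging DHCP traffic for other hosts.
        if not trusted and f.src_mac != f.chaddr:
            return "drop: source MAC does not match chaddr"

        # Rule 3: a RELEASE is only honoured from the port that holds the lease.
        if f.msg_type == RELEASE and not trusted:
            b = self.bindings.get(f.src_mac)
            if b is None or b[1] != f.in_port:
                return "drop: RELEASE without matching binding on this port"
            del self.bindings[f.src_mac]
            return "forward"

        # Learn the binding: remember the client's port from its REQUEST,
        # then record the lease when the trusted server ACKs it.
        if f.msg_type == REQUEST and not trusted:
            self._pending[f.chaddr] = f.in_port
        if f.msg_type == ACK and f.chaddr in self._pending:
            port = self._pending.pop(f.chaddr)
            self.bindings[f.chaddr] = (f.yiaddr, port, f.vlan)
        return "forward"


def run_lab_scenario():
    """Replay the lab: real server on Fa0/24 (trusted), rogue on Fa0/10."""
    sw = SnoopingSwitch(trusted_ports={"Fa0/24"}, snooping_vlans={1})
    pc, rogue, real = "00aa.bb00.0001", "00cc.dd00.0099", "00ee.ff00.0005"
    frames = [
        DhcpFrame("Fa0/1", pc, DISCOVER, pc),
        DhcpFrame("Fa0/10", rogue, OFFER, pc, yiaddr="192.168.1.200"),  # rogue offer
        DhcpFrame("Fa0/24", real, OFFER, pc, yiaddr="192.168.1.50"),    # real offer
        DhcpFrame("Fa0/1", pc, REQUEST, pc),
        DhcpFrame("Fa0/24", real, ACK, pc, yiaddr="192.168.1.50"),
        DhcpFrame("Fa0/10", rogue, ACK, pc, yiaddr="192.168.1.200"),    # rogue ack
    ]
    verdicts = [sw.process(f) for f in frames]
    return verdicts, sw.bindings


if __name__ == "__main__":
    verdicts, bindings = run_lab_scenario()
    for v in verdicts:
        print(v)
    print("binding table:", bindings)
```

Running it shows both rogue messages dropped while the real OFFER and ACK are forwarded, and the binding table ends up with exactly the lease the real server granted, tied to the client's port, which is the same information show ip dhcp snooping binding reports on the switch.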
Frequently asked questions
Why show the attack before the fix?
Seeing clients actually receive a fake gateway makes the threat concrete — and makes the one-command fix feel as important as it is.
Which ports should be trusted?
Only ports toward legitimate DHCP servers and uplinks carrying DHCP from them — every user-facing port stays untrusted.
What is the binding table used for beyond snooping?
It feeds Dynamic ARP Inspection and IP Source Guard — validating ARP and source IPs against real leases for layered Layer 2 security.
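The following Python sketch shows how those two consumers use the binding table. It is an added example, not part of the lab page or Cisco IOS: the binding table, port names and packets are constructed to mirror the lab's two PCs, and the checks are simplified versions of what Dynamic ARP Inspection (ip arp inspection vlan 1 / ip arp inspection trust) and IP Source Guard (ip verify source, optionally with port-security for the MAC check) do on the switch.

```python
"""How DAI and IP Source Guard consult the DHCP snooping binding table.

Added example (not from the lab page or Cisco IOS). BINDINGS is a
constructed table mirroring the two lab PCs after a clean renew.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed: what `show ip dhcp snooping binding` might list in the lab
BINDINGS = (
    Binding("00aa.bb00.0001", "192.168.1.50", 1, "Fa0/1"),
    Binding("00aa.bb00.0002", "192.168.1.51", 1, "Fa0/2"),
)
DAI_TRUSTED = {"Fa0/24"}        # ports with `ip arp inspection trust` (assumed)
IPSG_PORTS = {"Fa0/1", "Fa0/2"}  # ports with `ip verify source` (assumed)


def _bindings_on(port, vlan):
    return [b for b in BINDINGS if b.port == port and b.vlan == vlan]


def dai_check(in_port, vlan, sender_mac, sender_ip):
    """DAI: the ARP sender MAC/IP pair must match a lease learned on that port.

    A host answering ARP for an address it never leased (for example the
    gateway's) is denied, which is how DAI stops ARP poisoning.
    """
    if in_port in DAI_TRUSTED:
        return "permit (trusted port)"
    for b in _bindings_on(in_port, vlan):
        if b.mac == sender_mac and b.ip == sender_ip:
            return "permit"
    return "deny: ARP sender pair not in binding table for this port"


def ipsg_check(in_port, vlan, src_mac, src_ip, verify_mac=False):
    """IPSG: the IP source of a frame must match a lease on the ingress port.

    verify_mac=False models plain `ip verify source` (IP only);
    verify_mac=True models the port-security variant that also ties the MAC.
    """
    if in_port not in IPSG_PORTS:
        return "permit (IPSG not enabled on port)"
    for b in _bindings_on(in_port, vlan):
        if b.ip == src_ip and (not verify_mac or b.mac == src_mac):
            return "permit"
    return "deny: source not in binding table for this port"


def run_demo():
    """Constructed packets: verdicts the switch would give for each."""
    return {
        "legit_arp": dai_check("Fa0/1", 1, "00aa.bb00.0001", "192.168.1.50"),
        "gateway_claim_arp": dai_check("Fa0/2", 1, "00aa.bb00.0002", "192.168.1.1"),
        "lease_moved_to_other_port": dai_check("Fa0/2", 1, "00aa.bb00.0001", "192.168.1.50"),
        "legit_ip": ipsg_check("Fa0/1", 1, "00aa.bb00.0001", "192.168.1.50"),
        "forged_src_ip": ipsg_check("Fa0/1", 1, "00aa.bb00.0001", "192.168.1.5"),
        "mac_mismatch_strict": ipsg_check("Fa0/2", 1, "00aa.bb00.0009", "192.168.1.51", verify_mac=True),
        "server_port_no_ipsg": ipsg_check("Fa0/24", 1, "00ee.ff00.0005", "192.168.1.5"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} {verdict}")
```

Both checks scope the lookup to the ingress port and VLAN, so a valid lease cannot be replayed from a different port, and both are only as good as the binding table beneath them: if snooping is misconfigured (a user port marked trusted, or the VLAN missing), DAI and IPSG inherit the gap.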
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.