The Lab Exercise
Many cybersecurity attacks abuse established protocols such as DHCP and ARP to learn information about a network and to disrupt it. Two switch features, DHCP Snooping and Dynamic ARP Inspection (DAI), prevent attacks based on DHCP and ARP, respectively. Both use a similar configuration model: enable the feature in a VLAN, then mark each switch port as either trusted or untrusted.
DAI relies on a list of valid IP/MAC address pairs. The list includes IP/MAC address pairs considered to be legitimate in the subnet. DAI then monitors incoming ARP messages on untrusted ports, comparing the ARP messages to the table of legitimate address pairs and filtering the messages that do not conform to the entries in the table.
DAI uses a table built by DHCP Snooping or by ARP ACLs. For this lab, configure DHCP Snooping correctly, which causes DHCP Snooping to create a table called the DHCP Snooping Binding Table. This table lists the IP/MAC address pairs for any host that successfully leased an IP address. Then also configure DAI so that it uses the DHCP Snooping Binding table to make its decisions.

For this lab, take these specific steps.
- Configure DHCP Snooping as follows:
  - Enable DHCP Snooping in VLAN 10.
  - Switch SW1 operates as a layer 2 switch, not a layer 3 switch, so disable the insertion of DHCP Option 82 headers.
  - Configure (or use the default) so each switch port is either trusted or untrusted for DHCP Snooping.
- Configure DAI as follows:
  - Enable DAI in VLAN 10.
  - Analyze the devices attached to the switch and ask yourself: Which devices will have entries in the DHCP Snooping Binding Table? Then, make a note of those devices and switch ports.
  - Configure (or use the default) so each switch port is either trusted or untrusted for DAI.
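To make the two trust decisions concrete, here is an added Python model of how DHCP Snooping populates the binding table and how DAI then judges each ARP message on an untrusted port; it is not part of the lab or its supplied CPT/CML files, and because the figure is not reproduced here the port-to-device mapping and the MAC addresses are assumed.

```python
# Constructed topology assumptions for SW1, VLAN 10 (the lab figure is not
# reproduced here, so the port-to-device mapping and MACs are hypothetical):
#   Fa0/1 PC1 (DHCP client), Fa0/2 PC2 (DHCP client),
#   Fa0/3 DHCP server 172.16.10.9 (static), Gi0/1 R1 172.16.10.1 (static)
DHCP_TRUSTED = {"Fa0/3"}            # only the server-facing port
DAI_TRUSTED = {"Fa0/3", "Gi0/1"}    # static hosts never get a binding entry

# Constructed DHCP server messages as seen by DHCP Snooping:
# (ingress port, message type, client IP, client MAC)
DHCP_EVENTS = [
    ("Fa0/3", "ACK", "172.16.10.101", "0200.0000.0a01"),  # PC1's lease
    ("Fa0/3", "ACK", "172.16.10.102", "0200.0000.0a02"),  # PC2's lease
    ("Fa0/2", "ACK", "172.16.10.150", "0200.0000.0a02"),  # server msg on untrusted port
]

def build_bindings(events, trusted=DHCP_TRUSTED):
    """DHCP Snooping Binding Table: one (IP, MAC) entry per lease confirmed
    by a server ACK. Server messages on untrusted ports are dropped."""
    table = set()
    for port, msg_type, ip, mac in events:
        if msg_type in ("OFFER", "ACK") and port not in trusted:
            continue                      # dropped by DHCP Snooping
        if msg_type == "ACK":
            table.add((ip, mac))
    return table

def dai_check(port, sender_ip, sender_mac, bindings, trusted=DAI_TRUSTED):
    """Return 'forward' or 'drop' as DAI would for one ARP message whose
    sender protocol/hardware addresses are sender_ip/sender_mac."""
    if port in trusted:
        return "forward"                  # trusted ports are not inspected
    if (sender_ip, sender_mac) in bindings:
        return "forward"                  # sender pair matches a DHCP lease
    return "drop"                         # untrusted port, no matching binding

def run_samples():
    """Apply DAI to constructed ARP messages; returns the list of verdicts."""
    bindings = build_bindings(DHCP_EVENTS)
    arps = [
        ("Fa0/1", "172.16.10.101", "0200.0000.0a01"),  # PC1, matches its lease
        ("Fa0/2", "172.16.10.1", "0200.0000.0a02"),    # sender IP is R1's, not PC2's lease
        ("Gi0/1", "172.16.10.1", "0200.0000.0001"),    # R1, trusted port
    ]
    verdicts = [dai_check(*a, bindings) for a in arps]
    # R1 has no binding, so had Gi0/1 been left untrusted its ARP would drop:
    verdicts.append(dai_check(*arps[2], bindings, trusted=set()))
    return verdicts
```

The last verdict is the point of the "which devices have binding entries" step: any host with a static address must sit on a DAI-trusted port, or DAI will discard its ARP traffic.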
Initial Configurations
The initial configuration on switch SW1 places all four of its ports into the same VLAN (VLAN 10). In addition, the router has an IP address configured on its LAN interface (G0/0) so that it can ping the DHCP server’s address on the LAN. The router should also be able to ping the client PCs once they lease an IP address.
hostname SW1
!
vlan 10
!
interface range FastEthernet0/1-3
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast

Example 1: SW1 Config
hostname R1
!
interface GigabitEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2/0
 ip address 172.16.12.1 255.255.255.0
 no shutdown
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0

Example 2: R1 Config
The PCs each act as a DHCP client, expecting to lease an IP address and learn the mask and default gateway settings from the DHCP server. You can assume the DHCP server shown in the figure works. However, to be complete, Example 3 shows the IOS DHCP server configuration that you could use to support this lab. (The CPT and CML files supplied with this lab use this same configuration.)
hostname DHCP_Server
!
ip dhcp excluded-address 172.16.10.1 172.16.10.100
!
ip dhcp pool subnet1
 network 172.16.10.0 255.255.255.0
 dns-server 172.16.10.9
 default-router 172.16.10.1
 domain-name example.com
!
interface GigabitEthernet0/0
 ip address 172.16.10.9 255.255.255.0
 no shutdown
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

Example 3: DHCP Server (IOS Router)