/
Sign up to Ping Labz!
Already have an account? Sign in
Labs

Lab sec-05 - DHCP Snooping and Dynamic ARP Inspection

J
3 min read
Lab sec-05 - DHCP Snooping and Dynamic ARP Inspection
Table of Contents

DHCP snooping watches DHCP traffic on a switch and builds a binding table of legitimate IP-MAC-port mappings. Dynamic ARP Inspection (DAI) uses that binding table to verify ARP packets: if an ARP claims an IP that does not match a snooping entry, the ARP is dropped. Together they stop DHCP starvation attacks, rogue DHCP servers, and ARP poisoning. This lab configures both on SW1.

What you will learn

  • The DHCP snooping binding table - what it tracks and how
  • Trusted vs untrusted ports
  • Configuring DAI to verify ARPs against the binding table
  • How to read show ip dhcp snooping and show ip arp inspection

What this lab does NOT cover

  • IP Source Guard (related feature, builds on DHCP snooping)
  • Static DHCP snooping bindings for hosts with manual IPs

Topology

Download the CCNA Base Topology .yaml

3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch + 1 unmanaged switch.

Download CCNA Base Topology

Written by

J

View all posts
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.