Topic

DHCP Snooping practice labs

7 hands-on DHCP Snooping scenarios you build in your own Cisco Modeling Labs instance and grade against the answer key. Focused DHCP Snooping configuration and troubleshooting practice for CCNA and CCNP.

AdvancedUnlock

L2 Security Troubleshooting Capstone: Trust Boundary

Advanced CCNP Layer-2 security troubleshooting on a single access switch. Diagnose and correct an inverted trust boundary that breaks DHCP and ARP validation: DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled for VLAN 10, but the uplink is not trusted for DHCP and a host port is incorrectly trusted for ARP. Use show commands to find the issues, fix the trust boundary, and restore client connectivity without changing router/host configs.

Track
CCNA
Duration
55 min
AdvancedUnlock

Dynamic ARP Inspection — Validation Checks

Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.

Track
CCNA
Duration
25 min
IntermediateUnlock

Errdisable Recovery for L2 Security

CCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.

Track
CCNA
Duration
35 min
IntermediateUnlock

DHCP Snooping Rate Limiting

Harden the Layer-2 access edge by rate-limiting DHCP messages on untrusted ports. SW1 already has DHCP snooping enabled for VLAN 10 with the uplink trusted. Your task is to apply a per-interface rate limit on the host-facing access ports to blunt DHCP starvation attacks while leaving the trusted uplink unlimited.

Track
CCNA
Duration
30 min
BeginnerUnlock

DHCP Snooping Trust Boundary

Harden the Layer-2 access edge by enabling DHCP Snooping on a single access switch and placing the trust boundary only toward the legitimate DHCP server/gateway. Validate with show commands and end-host connectivity.

Track
CCNA
Duration
30 min
AdvancedUnlock

Defense in Depth: DHCP Snooping + DAI

Harden the Layer-2 access edge by deploying a unified trust boundary for DHCP Snooping and Dynamic ARP Inspection (DAI) on a single access switch. R1 is both the default gateway and DHCP server for VLAN 10. You will enable DHCP Snooping and DAI globally for VLAN 10 and set the same uplink interface as trusted for both features, leaving host-facing access ports untrusted. This lab emphasizes the dependency and synergy between DHCP Snooping and DAI for blocking rogue DHCP/ARP activity. Grade scope: SW1 config only.

Track
CCNA
Duration
40 min
IntermediateUnlock

Dynamic ARP Inspection

Harden the Layer-2 access edge by enabling Dynamic ARP Inspection (DAI) on a single access switch. DHCP Snooping is already in place and the uplink toward the DHCP server/gateway is trusted. Your job: enable DAI for VLAN 10 and trust the uplink so ARP on host-facing ports is validated against the DHCP Snooping bindings.

Track
CCNA
Duration
35 min

Looking for something else? Browse the full lab archive or see today's daily lab.