What are Labs?
Lab questions are practical, hands-on tasks where candidates configure or troubleshoot a network device (such as a router or switch) in a simulated environment.
These questions simulate a CLI (Command-Line Interface) of Cisco devices.
You interact with it through commands exactly as on a real device, for example to configure interfaces, VLANs, or routing protocols.
Tasks and Grading:
- The task will specify a problem to solve or a configuration to complete.
- Candidates are graded on their ability to achieve the desired outcome, not necessarily on the exact sequence of commands.
- Grading is typically automated and based on the correctness of the configuration or troubleshooting.
- Partial credit may be awarded for partially completed tasks, depending on the Lab.
Lab Topics:
These are the topics of Labs currently included in 200-301 CCNA v1.1
1.0 Network Fundamentals
1.6 Configure and verify IPv4 addressing and subnetting
1.8 Configure and verify IPv6 addressing and prefix
2.0 Network Access
2.1 Configure and verify VLANs (normal range) spanning multiple switches
- 2.1.a Access ports (data and voice)
- 2.1.b Default VLAN
- 2.1.c InterVLAN connectivity
2.2 Configure and verify interswitch connectivity
- 2.2.a Trunk ports
- 2.2.b 802.1Q
- 2.2.c Native VLAN
2.3 Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP)
2.4 Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)
3.0 IP Connectivity
3.3 Configure and verify IPv4 and IPv6 static routing
- 3.3.a Default route
- 3.3.b Network route
- 3.3.c Host route
- 3.3.d Floating static
3.4 Configure and verify single area OSPFv2
- 3.4.a Neighbor adjacencies
- 3.4.b Point-to-point
- 3.4.c Broadcast (DR/BDR selection)
- 3.4.d Router ID
4.0 IP Services
4.1 Configure and verify inside source NAT using static and pools
4.2 Configure and verify NTP operating in a client and server mode
4.6 Configure and verify DHCP client and relay
5.0 Security Fundamentals
5.3 Configure and verify device access control using local passwords
5.6 Configure and verify access control lists
5.7 Configure and verify Layer 2 security features:
- DHCP snooping
- Dynamic ARP inspection
- Port security
We have grouped similar and related topics together in our Labs.
Study Tips:
- Master the Concepts First: Focus on understanding the core networking principles before diving into practice. A strong foundation will make configurations much easier.
- Choose the Right Study Material: Use a trusted resource like the CCNA 200-301 Official Cert Guide Library by Wendell Odom to deepen your knowledge.
- Practice Labs Daily: Dedicate time to practicing at least one Lab daily using our site. Our labs are designed to cover every possible configuration topic in the 200-301 CCNA v1.1, giving you the confidence to excel.
- Test Your Knowledge: Complete the quizzes at the end of each topic. Aim to score 100% on these to ensure you've solidified your understanding. Every correct answer brings you closer to success!
- Refine Your Efficiency: Revisit labs regularly to sharpen your skills. Strive to complete each Lab within 7–10 minutes, as time management is critical during the exam.
Keep Practicing and Stay Determined! Every step you take brings you closer to achieving your CCNA certification. You've got this, good luck!
Packet Tracer Activity Files:
Our labs include packet tracer activity files that track your progress as you configure the network. Here’s a short guide on how to use them.
- Download the Zip file by clicking the download button at the end of the sim.
- Unzip the file and open the .pka file.
- Complete all tasks of the lab.
- A Completion percentage at the bottom will show your progress.
- You need to save your configuration on all the devices to get it to 100%.
- Once done, click the ‘Check Results’ button at the bottom of the dialog.
How to download Cisco’s Packet Tracer
You’ll need to download the free Cisco Packet Tracer software from the Cisco Networking Academy website. Follow these simple steps:
- Visit https://www.netacad.com/.
- Sign up or log in if you already have an account.
- Navigate to https://www.netacad.com/resources/lab-downloads?courseLang=en-US to download and install the Cisco Packet Tracer for your operating system.
Overview:
An IP address allows devices to communicate over a network. Each device in a network is assigned a unique identifier called an IP address. IP addresses can be classified into two versions:
- IPv4: A 32-bit address written in dotted decimal format (e.g., 192.168.1.1).
- IPv6: A 128-bit address written in hexadecimal notation separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
IP addresses are divided into:
- Network Address: Identifies the network.
- Host Address: Identifies the device within the network.
Subnetting
Subnetting divides a large network into smaller, manageable sub-networks (subnets). This is done by extending the network portion of an IP address using a subnet mask.
Default Subnet Masks:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0
CIDR (Classless Inter-Domain Routing) is commonly used to represent subnets in the format /n (e.g., 192.168.1.0/24).
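Worked example (added here, not part of the original lab material): a small Python helper built on the standard ipaddress module that computes the values a subnetting task asks for (mask, wildcard, broadcast, usable host range), splits a block into equal subnets, and renders the interface command shown below. Every address used in the demo is made up.

```python
import ipaddress

def subnet_summary(cidr: str) -> dict:
    """Facts a subnetting task asks for, from an address or network in CIDR form.

    strict=False lets a host address such as 192.168.1.130/26 be passed in;
    the network it belongs to is derived from the prefix length.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    info = {
        "version": net.version,
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "num_addresses": net.num_addresses,
    }
    if net.version == 6:
        # IPv6 has no broadcast address; the compressed form is what IOS displays
        info["compressed"] = net.compressed
        return info
    info["mask"] = str(net.netmask)
    info["wildcard"] = str(net.hostmask)  # inverse mask used by ACLs and OSPF network statements
    info["broadcast"] = str(net.broadcast_address)
    if net.prefixlen <= 30:
        # the network and broadcast addresses are not assignable to hosts
        info["first_host"] = str(net.network_address + 1)
        info["last_host"] = str(net.broadcast_address - 1)
        info["usable_hosts"] = net.num_addresses - 2
    else:
        # /31 point-to-point links and /32 host routes use every address
        info["first_host"] = str(net.network_address)
        info["last_host"] = str(net.broadcast_address)
        info["usable_hosts"] = net.num_addresses
    return info

def split_subnets(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal subnets, e.g. a /24 into four /26s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]

def same_subnet(a_cidr: str, b_cidr: str) -> bool:
    """True when two interface addresses share a subnet (a precondition for neighbors to talk)."""
    return ipaddress.ip_interface(a_cidr).network == ipaddress.ip_interface(b_cidr).network

def ios_address_command(addr_cidr: str) -> str:
    """Render the 'ip address' / 'ipv6 address' interface command for an address in CIDR form."""
    iface = ipaddress.ip_interface(addr_cidr)
    if iface.version == 4:
        return f"ip address {iface.ip} {iface.netmask}"
    return f"ipv6 address {iface.ip}/{iface.network.prefixlen}"

if __name__ == "__main__":
    # constructed sample inputs
    for cidr in ("192.168.1.130/26", "10.0.0.1/31", "2001:0db8:85a3:0000:0000:8a2e:0370:7334/64"):
        print(cidr, subnet_summary(cidr))
    print(split_subnets("192.168.1.0/24", 26))
    print(ios_address_command("192.168.1.1/24"), "|", ios_address_command("2001:db8::1/64"))
```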
Some Useful Commands to remember:
Assigning an IP Address to an Interface:
Router(config)# interface <interface_id>
Router(config-if)# ip address <ip_address> <subnet_mask>
Assigns IPv4 address to the interface.
Router(config-if)# ipv6 address <ip_address>/<prefix length>
Assigns IPv6 address to the interface.
Router(config-if)# no shutdown
Enables the interface (shutdown disables it).
Viewing IP Configuration:
Router# show ip interface brief
Displays a summary of IP addresses and interface status.
Router# show running-config
Shows the current configuration, including IP addresses on interfaces.
Testing Connectivity:
Router# ping <ip_address>
Verifies connectivity with a specific IP address.
Router# traceroute <ip_address>
Displays the path packets take to reach the destination.
Overview:
Virtual Local Area Networks (VLANs) and trunking are used to logically segment networks and facilitate communication between these segments.
VLAN (Virtual Local Area Network)
A VLAN is a logical grouping of devices in a LAN (Local Area Network) that are treated as if they are on the same physical network, even if they are spread across different physical devices or locations. VLANs allow network segmentation to improve performance, enhance security, and simplify management.
VLANs Types:
- Default VLAN: VLAN 1 is used as default VLAN on Cisco switches; used for management traffic by default.
- Reserved VLANs: VLAN 1001 – 1005 are reserved for various protocols.
- Other VLANs: Custom VLANs (e.g., VLAN 10, VLAN 20) can be created for user traffic.
Trunking
A trunk is a point-to-point link between network devices (usually switches or routers) that carries traffic for multiple VLANs. Trunking enables inter-VLAN communication across a network.
Trunking Protocols:
ISL: A Cisco proprietary protocol; not used in modern networks.
IEEE 802.1Q: The standard protocol used for VLAN tagging on trunk links. It adds a 4-byte VLAN tag to Ethernet frames to identify the VLAN.
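Added example (not from the original page): building and decoding the 4-byte 802.1Q tag described above, then modelling what a trunk does on egress (native VLAN untagged, everything else tagged) and ingress (untagged frames land in the native VLAN, disallowed VLANs are dropped). The sample frame and MAC addresses are constructed; the last function shows why a native VLAN mismatch quietly moves frames between VLANs.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame; 'vid' is None when the frame carries no tag."""
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vid": None, "pcp": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    body = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        info["vid"], info["pcp"] = tci & 0x0FFF, tci >> 13
        (ethertype,) = struct.unpack("!H", frame[16:18])
        body = 18
    info["ethertype"], info["payload"] = ethertype, frame[body:]
    return info

def trunk_egress(frame: bytes, vid: int, native_vlan: int) -> bytes:
    """A trunk sends native-VLAN frames untagged and tags everything else."""
    return frame if vid == native_vlan else tag_frame(frame, vid)

def trunk_ingress(wire_frame: bytes, native_vlan: int, allowed: set) -> tuple:
    """A trunk assigns untagged frames to its native VLAN and drops VLANs not in the allowed list."""
    vid = parse_frame(wire_frame)["vid"]
    if vid is None:
        vid = native_vlan
    return ("forward" if vid in allowed else "drop", vid)

def deliver_over_trunk(frame: bytes, vid: int, sender_native: int,
                       receiver_native: int, allowed: set) -> tuple:
    """End-to-end: which VLAN a frame lands in on the far switch.

    With mismatched native VLANs, a frame sent untagged for VLAN sender_native is
    placed into receiver_native on the other side, crossing the VLAN boundary without
    any tag ever being present. That is why the native VLAN must match on both ends.
    """
    return trunk_ingress(trunk_egress(frame, vid, sender_native), receiver_native, allowed)

# Constructed sample: broadcast destination, made-up source MAC, IPv4 EtherType, dummy payload
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455") + struct.pack("!H", ETHERTYPE_IPV4) + b"payload"

if __name__ == "__main__":
    print(parse_frame(tag_frame(SAMPLE_FRAME, 10, pcp=3)))
    print(deliver_over_trunk(SAMPLE_FRAME, 1, sender_native=1, receiver_native=99, allowed={1, 10, 99}))
```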
Some Useful Commands to remember:
VLAN Configuration Commands:
Creating and Naming a VLAN:
Switch(config)# vlan <vlan_id>
Switch(config-vlan)# name <vlan_name>
Assigning an Interface to a VLAN:
Switch(config)# interface <interface_id>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <vlan_id>
Verifying VLAN Configuration:
Switch# show vlan brief
Trunk Configuration Commands:
Configuring a Trunk Port:
Switch(config)# interface <interface_id>
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan <vlan_id_range>
Setting the Native VLAN (Untagged Traffic):
Switch(config-if)# switchport trunk native vlan <vlan_id>
Verifying Trunk Configuration:
Switch# show interfaces trunk
Overview:
Link Aggregation Control Protocol (LACP) is a standardized protocol (defined in IEEE 802.3ad) that combines multiple physical links into a single logical link to provide redundancy and increase bandwidth. This process is called EtherChannel on Cisco devices.
Modes of LACP
LACP has two modes:
- Active: Actively initiates LACP negotiations.
- Passive: Waits for the other side to initiate the negotiation.
Key Rule:
LACP aggregation occurs only when:
- One side is active and the other is active or passive.
- Two passive sides will not form a link aggregation.
Some Useful Commands to remember:
LACP Configuration:
Configuring the Physical Interfaces to form the EtherChannel.
Switch(config)# interface range <f0/1 - 3>
Switch(config-if-range)# channel-group <group_number> mode {active | passive}
Configuring the EtherChannel interface:
Switch(config)# interface port-channel <group number>
Verification and Troubleshooting:
Verify LACP Configuration.
Switch# show etherchannel
View Detailed LACP Information.
Switch# show lacp neighbor
Check EtherChannel Status.
Switch# show interfaces port-channel <channel_number>
Debug LACP Issues.
Switch# debug lacp events
Overview:
Cisco Discovery Protocol (CDP):
CDP is a Cisco proprietary Layer 2 protocol used to share information about directly connected Cisco devices, such as device ID, IP address, port details, and device capabilities.
Link Layer Discovery Protocol (LLDP):
LLDP is a vendor-neutral Layer 2 protocol standardized in IEEE 802.1AB. It is used to discover and advertise information between adjacent devices, such as device type, software version, and management IP.
Modes of Operation:
- CDP: Enabled globally and on interfaces by default on Cisco devices.
- LLDP: Must be enabled explicitly on Cisco devices as it is disabled by default.
Key Rules:
- CDP works only on Cisco devices.
- LLDP allows interoperability between different vendors.
- If CDP or LLDP is disabled globally on a device, it can’t be enabled on a specific interface.
Some Useful Commands to remember:
CDP Configuration:
Enable/Disable CDP globally:
Switch(config)# cdp run
Switch(config)# no cdp run
Enable/Disable CDP on specific interfaces:
Switch(config)# interface <interface_id>
Switch(config-if)# cdp enable
Switch(config-if)# no cdp enable
LLDP Configuration:
Enable/Disable LLDP globally:
Switch(config)# lldp run
Switch(config)# no lldp run
Enable/Disable LLDP on specific interfaces:
Switch(config)# interface <interface_id>
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# no lldp transmit
Switch(config-if)# no lldp receive
Verification and Troubleshooting:
Verify CDP Neighbors:
Switch# show cdp neighbors
View Detailed CDP Neighbor Information:
Switch# show cdp neighbors detail
Verify LLDP Neighbors:
Switch# show lldp neighbors
View Detailed LLDP Neighbor Information:
Switch# show lldp neighbors detail
Overview:
Static routing is a routing method where routes are manually added to the routing table by an administrator. Static routes provide simple, predictable, and secure routing solutions for small networks.
Key Features:
- Requires manual configuration and management.
- Does not dynamically adapt to network topology changes.
- Suitable for small, stable networks or specific routing paths.
- Has an administrative distance (AD) of 1, making it preferred over dynamic routes.
Default Route:
A default route is a static route that directs packets for unknown destinations. If a destination is not present in a router's routing table, it will forward the traffic through the default route.
Floating static route:
A floating static route is a static route that is configured with an Administrative Distance (AD) higher than the primary route and serves as a backup route. It is only used when the primary route is unavailable.
Some Useful Commands to remember:
Static Route Configuration:
Configure a static route:
Router(config)# ip route <destination_network> <subnet_mask> <next_hop_ip>
Configure a static route with an exit interface:
Router(config)# ip route <destination_network> <subnet_mask> <exit_interface>
Configure a floating static route (with a higher AD for backup purposes):
Router(config)# ip route <destination_network> <subnet_mask> <next_hop_ip> <administrative_distance>
Default Route Configuration:
Router(config)# ip route 0.0.0.0 0.0.0.0 <next_hop_ip>
OR
Router(config)# ip route 0.0.0.0 0.0.0.0 <exit-interface>
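Added example (not part of the original page): a Python model of how the routes above compete in the routing table. It installs, per prefix, the reachable candidate with the lowest administrative distance, so a floating static stays out until the primary fails, and resolves destinations by longest-prefix match, so a host route beats a network route, which beats the default route. The routers, next hops and prefixes are constructed; each route also renders its own ip route command.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class StaticRoute:
    prefix: str              # "0.0.0.0/0" is the default route; a /32 is a host route
    next_hop: str            # next-hop IP (an exit interface would play the same role here)
    ad: int = 1              # static routes default to AD 1; a higher AD makes a floating static
    reachable: bool = True   # whether the next hop is currently usable

    def ios_command(self) -> str:
        """The 'ip route' line for this route, with the AD only when it is non-default."""
        net = ipaddress.ip_network(self.prefix)
        cmd = f"ip route {net.network_address} {net.netmask} {self.next_hop}"
        return cmd if self.ad == 1 else f"{cmd} {self.ad}"

# Constructed lab routes: primary and floating default, a network route and a host route
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1"),           # default via ISP A
    StaticRoute("0.0.0.0/0", "198.51.100.1", ad=250),  # floating default via ISP B
    StaticRoute("10.2.0.0/16", "192.168.1.2"),         # network route
    StaticRoute("10.2.5.9/32", "192.168.1.3"),         # host route to a single server
]

def install(routes: list) -> dict:
    """Routing table = per prefix, the reachable candidate with the lowest AD.
    The floating static is kept out of the table while the primary is up."""
    table = {}
    for r in routes:
        if not r.reachable:
            continue
        current = table.get(r.prefix)
        if current is None or r.ad < current.ad:
            table[r.prefix] = r
    return table

def lookup(table: dict, destination: str):
    """Longest-prefix match: the host route beats the network route, which beats the default."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if dest in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

def next_hop_for(destination: str, primary_isp_up: bool = True) -> str:
    """Resolve the next hop, optionally simulating loss of the primary ISP link."""
    routes = [replace(r, reachable=False) if (r.next_hop == "203.0.113.1" and not primary_isp_up) else r
              for r in ROUTES]
    route = lookup(install(routes), destination)
    return route.next_hop if route else "no route"

if __name__ == "__main__":
    for r in ROUTES:
        print(r.ios_command())
    for dest in ("10.2.5.9", "10.2.7.7", "8.8.8.8"):
        print(dest, "->", next_hop_for(dest), "| ISP A down ->", next_hop_for(dest, primary_isp_up=False))
```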
Verification and Troubleshooting:
View the Routing Table:
Router# show ip route
Trace the Route to the Destination:
Router# traceroute <destination_ip>
Ping the Destination Network:
Router# ping <destination_ip>
Debug IP Routing Issues:
Router# debug ip routing
Overview:
OSPF is a dynamic routing protocol used in IP networks. It is an open standard protocol defined by RFC 2328 and operates using link-state routing. OSPF calculates the shortest path to each destination using the Dijkstra Shortest Path First (SPF) algorithm.
Characteristics:
- Uses cost as the metric to calculate the shortest path to the destination, which is inversely proportional to bandwidth. Default reference bandwidth: 100 Mbps. Cost = Reference Bandwidth / Interface Bandwidth
- Requires neighbors to form adjacencies and exchange LSAs (Link-State Advertisements).
- Supports VLSM (Variable Length Subnet Masking) and CIDR (Classless Inter-Domain Routing).
- Has a default administrative distance (AD) of 110.
Key rules for OSPF adjacencies:
- Area ID must be the same on the routers.
- Interfaces must be in the same subnet.
- Router IDs must be unique.
- Hello and Dead timers must match.
- Authentication settings must match.
- IP MTU settings must match.
- OSPF network type must match.
Types of OSPF Networks
- Broadcast (Default on Ethernet):
- Supports multiple routers on the same subnet.
- Elects a DR (Designated Router) and BDR (Backup Designated Router).
- Hello Interval: 10 seconds, Dead Interval: 40 seconds.
- Point-to-Multipoint:
- Treats each connection as a point-to-point link.
- Does not elect DR/BDR.
- Hello Interval: 30 seconds, Dead Interval: 120 seconds.
- Point-to-Point:
- Forms a direct connection between two routers.
- No DR/BDR election.
- Hello Interval: 10 seconds, Dead Interval: 40 seconds.
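Added illustration (not from the original page): the cost formula above carried through Dijkstra's SPF on a constructed three-router topology. R1, R2, R3 and the link speeds are assumptions. It shows why the default 100 Mbps reference bandwidth gives FastEthernet and GigabitEthernet the same cost, so SPF picks the slower direct link, and how auto-cost reference-bandwidth 10000 changes the chosen path.

```python
import heapq

DEFAULT_REFERENCE_BW_MBPS = 100  # IOS default; "auto-cost reference-bandwidth" changes it

def ospf_cost(interface_bw_mbps: float, reference_bw_mbps: float = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Cost = reference bandwidth / interface bandwidth, truncated, never below 1.

    Anything faster than the reference bandwidth collapses to cost 1, which is the
    pitfall with the 100 Mbps default on gigabit links.
    """
    return max(1, int(reference_bw_mbps // interface_bw_mbps))

def spf(links: dict, source: str) -> dict:
    """Dijkstra over {router: {neighbor: cost}}; returns {router: (total_cost, path)}."""
    best = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nbr, link_cost in links[node].items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, best[node][1] + [nbr])
                heapq.heappush(heap, (new_cost, nbr))
    return best

def build_topology(reference_bw_mbps: float) -> dict:
    """Constructed lab: R1-R3 direct over FastEthernet (100 Mbps);
    R1-R2 and R2-R3 over GigabitEthernet (1000 Mbps)."""
    bandwidth = {("R1", "R3"): 100, ("R1", "R2"): 1000, ("R2", "R3"): 1000}
    links = {r: {} for r in ("R1", "R2", "R3")}
    for (a, b), mbps in bandwidth.items():
        cost = ospf_cost(mbps, reference_bw_mbps)
        links[a][b] = cost
        links[b][a] = cost
    return links

def best_path(reference_bw_mbps: float, src: str = "R1", dst: str = "R3") -> tuple:
    """(total cost, path) that OSPF would choose between src and dst for a given reference bandwidth."""
    return spf(build_topology(reference_bw_mbps), src)[dst]

if __name__ == "__main__":
    print("default reference 100 Mbps :", best_path(100))    # direct FastEthernet wins on a tie
    print("reference 10000 Mbps       :", best_path(10000))  # two gigabit hops are now cheaper
```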
Useful Commands to remember:
OSPF Configuration:
Enable OSPF and Assign a Process ID:
Router(config)# router ospf <process_id>
Advertise Networks into OSPF:
Router(config-router)# network <network_address> <wildcard_mask> area <area_id>
Configure the OSPF Router ID:
Router(config-router)# router-id <router_id>
Enable OSPF on a specific interface
Router(config)# interface <interface id>
Router(config-if)# ip ospf <process id> area <area_id>
Modify reference bandwidth for higher-speed interfaces:
Router(config-router)# auto-cost reference-bandwidth <value_in_mbps>
Set interface-specific OSPF cost:
Router(config)# interface <interface id>
Router(config-if)# ip ospf cost <value>
Change OSPF Network Type:
Router(config-if)# ip ospf network <network_type>
Prevent OSPF hello packets on specific interfaces:
Router(config-router)# passive-interface <interface_id>
Make all interfaces passive by default:
Router(config-router)# passive-interface default
Change Hello and Dead Timers on an Interface:
Router(config)# interface <interface_id>
Router(config-if)# ip ospf hello-interval <seconds>
Router(config-if)# ip ospf dead-interval <seconds>
Reset OSPF process:
Router# clear ip ospf process
Verification and Troubleshooting:
Check OSPF Neighbors:
Router# show ip ospf neighbor
View OSPF Routing Table:
Router# show ip route ospf
Show all OSPF Interfaces:
Router# show ip ospf interface brief
Show specific OSPF Interface Details:
Router# show ip ospf interface <interface_id>
Verify OSPF Database:
Router# show ip ospf database
Check OSPF Configuration:
Router# show running-config | section ospf
Debug OSPF Issues:
Router# debug ip ospf events
Router# debug ip ospf adj
Overview:
NAT is used to map private IP addresses to public IP addresses to enable devices within a private network to communicate with external networks, such as the internet. NAT conserves IP addresses and provides a layer of security by hiding internal network addresses.
Types of NAT:
- Static NAT: One-to-one mapping of a private IP address to a public IP address.
- Dynamic NAT: Maps a private IP address to a public IP address from a pool of addresses.
- PAT (Port Address Translation): Also known as NAT Overload, it maps multiple private IP addresses to a single public IP address using different ports.
Commands for NAT Configuration:
Static NAT Configuration:
Bind a private IP address (Inside local) to a public IP address (Inside global):
Router(config)# ip nat inside source static <inside_local_ip> <inside_global_ip>
Configure private network interface as inside interface:
Router(config)# interface <interface_id>
Router(config-if)# ip nat inside
Configure public network interface as outside interface:
Router(config)# interface <interface_id>
Router(config-if)# ip nat outside
Dynamic NAT Configuration:
Define a pool of public IPs:
Router(config)# ip nat pool <pool_name> <start_ip> <end_ip> netmask <subnet_mask>
Define the access list to match internal traffic for translation:
Router(config)# access-list <acl_number> permit <source_network> <wildcard_mask>
Bind the pool to the access list:
Router(config)# ip nat inside source list <acl_number> pool <pool_name>
PAT (NAT Overload) Configuration:
Configure PAT to translate traffic matching ACL with interface IP:
Router(config)# ip nat inside source list <acl_number> interface <interface_id> overload
Verification and Troubleshooting:
Verify NAT Translations:
Router# show ip nat translations
Network Time Protocol (NTP)
NTP is used to synchronize the clocks of network devices to a reference time source. Accurate time synchronization is critical for logging, security, and troubleshooting.
Stratum:
The stratum defines the hierarchical level of a device in the time synchronization process. It indicates the distance of a device from a primary time source, such as an atomic clock or GPS clock.
Key Points About Stratum:
- The stratum level increases by 1 with each hop from the primary source.
- The maximum allowable stratum level in NTP is 15. Devices with stratum 16 are considered unsynchronized.
- A lower stratum number indicates a more accurate and reliable time source.
Commands for NTP Configuration:
Configure a Device as NTP Server:
Router(config)# ntp master [stratum_number]
Configure a Device as NTP client:
Router(config)# ntp server <server_ip>
Configure a Device as NTP peer:
Router(config)# ntp peer <peer_ip_address>
Set the NTP Source Interface:
Router(config)# ntp source <interface_id>
Verification and Troubleshooting:
Check NTP Associations:
Router# show ntp associations
Check NTP Status:
Router# show ntp status
Debug NTP:
Router# debug ntp events
Router# debug ntp packets
Overview:
DHCP is a network protocol that automatically assigns IP addresses, subnet masks, gateways, and other network settings to devices on a network. This simplifies IP address management and reduces manual configuration errors.
DHCP Configuration Components:
- DHCP Server: Provides IP addresses and network configurations to clients.
- DHCP Client: Requests and receives an IP address from the DHCP server.
- DHCP Relay Agent: Forwards DHCP requests between clients and a centralized DHCP server.
Commands for DHCP Configuration:
DHCP Server Configuration Commands:
Define the DHCP pool:
Router(config)# ip dhcp pool <pool_name>
Specify the network and subnet mask for the pool:
Router(dhcp-config)# network <network_address> <subnet_mask>
Specify the default gateway:
Router(dhcp-config)# default-router <gateway_ip>
Specify the DNS server:
Router(dhcp-config)# dns-server <dns_ip>
Specify the domain name:
Router(dhcp-config)# domain-name <domain_name>
Configure Lease Time:
Router(dhcp-config)# lease <days> <hours> <minutes>
Exclude specific IP addresses from being assigned:
Router(config)# ip dhcp excluded-address <start_ip> <end_ip>
Verify and Troubleshoot DHCP Server:
Check the DHCP bindings (leased IPs):
Router# show ip dhcp binding
Check DHCP pool statistics:
Router# show ip dhcp pool
Clear DHCP bindings:
Router# clear ip dhcp binding <ip_address>
DHCP Client and Relay Agent commands:
Configure a DHCP Relay Agent to Forward DHCP requests to a remote DHCP server:
Router(config)# interface <interface_id>
Router(config-if)# ip helper-address <dhcp_server_ip>
Enable a device as a DHCP client (e.g., on a router interface):
Router(config)# interface <interface_id>
Router(config-if)# ip address dhcp
Overview:
Remote access allows administrators to manage and monitor devices from a distance. However, it must be secured to prevent unauthorized access. Device security involves securing physical devices, ensuring proper authentication, and protecting sensitive data on network infrastructure.
Remote Access Protocols (SSH and Telnet)
Telnet:
- A protocol for remote device management using plaintext communication.
- Not secure, as credentials and commands are transmitted unencrypted.
- Use only in isolated environments or for troubleshooting purposes.
SSH (Secure Shell):
- Provides secure remote access by encrypting communication.
- Uses TCP port 22 by default.
- Strongly recommended for remote management.
Commands for Remote Access Configuration:
Enter the Virtual Teletype lines (VTY) configuration mode (Range 0-15):
Router(config)# line vty 0 4
OR
Router(config)# line vty 0 15
Configure remote access via only password:
Router(config-line)# password <password>
Router(config-line)# login
Configure a local user for access (Mandatory for SSH):
Router(config)# username <username> privilege <privilege-lvl> password <password>
Router(config-line)# login local
Set an idle timeout for remote sessions:
Router(config-line)# exec-timeout <minutes> <seconds>
Enable telnet on VTY lines:
Router(config-line)# transport input telnet
SSH Configuration Commands:
Enable a Hostname and Domain Name (Mandatory For SSH keys):
Router(config)# hostname <hostname>
Router(config)# ip domain-name <domain_name>
Generate RSA Keys for SSH:
Router(config)# crypto key generate rsa modulus <modulus size in bits>
OR
Router(config)# crypto key generate rsa general-keys modulus <modulus size in bits>
Enable SSH on VTY lines:
Router(config-line)# transport input ssh
Restrict SSH Version to 2:
Router(config)# ip ssh version 2
Verify SSH configuration:
Router# show ip ssh
Commands for Device Security Configuration:
Configure an Enable Password:
Router(config)# enable password <password>
Configure a minimum password length:
Router(config)# security passwords min-length <length>
Encrypt passwords in the configuration file:
Router(config)# service password-encryption
Secure the Console Port via password only:
Router(config)# line console 0
Router(config-line)# password <password>
Router(config-line)# login
Secure the Console Port via a local user:
Router(config)# line console 0
Router(config-line)# login local
Overview:
Access Control Lists (ACLs) filter network traffic and control access to network devices and resources. ACLs can permit or deny traffic based on criteria such as source/destination IP, protocols, and port numbers.
Types of ACLs:
- Standard ACLs:
- Filter traffic based on the source IP address only.
- Use numbers 1-99 or 1300-1999 (extended range).
- Extended ACLs:
- Filter traffic based on source and destination IP, protocols, and port numbers.
- Use numbers 100-199 or 2000-2699 (extended range).
- Named ACLs:
- Standard or extended ACLs with a descriptive name for easier identification.
Best Practices For ACL Implementation:
- Place Standard ACLs close to the destination to avoid unnecessarily blocking traffic.
- Place Extended ACLs close to the source to prevent unwanted traffic from traversing the network.
- Always end ACLs with an explicit permit or deny:
- By default, ACLs have an implicit deny all at the end.
- Use log options to monitor traffic for troubleshooting.
Commands for ACL Configuration:
Standard ACL Commands:
Create a Standard Numbered ACL and add a permit or deny rule:
Router(config)# access-list <1-99 | 1300-1999> {permit | deny} <source_ip> <wildcard_mask>
Create a Standard Named ACL and add a permit or deny rule:
Router(config)# ip access-list standard <acl_name>
Router(config-std-nacl)# {permit | deny} <source_ip> <wildcard_mask>
Extended ACL Commands:
Create an Extended Numbered ACL and add a permit or deny rule:
Router(config)# access-list <100-199 | 2000-2699> {permit | deny} <protocol> <source_ip> <wildcard_mask> <destination_ip> <wildcard_mask> [eq <port_number>]
Create an Extended Named ACL and add a permit or deny rule:
Router(config)# ip access-list extended <acl_name>
Router(config-ext-nacl)# {permit | deny} <protocol> <source_ip> <wildcard_mask> <destination_ip> <wildcard_mask> [eq <port_number>]
Apply Numbered ACL to an Interface:
Router(config)# interface <interface_id>
Router(config-if)# ip access-group <access_list_number> {in | out}
Apply Named ACL to an Interface:
Router(config)# interface <interface_id>
Router(config-if)# ip access-group <acl_name> {in | out}
Verification and Troubleshooting Commands:
View ACL Configuration:
Router# show access-lists
View ACLs Applied to Interfaces:
Router# show ip interface <interface_id>
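Added example (not from the original page): a Python evaluator for the ACL syntax above. It implements wildcard-mask matching (a 1 bit means "don't care"), parses standard and extended entries including the any and host shorthands, applies first-match semantics, counts hits the way show access-lists does, and falls through to the implicit deny. The sample ACL and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'don't care'; 0.0.0.0 = exact host, 255.255.255.255 = any."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    """One access control entry, standard (source only) or extended."""
    action: str                      # permit | deny
    protocol: str = "ip"             # ip matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # eq <port>
    hits: int = 0                    # match counter, as shown by 'show access-lists'

def _address(tokens: list, i: int) -> tuple:
    """Consume 'any', 'host X', 'X WILDCARD' or a bare 'X' (standard ACL shorthand for wildcard 0.0.0.0)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    nxt = tokens[i + 1] if i + 1 < len(tokens) else None
    if nxt is None or nxt in ("eq", "log"):
        return tokens[i], "0.0.0.0", i + 1
    return tokens[i], nxt, i + 2

def parse_ace(line: str) -> Ace:
    """Parse an IOS-style entry such as 'permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 22'."""
    t = line.split()
    if t[1] in ("ip", "tcp", "udp", "icmp"):          # extended ACL syntax
        src, src_wc, i = _address(t, 2)
        dst, dst_wc, i = _address(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Ace(t[0], t[1], src, src_wc, dst, dst_wc, port)
    src, src_wc, _ = _address(t, 1)                   # standard ACL: source only
    return Ace(t[0], "ip", src, src_wc)

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        ace.hits += 1
        return ace.action
    return "deny"

# Constructed extended ACL: only the admin subnet may SSH to the server; other traffic to it is
# denied, and everything else is allowed through.
SERVER_ACL = [parse_ace(line) for line in (
    "permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 22",
    "deny ip any host 10.0.0.5",
    "permit ip any any",
)]

if __name__ == "__main__":
    for pkt in (Packet("192.168.10.7", "10.0.0.5", "tcp", 22), Packet("192.168.20.7", "10.0.0.5", "tcp", 22),
                Packet("192.168.20.7", "172.16.0.1", "udp", 53)):
        print(pkt, "->", evaluate(SERVER_ACL, pkt))
    for ace in SERVER_ACL:
        print(ace.action, ace.protocol, ace.src, ace.src_wc, ace.dst, ace.dst_wc, ace.dst_port, f"({ace.hits} matches)")
```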
Overview:
Layer 2 security mechanisms protect the data link layer of the OSI model from various attacks, including spoofing, unauthorized access, and ARP poisoning. Key Layer 2 security features include DHCP Snooping, Port Security, and Dynamic ARP Inspection (DAI).
DHCP Snooping
- DHCP Snooping prevents rogue DHCP servers from assigning IP addresses to devices in the network.
- It works by categorizing ports as trusted (authorized DHCP servers) or untrusted (client ports).
- Filters and drops DHCP packets from untrusted sources.
Commands for DHCP Snooping Configuration:
Enable DHCP Snooping Globally:
Switch(config)# ip dhcp snooping
Enable DHCP Snooping for Specific VLANs:
Switch(config)# ip dhcp snooping vlan <vlan_id>
Configure trusted ports connected to DHCP server:
Switch(config)# interface <interface_id>
Switch(config-if)# ip dhcp snooping trust
Set a Rate Limit on Untrusted Ports:
Switch(config-if)# ip dhcp snooping limit rate <rate>
Check DHCP Snooping Database:
Switch# show ip dhcp snooping
Port Security
- Port Security restricts access to switch ports based on MAC addresses.
- It prevents MAC flooding attacks and unauthorized devices from connecting to the network.
Port Security Violation actions:
- Shutdown: Shuts the port on violation (default).
- Restrict: Drops packets and logs the violation.
- Protect: Drops packets silently.
Commands for Port Security Configuration:
Enable Port Security on a Port:
Switch(config)# interface <interface_id>
Switch(config-if)# switchport port-security
Set the Maximum Number of MAC Addresses allowed:
Switch(config-if)# switchport port-security maximum <number>
Specify Secure MAC Addresses (Static):
Switch(config-if)# switchport port-security mac-address <mac_address>
Specify Secure MAC Addresses (Dynamic):
Switch(config-if)# switchport port-security mac-address sticky
Configure the Violation Action:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Verify Port Security:
Switch# show port-security
Switch# show port-security interface <interface_id>
Check Port Security Violations:
Switch# show port-security address
Dynamic ARP Inspection (DAI)
- DAI prevents ARP spoofing by validating ARP packets based on MAC-to-IP bindings.
- Works in conjunction with DHCP Snooping to build a trusted database of IP-to-MAC bindings.
Commands for DAI Configuration:
Enable DAI Globally:
Switch(config)# ip arp inspection vlan <vlan_id>
Configure Trusted Ports:
Switch(config)# interface <interface_id>
Switch(config-if)# ip arp inspection trust
Set DAI Rate Limiting on Untrusted Ports:
Switch(config)# interface <interface_id>
Switch(config-if)# ip arp inspection limit rate <rate>
Verify DAI Configuration:
Switch# show ip arp inspection
Verify DAI Statistics:
Switch# show ip arp inspection statistics
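Added example (not from the original page): a simplified Python model of how DHCP Snooping and DAI work together. Server-side DHCP messages arriving on an untrusted port are dropped, confirmed leases populate the binding table, and DAI then drops ARP packets on untrusted ports whose sender IP/MAC/port do not match a binding, err-disabling a port that exceeds its rate limit. The switch name, port names, MAC addresses and VLAN are constructed, and the model assumes a single VLAN; the last method renders the commands above for the modelled configuration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a legitimate server sends these

@dataclass
class Port:
    name: str
    trusted: bool = False              # trusted = DHCP server / uplink side; untrusted = client port
    rate_limit: Optional[int] = None   # ARP packets allowed per interval on an untrusted port
    errdisabled: bool = False

@dataclass
class DhcpPacket:
    port: str
    msg_type: str                      # DISCOVER, OFFER, REQUEST, ACK, NAK
    client_mac: str
    client_ip: Optional[str] = None    # yiaddr carried in OFFER/ACK

@dataclass
class ArpPacket:
    port: str
    sender_mac: str
    sender_ip: str

class Switch:
    """DHCP snooping builds the binding table; DAI consults it. Single-VLAN simplification."""

    def __init__(self, vlan: int, ports: list):
        self.vlan = vlan
        self.ports = {p.name: p for p in ports}
        self.pending = {}              # client_mac -> port that sent DISCOVER/REQUEST
        self.bindings = {}             # client_mac -> (ip, port), learned from confirmed leases
        self.arp_count = Counter()     # per-port ARP packets in the current interval
        self.stats = Counter()

    def dhcp(self, pkt: DhcpPacket) -> str:
        port = self.ports[pkt.port]
        if pkt.msg_type in DHCP_SERVER_MESSAGES and not port.trusted:
            self.stats["rogue_server_dropped"] += 1   # a client port must never originate server replies
            return "drop"
        if pkt.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[pkt.client_mac] = pkt.port   # remember which client port asked
        elif pkt.msg_type == "ACK" and pkt.client_mac in self.pending:
            self.bindings[pkt.client_mac] = (pkt.client_ip, self.pending.pop(pkt.client_mac))
        return "forward"

    def arp(self, pkt: ArpPacket) -> str:
        port = self.ports[pkt.port]
        if port.errdisabled:
            return "drop"
        if port.trusted:
            return "forward"                          # DAI does not inspect trusted ports
        self.arp_count[pkt.port] += 1
        if port.rate_limit is not None and self.arp_count[pkt.port] > port.rate_limit:
            port.errdisabled = True                   # IOS err-disables the port past the limit
            self.stats["errdisabled"] += 1
            return "drop"
        if self.bindings.get(pkt.sender_mac) != (pkt.sender_ip, pkt.port):
            self.stats["dai_invalid_dropped"] += 1    # sender IP/MAC/port not in the snooping database
            return "drop"
        return "forward"

    def tick(self) -> None:
        """Start a new rate-limit interval (one second on IOS)."""
        self.arp_count.clear()

    def ios_config(self) -> list:
        """The commands from this section that produce the modelled behaviour."""
        lines = ["ip dhcp snooping", f"ip dhcp snooping vlan {self.vlan}", f"ip arp inspection vlan {self.vlan}"]
        for p in self.ports.values():
            lines.append(f"interface {p.name}")
            if p.trusted:
                lines += [" ip dhcp snooping trust", " ip arp inspection trust"]
            elif p.rate_limit is not None:
                lines.append(f" ip arp inspection limit rate {p.rate_limit}")
        return lines

def lab_switch() -> Switch:
    """Constructed lab: Gi0/1 faces the DHCP server; Gi0/2 and Gi0/3 are client ports."""
    return Switch(10, [Port("Gi0/1", trusted=True), Port("Gi0/2", rate_limit=15), Port("Gi0/3", rate_limit=15)])
```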