O'Reilly logo
live online training icon Live Online training

CCNA 200-301 Deep Dive: DHCP, DHCP Snooping, and DAI

Prepare for the new CCNA 200-301 through lecture and hands-on labs

Topic: System Administration
Wendell Odom

The Cisco Certified Network Associate (CCNA) certification creates a de facto standard defining the essential knowledge required for anyone working with computer networks. Cisco completely revamped its entire certification program for 2020, with CCNA taking an even more critical role. Cisco places CCNA as the one starting point for all other Cisco certifications. Anyone pursuing a career in networking should be prepared to work with Cisco, and that process begins with CCNA.

This course uses a series of short, targeted lectures followed by lab exercises that you do in class using the (free) Cisco Packet Tracer simulator. New to Cisco? Anyone can do the labs, with one lab exercise version created for those with little background knowledge, and another for those with appropriate prerequisite skills. The flow works through a series of paired lectures and labs and closes with a short topic of advice about how to learn more and complete your exam preparation for this course’s topics.

You must have Version 7.3 (or later ) of Cisco Packet Tracer installed and confirmed to be working before class begins. Earlier versions do not work for the in-class labs. Refer to the instructions at this page for more detail.

Dynamic Host Configuration Protocol (DHCP) plays the vital role of helping IP hosts dynamically learn an IP address to use, with almost every network using DHCP. Additionally, all TCP/IP networks use Address Resolution Protocol (ARP). Due to their popularity, outsiders have created a variety of attacks to take advantage of DHCP and ARP. In this course, you will learn about DHCP and ARP fundamentals and then learn about two tools that secure these protocols: DHCP Snooping and Dynamic ARP Inspection (DAI).

What you'll learn-and how you can apply it

  • How hosts dynamically learn an IPv4 address to use – along with other related facts – rather than requiring static address configuration
  • The DHCP protocol mechanisms used between DHCP clients and servers, which then requires the configuration of the DHCP Relay Agent feature to support those messages
  • An understanding of how a layer 2 switch is well-positioned to examine DHCP messages and collect facts that can later be used by DHCP Snooping to prevent some kinds of DHCP-based attacks
  • An understanding of IP Address Resolution Protocol (ARP)
  • Understand how a layer 2 switch that uses DHCP Snooping can add the logic of Dynamic ARP Inspection (DAI) to help prevent some types of ARP-based attacks
  • Learn to configure and verify both DHCP Snooping and DAI

This training course is for you because...

You want to achieve Cisco CCNA certification - You want to learn networking basics, specifically DHCP, DHCP Snooping, and DAI, for your job and the exam - You want to pursue one of the Cisco CCNP certifications, and you need to know CCNA topics as a prerequisite - You prefer lab-centric learning


  • An understanding of Ethernet LAN switching and VLANs. You can learn these topics from Chapters 5 through 8 of the CCNA 200-301 Official Cert Guide, Volume 1. Alternately, attend the “CCNA 200-301 Deep Dive: VLANs, Trunking, and LAN Switching” Live course. Both are available at O’Reilly Online Learning.
  • An understanding of IP Version 4 (IPv4) addressing and subnetting, which can be learned from Chapters 11 through 14 of the CCNA 200-301 Official Cert Guide, Volume 1. However, you do not need to be ready to do subnetting math without a calculator.
  • A basic understanding of IP routing and IP ARP, both of which you can learn from the first half of Chapter 16 of the CCNA 200-301 Official Cert Guide, Volume 1.

Additionally, you can learn in this course without the following skills, but coming to course with these skills can increase how much you learn:

  • Have Cisco device CLI navigation skills. You can learn these skills in the course “CCNA 200-301 Deep Dive: Cisco CLI and Cisco Packet Tracer”, or by reading Chapter 4 of the CCNA 200-301 Official Cert Guide, Volume 1. Both are available at O’Reilly Online Learning.

Materials, downloads, or Supplemental Content needed in advance

  • The CCNA Deep Dive courses here at O’Reilly require you to use Cisco Packet Tracer, specifically version 7.3. The in-class labs do not work with earlier versions of Cisco Packet Tracer. Follow this link for the specifics to find, install, and test your Packet Tracer installation.

Recommended Follow-up

  • Read about switch port security, a related switch-based security topic: Chapter 5, “Implementing Switch Port Security” in the CCNA 200-301 Official Cert Guide, Volume 2 (available on O’Reilly Online)
  • Attend the O’Reilly Online course “CCNA 200-301 Deep Dive: NAT, NTP, and CDP/LLDP”.
  • Attend any of the CCNA 200-301 Deep Dive series of courses here at O’Reilly Online.

About your instructor

  • Wendell Odom, CCIE No. 1624, creates many of the best-selling Cisco certification products of their types, particular in the routing and switching space. He has pioneered the authorized Cisco Certification Guide series at Cisco Press and has written every edition of the leading CCENT and CCNA Certification Guides. He has written over 30 editions of networking books, video, and software products, ranging in depth from introductory level to CCIE. Wendell has worked as an instructor, course developer, network engineer, and consultant. Find links to more study tools and resources (including his blogs) at www.certskills.com.


The timeframes are only estimates and may vary according to how the class is progressing

Section 1: Introduction (10 Minutes)

  • CCNA 200-301 Exam Overview and Exam Topics in this Course
  • Verify Packet Tracer Installation
  • Deep Dive Course Series

Section 2: Dynamic Host Configuration Protocol (DHCP) (70 Minutes)

  • DHCP from a Host Perspective
  • IOS DHCP Relay Agent
  • Lab 1: Configure and Verify IOS DHCP Relay Agent

Section 3: DHCP Snooping (70 Minutes)

  • DHCP Security Risks
  • DHCP Snooping Features and Configuration
  • Lab 2: Configure and Verify DHCP Snooping


Section 4: Dynamic ARP Inspection (DAI) (70 Minutes)

  • IP ARP Security Risks
  • DAI Features and Configuration
  • Lab 3: Understand ARP and Enable DAI

Section 5: Exam Advice and Final QA (10 Minutes)

  • What and Where to Learn More about DHCP, DHCP Snooping, and DAI
  • Exam Advice about Today’s Topics