DHCP Snooping Flashcards

1
Q

What is DHCP Snooping?

A

DHCP Snooping only allows DHCP exchanges to take place across certain trusted ports, and prevents rogue DHCP servers.

DHCP Snooping prevents a malicious actor from pretending to be the DHCP server.

2
Q

What is the default port state once DHCP snooping is enabled?

A

By default, all ports are considered untrusted.

3
Q

What is the default action for DHCP snooping violations?

A

The offending port will be placed into err-disabled mode.

4
Q

What are the three steps in configuring DHCP snooping?

A

1. Enable DHCP snooping globally.
2. Specify which VLANs DHCP snooping will enforce.
3. Specify your trusted ports.

5
Q

What is the DHCP snooping validity check?

A

All DHCP discover/request packets will have the option 82 value replaced with the switch’s own value. If this value does not match on the DHCP replies, the packets are dropped.

6
Q

What is rate limiting?

A

Rate limiting sets how many DHCP packets are allowed across a trusted port per second.

7
Q

What is DHCP snooping necessary for?

A

Dynamic ARP Inspection and IP Source Guard.

8
Q

What are three required steps to configure DHCP snooping on a switch? (Choose three)

A. Configure the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP server.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.

A

Answer: B D F

Explanation

To configure the DHCP snooping feature, at least three steps must be done:

1. Configure global DHCP snooping.
   Command: Switch(config)# ip dhcp snooping
2. Configure trusted ports (at least one port). By default, all ports are untrusted.
   Command: Switch(config-if)# ip dhcp snooping trust
3. Configure DHCP snooping for the selected VLANs.
   Command: Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}
Other steps are just optional:

+ Configure DHCP Option 82
Switch(config)# ip dhcp snooping information option

+ Configure the number of DHCP packets per second (pps) that are acceptable on the port:
Switch(config-if)# ip dhcp snooping limit rate {rate}

Reference: SWITCH Student Guide

9
Q

Refer to the exhibit. What type of attack is being defended against?

[Exhibit: show_ip_dhcp_snooping.jpg]

A. Snooping attack
B. Rogue device attack
C. STP attack
D. VLAN attack
E. Spoofing attack
F. MAC flooding attack

A

Answer: E

Explanation

DHCP snooping is a method used to defend against DHCP spoofing.

11
Q

Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?

[Exhibit: show_ip_dhcp_snooping_2.jpg]

A. Ports Fa2/1 and Fa2/2 source DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages and respond to DHCP requests.
B. Ports Fa2/1 and Fa2/2 respond to DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages.
C. Ports Fa2/1 and Fa2/2 are eligible to source all DHCP messages and respond to DHCP requests. Port Fa3/1 can source DHCP requests only.
D. All three ports, Fa2/1, Fa2/2, and Fa3/1, are eligible to source all DHCP messages and respond to DHCP requests.

A

Answer: C

Explanation

Trusted ports are allowed to send all types of DHCP messages. Untrusted ports can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down. In this case, Fa2/1 & Fa2/2 are trusted (can send all types of DHCP messages) while Fa3/1 is untrusted (can only send DHCP requests).

12
Q

Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-the-middle attack. Which recommendation, if followed, would mitigate this type of attack?

[Exhibit: DHCP_Spoofing_untrusted_port.jpg]

A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
B. All switch ports in the Building Access block should be configured as DHCP trusted ports.
C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.

A

Answer: F

Explanation

All switch ports connecting to hosts should only send DHCP Requests, and they are the ports that can be most easily accessed by an attacker, so they should be configured as DHCP untrusted ports.

13
Q

An attacker is launching a DoS attack with a public domain hacking tool that is used to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?

A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.

A

Answer: F

Explanation

To defend against a DHCP spoofing attack, we only need to configure DHCP snooping on trusted interfaces, because all other ports are classified as untrusted by default.

14
Q

What is an untrusted port under DHCP snooping?

A

Any DHCP reply coming from an untrusted port is discarded, and the offending port is put in errdisable.

15
Q

A Cisco Catalyst switch that is prone to reboots continues to rebuild the DHCP snooping database. What is the solution to prevent the snooping database from being rebuilt after every device reboot?

A

A DHCP snooping database agent should be configured.

16
Q

A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP snooping. For more protection against malicious attacks, the network team is considering enabling dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server maintains network reachability in the future?

A

ip dhcp snooping binding vlan interface expiry

Configure a static DHCP snooping binding entry on the switch.

17
Q

DHCP snooping and IP Source Guard have been configured on a switch that connects to several client workstations. The IP address of one of the workstations does not match any entries found in the DHCP binding database. Which statement describes the outcome of this scenario?

A

The packets originating from the workstation are assumed to be spoofed and will be discarded.

18
Q

A DHCP configured router is connected directly to a switch that has been provisioned with DHCP snooping. IP Source Guard with the ip verify source port-security command is configured under the interfaces that connect to all DHCP clients on the switch. However, clients are not receiving an IP address via the DHCP server.
Which option is the cause of this issue?

A

The DHCP server does not support information option 82.

19
Q

A switch is added into the production network to increase port capacity. A network engineer is configuring the switch for DHCP snooping and IP Source Guard, but is unable to configure ip verify source under several of the interfaces. Which option is the cause of the problem?

A

The interfaces are configured as Layer 3 using the no switchport command.

The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

20
Q

Which type of information does the DHCP snooping binding database contain?

A

Untrusted hosts with leased IP addresses.

21
Q

Which command is needed to enable DHCP snooping if a switchport is connected to a DHCP server?

A

ip dhcp snooping trust

22
Q

Which database is used to determine the validity of an ARP packet based on a valid IP-to-MAC address binding?

A

DHCP snooping database

23
Q

What is an untrusted port in *DHCP Snooping*?

A

An untrusted port in DHCP Snooping is a port that is not allowed to respond to DHCP requests. All ports are untrusted by default.

24
Q

What is a trusted port in *DHCP Snooping*?

A

A trusted port is allowed to respond to DHCP requests and must be manually configured.

25
Q

What is the *DHCP Snooping Binding Database*?

A

The DHCP Snooping Binding Database tracks DHCP requests and also tracks information about the client’s received address, MAC, and lease time. Other security features rely on DHCP Snooping Binding Database to operate.

26
Q

Why is DHCP Snooping only designed to be run on access layer switches?

A

The reason why DHCP Snooping is only designed to run on access layer switches is the GiAddr field. When DHCP Relay is used, the GiAddr field is set to a non-zero value, which would ultimately fail the DHCP Snooping checks and kill the request entirely, even if it is from a trusted port. This is why having DHCP upstream is not a good idea.

27
Q

What configuration command rate limits messages in *DHCP Snooping*?

A

Sw1(config-if)# ip dhcp snooping limit rate <1 - 2048>

28
Q

What configuration command enables a trusted port in *DHCP Snooping*?

A

Sw1(config-if)# ip dhcp snooping trust

29
Q

Which show commands display useful information about *DHCP Snooping*?

A

Sw1# show ip dhcp snooping

Sw1# show ip dhcp binding

31
Q

What configuration command enables *DHCP Snooping*?

A

Sw1(config)# ip dhcp snooping

Sw1(config)# ip dhcp snooping vlan <vlan-id>