DHCP Spoofing Questions Flashcards
What are three required steps to configure DHCP snooping on a switch? (Choose three)
A. Configure the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP sewer.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.
Answer: B D F
Explanation
To configure DHCP snooping feature, at least three steps must be done:
Sequence and Description Command
1. Configure global DHCP snooping Switch(config)# ip dhcp snooping
2. Configure trusted ports (as least on 1 port).
By default, all ports are untrusted Switch(config-if)# ip dhcp snooping trust
3. Configure DHCP snooping for the selected VLANs Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}
Other steps are just optional:
+ Configure DHCP Option 82
Switch(config)# ip dhcp snooping information option
+ Configure the number of DHCP packets per second (pps) that are acceptable on the port:
Switch(config-if)# ip dhcp snooping limit rate {rate}
Reference: SWITCH Student Guide
Refer to the exhibit. What type of attack is being defended against?
show_ip_dhcp_snooping.jpg
A. Snooping attack
B. Rogue device attack
C. STP attack
D. VLAN attack
E. Spoofing attack
F. MAC flooding attack
Answer: E
Explanation
DHCP snooping is a method used to defend DHCP spoofing.
An attacker is launching a DoS attack with a public domain hacking tool that is used to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?
A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.
Answer: F
Explanation
To defend DHCP spoofing attack, we only need to configure DHCP snooping on trusted interfaces because other ports are classified as untrusted ports by default.
Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?
show_ip_dhcp_snooping_2.jpg
A. Ports Fa2/1 and Fa2/2 source DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages and respond to DHCP requests.
B. Ports Fa2/1 and Fa2/2 respond to DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages.
C. Ports Fa2/1 and Fa2/2 are eligible to source all DHCP messages and respond to DHCP requests. Port Fa3/1 can source DHCP requests only.
D. All three ports, Fa2/1, Fa2/2, and Fa3/1, are eligible to source all DHCP messages and respond to DHCP requests.
Answer: C
Explanation
Trusted ports are allowed to send all types of DHCP messages. Untrusted ports can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down. In this case, Fa2/1 & Fa2/2 are trusted (can send all types of DHCP messages) while Fa3/1 is untrusted (can only send DHCP requests).
Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-middle attack. Which recommendation, if followed, would mitigate this type of attack?
DHCP_Spoofing_untrusted_port.jpg
A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
B. All switch ports in the Building Access block should be configured as DHCP trusted ports.
C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.
Answer: F
Explanation
All switch ports connecting to hosts should only send DHCP Requests and they are the ports that can be easily accessed by an attacker -> They should be configured as DHCP untrusted ports.
