Volume 2 - Chapter 12: DHCP Snooping and ARP Inspection Flashcards

1
Q

In regards to DHCP snooping, which of the following types of devices are most likely to have their connected ports configured as “trusted”?
* Hosts
* Routers
* Switches
* DHCP Servers
* Access Points

A

Hosts, routers, and DHCP servers

2
Q

Describe the function of the untrusted port type in regards to DHCP snooping.

A

The untrusted port will discard DHCP messages that would normally only be sent by servers (Offer & Ack.)

The untrusted port will forward DHCP client messages (Discover & Request), but may filter them if they are part of an attack.

3
Q

Describe how DHCP is used in a man-in-the-middle attack.

A

The attacker will configure a DHCP server on their own machine and offer the default gateway option as their own IP address. The attacker can then snoop the traffic before passing it along to the real network.

4
Q

Describe how untrusted ports filter DHCP traffic for client messages.

A

  1. For DISCOVER and REQUEST messages: compare the source MAC of the frame with the client hardware address (chaddr) field in the DHCP message
  2. For RELEASE and DECLINE messages: compare the source port of the incoming RELEASE/DECLINE with the DHCP snooping binding table

5
Q

A switch is configured with DHCP snooping and a connected host makes a successful DHCP request to a trusted server.

What happens after the host receives the new IP address?

A

The switch will add a new binding in the DHCP snooping binding table.

6
Q

What information is stored for each entry in the DHCP snooping binding table?

A

Each entry will contain the following:
* The source port of the host with the IP address
* The source VLAN of the host
* The IP address that was assigned to the host
* The MAC address of the host

7
Q

What commands are required at a minimum to enable the use of DHCP snooping?

A

DHCP snooping must be enabled globally and for the specific VLANs for it to function:
* ip dhcp snooping
* ip dhcp snooping vlan XX

8
Q

What command can be used to list the enabled/disabled state of DHCP snooping and the VLANs that it is currently enabled on?

A

show ip dhcp snooping

9
Q

What additional option is added to DHCP requests when a request is forwarded to an external DHCP server by a relay agent?

A

Option 82

10
Q

A switch is enabled with DHCP snooping but does not act as a DHCP relay.

What command is required on the switch to prevent it from blocking valid DHCP client requests?

A

no ip dhcp snooping information option

11
Q

What command can be enabled to restrict the number of DHCP messages processed by DHCP snooping on an interface?

A

DHCP snooping rate limits:

ip dhcp snooping limit rate messagespersecond

12
Q

Describe what happens when the DHCP snooping rate limit is exceeded.

A

The switch will put the interface configured with the rate limit into an err-disable state.

13
Q

What command(s) are required to enable the automatic recovery of a port put into err-disable due to exceeding the DHCP snooping rate limit?

A

errdisable recovery cause dhcp-rate-limit
errdisable recovery interval seconds

14
Q

What 4 main fields are included in a typical ARP request?

A

Sender Hardware Address
Sender Protocol (IP) Address
Target Hardware Address
Target Protocol (IP) Address

15
Q

An ARP reply that is sent to a host without first having received an ARP request is referred to as?

A

A gratuitous ARP

16
Q

Describe the function of a gratuitous ARP.

A

The gratuitous ARP uses a broadcast destination address to notify all hosts on the network that its MAC address has changed.

17
Q

Describe how an attacker uses gratuitous ARP messages to compromise a host.

A

An attacker can use gratuitous ARPs as part of a man-in-the-middle attack:

  1. The attacker sends a gratuitous ARP with its own MAC as the destination for IP address x.x.x.x
  2. When hosts try to communicate with x.x.x.x, the message is sent to the MAC address of the attacker
  3. The attacker then copies these messages before forwarding them to the actual intended recipient

18
Q

Describe how Dynamic ARP Inspection uses the DHCP snooping binding table.

A

For any untrusted port, by comparing the sender MAC and IP in the ARP message to the valid bindings in the table. If they do not match, the packet is discarded.

19
Q

True or False:

Dynamic ARP inspection can only be used with DHCP-enabled hosts.

A

False; hosts configured with static IP addresses can also benefit from DAI. Static ARP ACLs can be configured on the switch to filter these messages in the same way as for DHCP hosts.

20
Q

Describe what checks are performed by Dynamic ARP inspection.

A
  * Compare the source MAC in the Ethernet header with the sender MAC in the ARP message
  * Compare the destination MAC in the Ethernet header with the target MAC in the ARP message
  * Check for unexpected IP addresses in the two ARP address fields

21
Q

What command is used to enable the use of Dynamic ARP inspection for a VLAN?

A

In global configuration mode:

ip arp inspection vlan xx

22
Q

A technician enables the use of DAI with the following configuration:

ip arp inspection vlan 11
!
interface GigabitEthernet1/0/2
ip arp inspection trust

What is the problem with the way this configuration is set up?

A

Neither DHCP snooping nor ARP ACLs are configured. As such, all untrusted ports will drop every ARP message, even valid ones.

Either DHCP snooping or static ARP ACLs must be configured at a minimum for DAI to function.

23
Q

A technician wants to configure the following on a switch that does not have a DHCP relay configured:
* DHCP snooping on VLAN 50
* Dynamic ARP inspection on VLAN 50
* Interface Gi1/0/10 as trusted for DHCP snooping
* Interface Gi1/0/10 as trusted for DAI

What commands must be configured to support this?

A

ip arp inspection vlan 50
ip dhcp snooping
ip dhcp snooping vlan 50
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
ip arp inspection trust
ip dhcp snooping trust

24
Q

What commands can be used to show the current statistics for DAI?

A

show ip arp inspection

or

show ip arp inspection statistics

25
Q

What command can be used to restrict the number of ARP messages accepted on an interface?

A

ip arp inspection limit rate numberofmessages

or

ip arp inspection limit rate numberofmessages burst interval numberofseconds

26
Q

What is the default burst interval for DAI if a burst interval is not specified?

A

1 second.

27
Q

Describe how rate limits differ by default between DAI and DHCP snooping.

A

DAI applies rate limits to all interfaces (trusted and untrusted) by default. DHCP snooping does not enable rate limits by default.

DAI allows a burst interval (per x seconds) to be configured, whereas DHCP snooping does not.

28
Q

What is the command to enable automatic err-disable recovery for ARP inspection?

A

errdisable recovery cause arp-inspection

29
Q

What is the default interface rate limit for Dynamic ARP Inspection?

A

15 messages over a 1 second burst.

30
Q

What DAI check is always performed when DAI is enabled?

A

Sender MAC and Sender IP

31
Q

What commands can be used to enable the following optional checks for DAI?
* Source MAC
* Destination MAC
* IP addresses

A

ip arp inspection validate src-mac
ip arp inspection validate dst-mac
ip arp inspection validate ip

32
Q

What command can be used to disable DAI rate limits?

A

ip arp inspection rate limit none