
DHCP Snooping

September 4th, 2017 in SWITCH 300-115

Quick review of DHCP Spoofing:

[Figure: DHCP Spoofing Attack]

DHCP spoofing is an attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the client. The fake DHCP Response usually names the attacker's own IP address as the client's default gateway, so all traffic the client sends leaves through the attacker's computer: the attacker has become a "man-in-the-middle".

The attacker has a few ways to make sure the fake DHCP Response arrives first. If the attacker is "closer" to the client than the DHCP Server, nothing more is needed; otherwise the attacker can DoS the DHCP Server so that it cannot send its DHCP Response at all.

DHCP snooping prevents DHCP spoofing attacks. It is a Cisco Catalyst feature that determines which switch ports are allowed to answer DHCP requests; ports are classified as trusted or untrusted.

[Figure: DHCP Spoofing Attack with trusted and untrusted ports]

Only ports that connect to an authorized DHCP server are trusted and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and may send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.
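The trusted/untrusted rule above, as an added example that is not part of the original page and not Cisco's code: a small Python model of a snooping switch that drops a DHCP server message arriving on an untrusted port and err-disables that port, and that records a binding entry (with the fields listed under Question 2 and Question 6 below) when a trusted server acknowledges a lease. Port names, MAC addresses, IP addresses and the message layout are constructed for the demo.

```python
"""Toy model of DHCP snooping port trust and the binding database.

Added example, not Cisco's code. Only trusted ports may carry DHCP server
messages; a server message seen on an untrusted port is dropped and the
port is err-disabled; leases acknowledged by a trusted server become
entries in the binding database, tied to the client's own port.
"""
from dataclasses import dataclass, field

# RFC 2131 message names, split by who legitimately sends them.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


@dataclass
class DhcpMessage:
    kind: str            # one of the names above
    chaddr: str          # client hardware address in the DHCP body
    yiaddr: str = ""     # address handed out (OFFER / ACK)
    lease: int = 0       # lease time in seconds (ACK)


@dataclass
class Binding:
    """One DHCP snooping binding entry, with the fields the text lists."""
    mac: str
    ip: str
    lease: int
    kind: str            # "dynamic" or "static"
    vlan: int
    interface: str


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)
    errdisabled: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # chaddr -> (port, vlan)
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> Binding
    log: list = field(default_factory=list)

    def trust(self, port):
        """Models 'ip dhcp snooping trust' on the server-facing port."""
        self.trusted.add(port)

    def add_static_binding(self, mac, vlan, ip, interface, expiry):
        """Models a static 'ip dhcp snooping binding ...' entry."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, expiry, "static", vlan, interface)

    def receive(self, port, vlan, msg):
        """Decide 'forward' or 'drop' for one DHCP message seen on a port."""
        if port in self.errdisabled:
            return "drop"
        if msg.kind in SERVER_MESSAGES and port not in self.trusted:
            # A server reply on an untrusted port can only be a rogue server.
            self.errdisabled.add(port)
            self.log.append(f"{port}: {msg.kind} on untrusted port, err-disabled")
            return "drop"
        if msg.kind in CLIENT_MESSAGES and port not in self.trusted:
            # Remember which untrusted port the requesting client sits on.
            self.pending[msg.chaddr] = (port, vlan)
        if msg.kind == "ACK" and msg.chaddr in self.pending:
            # A lease confirmed by a trusted server becomes a dynamic binding
            # on the client's port, not on the server port.
            client_port, client_vlan = self.pending.pop(msg.chaddr)
            self.bindings[(client_vlan, msg.yiaddr)] = Binding(
                msg.chaddr, msg.yiaddr, msg.lease, "dynamic", client_vlan, client_port)
        return "forward"


def demo():
    """Replay the spoofing scenario from the text on the model switch."""
    sw = SnoopingSwitch()
    sw.trust("Gi1/0/24")                          # port facing the real DHCP server
    client_mac = "00:11:22:33:44:55"              # constructed client
    sw.receive("Gi1/0/1", 10, DhcpMessage("DISCOVER", client_mac))
    # A rogue server on an untrusted port answers first: dropped, port err-disabled.
    rogue = sw.receive("Gi1/0/2", 10, DhcpMessage("OFFER", client_mac, "10.0.10.99"))
    # The real server's reply arrives through the trusted port and is forwarded.
    real = sw.receive("Gi1/0/24", 10, DhcpMessage("ACK", client_mac, "10.0.10.50", 86400))
    return sw, rogue, real


if __name__ == "__main__":
    switch, rogue_result, real_result = demo()
    print(rogue_result, real_result, switch.log, switch.bindings)
```

The model keeps the binding keyed by VLAN and IP address, which is what IP Source Guard and Dynamic ARP Inspection look up later on this page; a static entry added with add_static_binding sits in the same table as the dynamically learned ones.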

Question 1

Explanation

To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dhcp.html#wp1090370

Question 2

Explanation

A static DHCP snooping binding defines a mapping between a fixed IP address and the client's MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is how to configure a static DHCP snooping binding entry:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore, if the switch receives a packet that does not match any entry in the DHCP binding database, that packet is assumed to be spoofed and is discarded.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4

Explanation

The command “ip verify source port-security” enables IP Source Guard with both source IP and source MAC address filtering. Two caveats apply when this command is used:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html

Question 5

Explanation

The following restrictions apply to IP Source Guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports).
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.pdf

Question 6

Explanation

The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7

Explanation

The port connected to a DHCP server should be configured as a trusted port with the “ip dhcp snooping trust” command. The other ports, which connect to hosts, are untrusted by default.

Question 8

Explanation

The DHCP snooping database contains MAC-address-to-IP-address bindings, which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9

Explanation

When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10

Explanation

DAI performs the following functions:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both requests and replies) and validates the sender IP and sender MAC values (the Source Protocol and Source Hardware address fields) against the DHCP snooping binding database entry for that port.
If the MAC address, the IP address and the corresponding port do not match the snooping database entry, the ARP packet is dropped. DAI thus prevents a node from asserting an illegitimate IP-to-MAC binding that differs from the one the DHCP server assigned.
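The two consumers of the binding database described on this page, IP Source Guard (Questions 3, 4 and 9) and Dynamic ARP Inspection (Questions 8 and 10), as one added example in Python; this is not Cisco's code and not part of the original explanations. The binding table is modelled as a dict of (vlan, ip) -> (mac, interface), the port-security variant of IP Source Guard as a check_mac flag, and the ARP access list for statically addressed hosts (mentioned in the comments below) as a set of (ip, mac) pairs. All addresses and port names are constructed.

```python
"""Toy model of IP Source Guard and Dynamic ARP Inspection decisions.

Added example, not Cisco's code. Both features look up the DHCP snooping
binding table: IP Source Guard filters IP traffic by source address (and
optionally source MAC) on an untrusted port; DAI validates the sender
IP/MAC pair in ARP packets against the same table or an ARP ACL.
"""

# Constructed binding table: one dynamic lease and one static entry.
BINDINGS = {
    (10, "10.0.10.50"): ("00:11:22:33:44:55", "Gi1/0/1"),
    (10, "10.0.10.10"): ("00:aa:bb:cc:dd:ee", "Gi1/0/5"),
}


def ip_source_guard(packet, port, vlan, bindings, check_mac=False):
    """Return True if an IP packet from an untrusted port may be forwarded.

    Before a host has a binding only DHCP passes, so it can still obtain a
    lease. Afterwards only packets whose source IP is bound to this port
    are permitted; with check_mac=True (the 'ip verify source
    port-security' variant) the source MAC must match as well.
    """
    if packet["proto"] == "dhcp":
        return True
    entry = bindings.get((vlan, packet["src_ip"]))
    if entry is None:
        return False                     # no binding: treated as spoofed
    mac, interface = entry
    if interface != port:
        return False                     # address belongs to another port
    if check_mac and packet["src_mac"] != mac:
        return False
    return True


def dynamic_arp_inspection(arp, port, vlan, bindings, arp_acl=frozenset(), trusted=False):
    """Return True if an ARP packet (request or reply) is valid.

    Trusted ports are not inspected. On untrusted ports the sender IP and
    sender MAC must match the binding for this port, or be permitted by an
    ARP ACL entry for a host that never used DHCP.
    """
    if trusted:
        return True
    if (arp["sender_ip"], arp["sender_mac"]) in arp_acl:
        return True
    entry = bindings.get((vlan, arp["sender_ip"]))
    return entry == (arp["sender_mac"], port)


def demo():
    """Run constructed packets through both checks; returns {label: allowed}."""
    client_mac = "00:11:22:33:44:55"
    legit = {"proto": "ip", "src_ip": "10.0.10.50", "src_mac": client_mac}
    # Same host using the server's address, which is bound to another port.
    spoofed = {"proto": "ip", "src_ip": "10.0.10.10", "src_mac": client_mac}
    # DHCP from a host with no binding yet must pass so it can get a lease.
    discover = {"proto": "dhcp", "src_ip": "0.0.0.0", "src_mac": "00:de:ad:be:ef:00"}
    wrong_mac = {**legit, "src_mac": "00:00:00:00:00:01"}
    arp_ok = {"sender_ip": "10.0.10.50", "sender_mac": client_mac}
    # Client claiming the gateway's address (constructed as 10.0.10.1).
    arp_bad = {"sender_ip": "10.0.10.1", "sender_mac": client_mac}
    # Statically addressed host with no lease: dropped until an ARP ACL permits it.
    static_arp = {"sender_ip": "10.0.10.20", "sender_mac": "00:12:34:56:78:9a"}
    acl = {("10.0.10.20", "00:12:34:56:78:9a")}
    return {
        "ipsg_legit": ip_source_guard(legit, "Gi1/0/1", 10, BINDINGS),
        "ipsg_spoofed": ip_source_guard(spoofed, "Gi1/0/1", 10, BINDINGS),
        "ipsg_dhcp": ip_source_guard(discover, "Gi1/0/7", 10, BINDINGS),
        "ipsg_mac_mismatch": ip_source_guard(wrong_mac, "Gi1/0/1", 10, BINDINGS, check_mac=True),
        "dai_ok": dynamic_arp_inspection(arp_ok, "Gi1/0/1", 10, BINDINGS),
        "dai_bad": dynamic_arp_inspection(arp_bad, "Gi1/0/1", 10, BINDINGS),
        "dai_static_without_acl": dynamic_arp_inspection(static_arp, "Gi1/0/9", 10, BINDINGS),
        "dai_static_with_acl": dynamic_arp_inspection(static_arp, "Gi1/0/9", 10, BINDINGS, arp_acl=acl),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:24s} {'permit' if allowed else 'drop'}")
```

The dai_static_* pair is the situation the comments discuss below: a server with a static address has no lease in the binding table, so once DAI is enabled its ARP traffic is dropped unless an ARP ACL (or, equivalently, a static binding entry added to the table) covers it.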

Comments
  1. rava
    November 20th, 2016

    Q11
    At least 8000 bindings can be stored on DHCP snooping database with Releases after 12.2(18)SXF5.

  2. AXX
    December 22nd, 2016

    Q11 – minimum is not equal to: 1) can store, 2) at least, or 3) up to

    Guidelines and Limitations
    DHCP snooping has the following configuration guidelines and limitations:

    • The DHCP snooping database can store 2000 bindings.

    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html

    DHCP Snooping Configuration Restrictions

    • With releases earlier than Release 12.2(18)SXF5, the DHCP snooping database stores a maximum of 512 bindings. If the database attempts to add more than 512 DHCP bindings, all bindings are removed from the database.

    • With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/snoodhcp.pdf

    DHCP Snooping Binding Database
    When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.

    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/asr903/dhcp-xe-3s-asr903-book/dhcp-features.html

    DHCP Snooping Configuration Restrictions
    • The DHCP snooping database stores at least 12,000 bindings

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/dhcp_snooping.pdf

  3. shrek
    December 23rd, 2016

    In Q7 it asks “Which command is needed to enable DHCP snooping …”, not “which command is needed to configure a port as a trusted port”, so the answer should be “ip dhcp snooping”, not “ip dhcp snooping trust”, right? Please correct me if I’m wrong.
    Thank you in advance

  4. Jake
    December 27th, 2016

    Q7 is correct because the last part of the question specifies “if a switchport is connected to a DHCP server”. The question is asking about port configuration, not global.

  5. noman
    January 11th, 2017

    Which option is the minimum number of bindings that the DHCP snooping database can store???

    2000
    8000

  6. Anonymous
    January 11th, 2017

    8000 binding

  7. Digit-All
    May 21st, 2017

    Shrek, “ip dhcp snooping trust” is specific to an interface connected to a DHCP server, while “ip dhcp snooping” is a global command. So the answer is correct.

  8. abrakapokus
    July 3rd, 2017

    I don’t get Q10, if it is the one I think it is.
    There is a trusted server and it says we have to configure the static DHCP snooping binding entry. Isn’t the DHCP snooping database made for untrusted hosts??

  9. abrakapokus
    July 3rd, 2017

    Untrusted interfaces, sorry, I think I got it.

  10. anyone
    July 3rd, 2017

    @abrakapokus, Q10 is “Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?” Answer is A – Dynamic ARP Inspection (DAI)

    When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports. The DHCP snooping feature just cares about if the reply is coming from a trusted port or not when making decisions.

    Dynamic ARP Inspection (DAI) utilizes the DHCP snooping database, specifically the IP-to-MAC address bindings, when making decisions, but since the database would not have entries for addresses that were configured statically (not assigned by DHCP), you would need to configure an ARP access list that defines the static MAC-IP address bindings that are permitted.

    Does this help?

  11. abrakapokus
    July 3rd, 2017

    Thank you a lot for the prompt reply.
    It does help a lot, although I was referring to another question. But now I see the explanation is the same. :)
    The question was: “A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP
    snooping. For more protection against malicious attacks, the network team is considering enabling
    dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server
    maintains network reachability in the future?”
    with the correct answer being: “Configure a static DHCP snooping binding entry on the switch.”

    I was having some concerns about entries in DHCP snooping binding database but with this and a bit more investigating I believe I resolved them all.
    Thank you!

  12. varv
    July 9th, 2017

    Hello Everyone!

    I have CCNP Switch 300-115 exam in 2 days. Can you guys please provide me Updated Dumps?

    My email ID: venkatesh1593 at gmail dot com

    Thanks a lot!

  13. CCNP boy
    August 7th, 2017

    Are the Qs still valid to pass this exam ? or is there a lot of new Qs ?

  14. Mago
    November 15th, 2017

    Please, does anyone know what Q13 can be talking about?

  15. Marcus
    December 10th, 2017

    @Mago, I guess this question (Q13) is talking about relaying DHCP packets, which occurs when a relay agent catches a DHCP Discovery or DHCP Request broadcast packet on L2 and then sends it directly to the DHCP server on L3. Option 82 is inserted by the DHCP relay agent during the relaying process.

  16. Anon6
    December 21st, 2017

    Question 11: Which option is the minimum number of bindings that the DHCP snooping database can store?

    If it can store 8,000, then it can also store a minimum of 1,000. Correct? It can also store a minimum of 1. The question is written incorrectly by Cisco. All of the docs written by Cisco use the term ‘at least’, and the number varies depending on the version of IOS. It says 8,000 and 12,000 as a minimum. Due to faulty logic, 8,000 is correct.

  17. nano-baro
    January 3rd, 2018

    (10) QUESTION 31
    Which type of packet does DHCP snooping continuously check in a production network?
    (What kind of packets is DHCP snooping continuously check in a production network? – contributed in Certprepare)
    A. DHCP Snooping
    B. DHCP Relay
    C. DHCP Request
    D. DHCP Acknowledge
    E. DHCP Reply
    F. DHCP Allow
    Correct Answer: A

    could anyone explain this new question

  18. no nicknam
    January 10th, 2018

    (10) QUESTION 31
    Which type of packet does DHCP snooping continuously check in a production network?
    (What kind of packets is DHCP snooping continuously check in a production network? – contributed in Certprepare)
    A. DHCP Snooping
    B. DHCP Relay
    C. DHCP Request
    D. DHCP Acknowledge
    E. DHCP Reply
    F. DHCP Allow
    Correct Answer: A

    could anyone explain this new question

    Already contributed on (share your CCNP knowledge): he said ACK, which is not wrong, but I would say reply because it goes before ACK.

  19. sandor
    January 24th, 2018

    DHCP Snooping performs the following checks:

    If a DHCP server message is received on an untrusted port (OFFER, ACK, NAK, LEASEQUERY), it is dropped.
    This prevents unauthorized DHCP servers from sending packets into the network.
    If a DHCP client message (DISCOVER, REQUEST, DECLINE, INFORM, RELEASE) is received on an untrusted port and the source MAC address of the frame does not match the chaddr (client hardware address) field inside the message body, it is dropped.
    This prevents a client from sending messages claiming a different MAC address than the one truly owned by the client.
    If a DHCP RELEASE or DECLINE message is received on an untrusted port but the information about the client (its MAC address, IP address, VLAN, port) are recorded in the DHCP Snooping binding database for a different port, the message is dropped.
    This prevents a client from impersonating another client and telling the DHCP server that the IP address of the other client is either being returned (RELEASE) or that it is already assigned and in conflict (DECLINE).
    If a DHCP message containing a non-zero relay agent IP address is received on an untrusted port, it is dropped.
    This prevents a client from impersonating a router with DHCP Relay and requesting an address for a client possibly in a different network.
    If a DHCP message containing a DHCP Option-82 is received on an untrusted port, it is dropped.
    This prevents a client from attaching specific information into the message that would potentially influence the IP address and other configuration assigned from the server.

    If the packet has passed all these checks and was not dropped, the switch will forward it depending on what type of packet it is.
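The check list in sandor's comment above, as an added example written for this page (not Cisco's code and not the commenter's): one Python function that takes a DHCP message together with the frame and port it arrived on and returns either None (forward) or the reason it is dropped. The message layout, addresses and the binding table of (vlan, ip) -> (mac, port) are constructed; client_ip stands for the address a RELEASE or DECLINE refers to.

```python
"""Per-message DHCP snooping checks on untrusted ports.

Added example, not Cisco's code. Implements the five checks listed in the
comment above; trusted ports are exempt from all of them.
"""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK", "LEASEQUERY"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "INFORM", "RELEASE"}


@dataclass
class Seen:
    """A DHCP message together with the frame and port it arrived on."""
    kind: str
    port: str
    vlan: int
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address inside the DHCP body
    client_ip: str = ""       # address named by RELEASE / DECLINE
    giaddr: str = "0.0.0.0"   # relay agent address; zero when a client sent it
    option82: bool = False    # relay agent information option present


def snooping_check(msg, trusted_ports, bindings):
    """Return None if the message may be forwarded, else the drop reason."""
    if msg.port in trusted_ports:
        return None                       # trusted ports are not checked
    if msg.kind in SERVER_MESSAGES:
        return "server message on untrusted port"
    if msg.kind in CLIENT_MESSAGES and msg.src_mac.lower() != msg.chaddr.lower():
        return "chaddr does not match frame source MAC"
    if msg.kind in {"RELEASE", "DECLINE"}:
        entry = bindings.get((msg.vlan, msg.client_ip))
        if entry is not None and entry[1] != msg.port:
            return "RELEASE/DECLINE for an address bound to another port"
    if msg.giaddr != "0.0.0.0":
        return "non-zero relay agent address on untrusted port"
    if msg.option82:
        return "option 82 present on untrusted port"
    return None


def demo():
    """Run constructed messages through the checks; returns {label: reason}."""
    trusted = {"Gi1/0/24"}
    bindings = {(10, "10.0.10.50"): ("00:11:22:33:44:55", "Gi1/0/1")}
    mac_a, mac_b = "00:11:22:33:44:55", "00:66:77:88:99:aa"
    cases = {
        "normal_request": Seen("REQUEST", "Gi1/0/1", 10, mac_a, mac_a),
        "rogue_offer": Seen("OFFER", "Gi1/0/2", 10, mac_b, mac_a),
        "forged_chaddr": Seen("DISCOVER", "Gi1/0/2", 10, mac_b, mac_a),
        "release_other_host": Seen("RELEASE", "Gi1/0/2", 10, mac_b, mac_b,
                                   client_ip="10.0.10.50"),
        "fake_relay": Seen("DISCOVER", "Gi1/0/2", 10, mac_b, mac_b,
                           giaddr="10.0.10.254"),
        "option82_from_host": Seen("DISCOVER", "Gi1/0/2", 10, mac_b, mac_b,
                                   option82=True),
        "ack_from_trusted": Seen("ACK", "Gi1/0/24", 10, "00:de:ad:00:00:01", mac_a),
    }
    return {label: snooping_check(m, trusted, bindings) for label, m in cases.items()}


if __name__ == "__main__":
    for label, reason in demo().items():
        print(f"{label:20s} {reason or 'forward'}")
```

The checks are ordered as in the comment, so a message that fails several of them reports the first reason; on a real switch the per-reason drop counters are what you would look at to tell a misbehaving client from a rogue server.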

  20. CCNP
    March 4th, 2018

    @certprepare
    Q15 and 16 are missing in questions. Please provide a latest link for the questions.

  21. recertordie
    March 13th, 2018

    (10) QUESTION 31
    Which type of packet does DHCP snooping continuously check in a production network?
    (What kind of packets is DHCP snooping continuously check in a production network? – contributed in Certprepare)
    A. DHCP Snooping
    B. DHCP Relay
    C. DHCP Request
    D. DHCP Acknowledge
    E. DHCP Reply
    F. DHCP Allow
    Correct Answer: C

    A, B, E, and F aren’t valid DHCP packet types. If I had to choose one answer it would be C.

    http://www.omnisecu.com/tcpip/dhcp-dynamic-host-configuration-protocol-messages.php

  22. A dude and a book
    April 9th, 2018

    Question 31:

    Which type of packet does DHCP snooping continuously check in a production network?

    A. DHCP Snooping
    B. DHCP Relay
    C. DHCP Request
    D. DHCP Acknowledge
    E. DHCP Reply
    F. DHCP Allow

    As mentioned above, A, B and F are not valid packet types. Of C, D and E, C would be the most accurate, but both REQUESTs and REPLIES are intercepted while snooping is active. REQUESTs trigger the switch to confirm that a REPLY comes from a TRUSTED port. There is another feature that will intercept untrusted replies (option 82), and the switch will use its own MAC address in the response to help a client reach a real DHCP server.

    From the text “CCNP Routing Switching SWITCH 300-115 2015 pg 451” on DHCP Snooping:

    “A switch intercepts all DHCP REQUESTS coming from untrusted ports before flooding them throughout the VLAN. Any DHCP REPLIES coming from an untrusted port are discarded because they must have come from a rogue DHCP server. In addition, the offending switch port automatically is shut down in the errdisable state”
