Home > DHCP Snooping

DHCP Snooping

March 20th, 2017 in SWITCH 300-115 Go to comments

Quick review of DHCP Spoofing:


DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.


Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Question 1


To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dhcp.html#wp1090370

Question 2


Static DHCP snooping binding defines a mapping between a fixed IP address and the client’s MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is how to configure a static DHCP snooping binding entry:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3


IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that packet is assumed to be spoofed and will be discarded.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4


The command “ip verify source port-security” enables IP source guard with source IP and MAC address filtering. When using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html

Question 5


The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.pdf

Question 6


The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7


The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

Question 8


DHCP snooping database contains MAC address-to-IP address bindings which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9


When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10


The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.

Question 11


The DHCP snooping database stores at least 8,000 bindings.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Comment pages
1 2 761
  1. Felizardo Miguel
    November 7th, 2016

    Anserw question from teehee:

  2. Dumps Updates
    November 17th, 2016

    I passed the exam tomorrow with 96%. This dumps http://www.testmayor.com/300-115-test.html is valid and all my questions are from this. Need to notice that there is slight change of the answer orders, so be awarded. Read the book and then use these dumps as an aid. Good luck to you all.

  3. rava
    November 20th, 2016

    At least 8000 bindings can be stored on DHCP snooping database with Releases after 12.2(18)SXF5.

  4. John
    December 13th, 2016

    I passed the CCNP (Routing & Switching) 642-648 exam with 90%. Almost each question is from this http://www.grades4sure.com/642-648-exam-questions.html dumps! Such a great work, guys! You can pass the exam easily by using this material alone. About 3 questions were new but all were easy. Thanks for your help!

  5. AXX
    December 22nd, 2016

    Q11 – minimum is not equal to: 1) can store, 2) at least, or 3) up to

    Guidelines and Limitations
    DHCP snooping has the following configuration guidelines and limitations:

    •The DHCP snooping database can store 2000 bindings.


    DHCP Snooping Configuration Restrictions

    • With releases earlier than Release 12.2(18)SXF5, the DHCP snooping database stores a maximum of 512 bindings. If the database attempts to add more than 512 DHCP bindings, all bindings are removed from the database.

    • With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.


    DHCP Snooping Binding Database
    When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.


    DHCP Snooping Configuration Restrictions
    • The DHCP snooping database stores at least 12,000 bindings


  6. shrek
    December 23rd, 2016

    in Q7 it ask “Which command is needed to enable DHCP snooping …” not “which command is needed to configure a port as a trusted port” so the answer should be “ip dhcp snooping” not “ip dhcp snooping trust” right? please correct me if i’m wrong.
    thnk u in advance

  7. Jake
    December 27th, 2016

    Q7 is correct because the last part of the question specifies it “if a switchport is connected to a DHCP server”. The questions is asking about port configuration not global.

  8. noman
    January 11th, 2017

    Which option is the minimum number of bindings that the DHCP snooping databas can store???


  9. Anonymous
    January 11th, 2017

    8000 binding

  10. Digit-All
    May 21st, 2017

    Shrek “ip dhcp snooping trust” is specific to an interface connected to dhcp server while “ip dhcp snooping” is a global command. So, answer is correct.

Comment pages
1 2 761
  1. No trackbacks yet.