
DHCP Snooping

September 4th, 2017 in SWITCH 300-115

Quick review of DHCP Spoofing:

DHCP_Spoofing_Attack.jpg

DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker’s IP address as the client’s default gateway, so all the traffic sent from the client goes through the attacker’s computer and the attacker becomes a “man-in-the-middle”.

The attacker has several ways to make sure the fake DHCP Response arrives first. In fact, if the attacker is “closer” to the client than the DHCP Server, he doesn’t need to do anything. Otherwise, he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

DHCP_Spoofing_Attack_Trust_Untrust_Ports.jpg

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

Question 1

Explanation

To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost as well.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dhcp.html#wp1090370

Question 2

Explanation

Static DHCP snooping binding defines a mapping between a fixed IP address and the client’s MAC address. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. This is how to configure a static DHCP snooping binding entry:

Switch#ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds

Question 3

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Therefore if the switch receives a packet that does not match any entries found in the DHCP binding database, that packet is assumed to be spoofed and will be discarded.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 4

Explanation

The command “ip verify source port-security” enables IP source guard with source IP and MAC address filtering. When using this command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdhcp82.html

Question 5

Explanation

The following restrictions apply to IP source guard:
+ Supported only on ingress Layer 2 ports (including access and trunk ports)
+ Supported only in hardware; not applied to any traffic that is processed in software.
+ Does not support filtering of traffic based on MAC address.
+ Is not supported on private VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.pdf

Question 6

Explanation

The DHCP snooping binding database contains information about untrusted hosts with leased IP addresses. Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number and interface information associated with the host.

Question 7

Explanation

The port connected to a DHCP server should be configured as a trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

Question 8

Explanation

The DHCP snooping database contains MAC address-to-IP address bindings which Dynamic ARP Inspection (DAI) uses to determine the validity of an ARP packet.

Question 9

Explanation

When IP Source Guard with source IP filtering is enabled on an untrusted interface, DHCP snooping must be enabled because it filters traffic based on IP information stored in the corresponding DHCP binding table entry.

Question 10

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.
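The following added example (not from the original page and not Cisco code) models how the binding table is built from snooped DHCP traffic and how DAI then checks an ARP packet's sender MAC, sender IP and ingress port against it, including the static-binding case for a host that never uses DHCP. The class and method names, port names, MAC addresses and IP addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # message types only a DHCP server sends


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str               # "dhcp-snooping" (learned) or "static" (configured)
    lease: Optional[int]    # seconds; None for a static entry


class SnoopingSwitch:
    """Hypothetical model of one switch; names are assumptions, not Cisco code."""

    def __init__(self, dhcp_trusted, arp_trusted=()):
        self.dhcp_trusted = set(dhcp_trusted)   # ports with "ip dhcp snooping trust"
        self.arp_trusted = set(arp_trusted)     # DAI trust is a separate per-port setting
        self.pending = {}                       # client MAC -> (vlan, port) awaiting an ACK
        self.bindings = {}                      # (vlan, ip) -> Binding

    def add_static_binding(self, mac, vlan, ip, interface):
        self.bindings[(vlan, ip)] = Binding(mac.lower(), ip, vlan, interface, "static", None)

    def dhcp_in(self, port, vlan, msg_type, client_mac, ip=None, lease=None):
        client_mac = client_mac.lower()
        if port not in self.dhcp_trusted:
            if msg_type in SERVER_MESSAGES:
                return "deny"                   # server message seen on an untrusted port
            self.pending[client_mac] = (vlan, port)
            return "permit"
        # Trusted port: an ACK for a known client creates the binding on the
        # client's (untrusted) port. Hosts behind trusted ports get no entry.
        if msg_type == "ACK" and client_mac in self.pending:
            p_vlan, p_port = self.pending.pop(client_mac)
            self.bindings[(p_vlan, ip)] = Binding(
                client_mac, ip, p_vlan, p_port, "dhcp-snooping", lease)
        return "permit"

    def arp_in(self, port, vlan, sender_mac, sender_ip):
        if port in self.arp_trusted:
            return "permit"                     # trusted ports are not inspected
        b = self.bindings.get((vlan, sender_ip))
        if b and b.mac == sender_mac.lower() and b.interface == port:
            return "permit"
        return "deny"                           # no binding, or MAC/port mismatch


def demo():
    sw = SnoopingSwitch(dhcp_trusted={"Fa0/1"}, arp_trusted={"Fa0/1"})
    results = {}
    # A server-type message arriving on an access port is rejected.
    results["rogue_offer"] = sw.dhcp_in("Fa0/15", 1, "OFFER", "00:00:00:00:00:14")
    # Normal lease: request on Fa0/14, ACK from the server on trusted Fa0/1.
    sw.dhcp_in("Fa0/14", 1, "REQUEST", "00:00:00:00:00:14")
    sw.dhcp_in("Fa0/1", 1, "ACK", "00:00:00:00:00:14", ip="10.0.0.14", lease=86400)
    results["owner_arp"] = sw.arp_in("Fa0/14", 1, "00:00:00:00:00:14", "10.0.0.14")
    results["spoofed_arp"] = sw.arp_in("Fa0/15", 1, "00:00:00:00:00:15", "10.0.0.14")
    # A statically addressed host has no learned binding until one is configured.
    results["static_host_before"] = sw.arp_in("Fa0/20", 1, "00:00:00:00:00:20", "10.0.0.20")
    sw.add_static_binding("00:00:00:00:00:20", 1, "10.0.0.20", "Fa0/20")
    results["static_host_after"] = sw.arp_in("Fa0/20", 1, "00:00:00:00:00:20", "10.0.0.20")
    results["binding_ports"] = sorted(b.interface for b in sw.bindings.values())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```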

Question 11

Explanation

The DHCP snooping database stores at least 8,000 bindings.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Question 12

Explanation

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html

Before enabling IP Source Guard, DHCP Snooping must be enabled as a prerequisite. Let’s see an example of how to configure IP Source Guard.

IP_Source_Guard.jpg

Enable DHCP Snooping first:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#int fa0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#int fa0/14
Switch(config-if)#ip dhcp snooping limit rate 20

Next we can start configuring IP Source Guard.

Switch(config)#int fa0/14
Switch(config-if)#ip verify source

IP Source Guard is configured at the access layer (in this case under interface Fa0/14) and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis. Any traffic which doesn’t match the binding entries is dropped in hardware.

If we want to enable IP source guard with source IP and MAC address filtering, use the command “ip verify source port-security” instead (port security and option 82 are not necessary if you are not using MAC verification).

Now that IP source guard is covered, let’s look at option 82.

When a client initially connects to a port protected by IP source guard (Fa0/14 of the switch in the above case), only DHCP discover and request messages are allowed; everything else is dropped. An important point to keep in mind is that at this point no traffic, including DHCP, will cause the switch to add an entry for the client in the CAM table, so when the DHCP server responds with an offer the switch will not know where to send the packet. And when DHCP snooping is enabled, replies from the DHCP server are not flooded out all ports if there is no entry in the CAM, so the DHCP offer will be dropped. To get around this, DHCP option 82 (or Relay Agent Information) is necessary. Option 82 is a frequently misunderstood value, likely because, unlike other options, it is not set by the DHCP server; rather, it is set by an intermediary device such as a DHCP relay agent or a switch. Option 82 is made up of two fields, the circuit ID and the remote ID.

When a DHCP packet is received on an untrusted port, the switch adds the option 82 information and sends it on its way. If the option 82 field already exists, the packet will be dropped (this behavior can be changed by using the ‘ip dhcp snooping information option allow-untrusted’ command under interface configuration). When the DHCP server receives the discover, it is expected to return the values in option 82 with its offer. Assuming that the server does support option 82 and returns an offer with the information intact, the switch determines whether it is the originator of the option 82 information by checking whether the MAC address in the remote ID field matches its own. It then looks at the VLAN, module, and port carried in the circuit ID field to find out which port the packet should be sent out. The switch then strips option 82 out of the packet and forwards it to the specified port. The same process occurs with the request and ack portion of DHCP. If the offer is sent back from the DHCP server without the option 82 information, the switch is unable to determine where the packet should be sent and drops it.

Reference: http://vcabbage.com/networking/2010/08/07/ip-source-guard.html
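The option 82 round trip described above, as an added example that is not part of the original page or of any Cisco software: the switch tags a client packet on ingress, then uses the echoed remote ID and circuit ID to pick the egress port and strips the option. It assumes the default Catalyst sub-option layout (circuit ID = type 0, length 4, VLAN, module, port; remote ID = type 0, length 6, switch MAC); the function names, the switch MAC and the sample packets are constructed for illustration.

```python
import struct

OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2           # RFC 3046 sub-option codes

SWITCH_MAC = bytes.fromhex("001122334455")     # constructed switch MAC
# Constructed DHCP options field of a DISCOVER: message type + parameter list.
DISCOVER_OPTIONS = bytes([53, 1, 1, 55, 2, 1, 3, OPT_END])


def parse_tlvs(raw, dhcp_options=False):
    """Split code/length/value triples; honour Pad and End for DHCP options."""
    out, i = [], 0
    while i < len(raw):
        code = raw[i]
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if dhcp_options and code == OPT_END:
            break
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        out.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def add_option82(options, vlan, module, port, switch_mac):
    """Client packet on an untrusted port: insert option 82, or None to drop."""
    opts = parse_tlvs(options, dhcp_options=True)
    if any(code == OPT_RELAY_INFO for code, _ in opts):
        return None                            # option 82 already present: drop
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote = struct.pack("!BB6s", 0, 6, switch_mac)
    value = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
             + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return encode_options(opts + [(OPT_RELAY_INFO, value)])


def route_server_reply(options, own_mac):
    """Server reply: decide the egress port from option 82 and strip it."""
    opts = parse_tlvs(options, dhcp_options=True)
    relay = [v for c, v in opts if c == OPT_RELAY_INFO]
    if not relay:
        return ("drop", "no option 82 in reply")
    subs = dict(parse_tlvs(relay[0]))
    remote, circuit = subs.get(SUB_REMOTE_ID), subs.get(SUB_CIRCUIT_ID)
    if remote is None or circuit is None or len(remote) != 8 or len(circuit) != 6:
        return ("drop", "malformed option 82")
    if remote[2:] != own_mac:
        # The page only covers the case where the switch is the originator.
        return ("not-originator", "remote ID belongs to another device")
    vlan, module, port = struct.unpack("!HBB", circuit[2:])
    stripped = encode_options([(c, v) for c, v in opts if c != OPT_RELAY_INFO])
    return ("forward", (vlan, module, port), stripped)


if __name__ == "__main__":
    tagged = add_option82(DISCOVER_OPTIONS, 1, 0, 14, SWITCH_MAC)
    echoed = dict(parse_tlvs(tagged, dhcp_options=True))[OPT_RELAY_INFO]
    offer = encode_options([(53, b"\x02"), (OPT_RELAY_INFO, echoed)])
    print(echoed.hex())
    print(route_server_reply(offer, SWITCH_MAC))
    print(route_server_reply(encode_options([(53, b"\x02")]), SWITCH_MAC))
```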

Question 13

Question 14

Explanation

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html

Comments
  1. john
    April 20th, 2015

    I don’t get Q10

  2. Nike
    April 21st, 2015

    DAI

  3. Mike
    April 26th, 2015

    Q6: Answer should be B, not A.

  4. maximax
    April 27th, 2015

    Mike A is right.

    The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.pdf

  5. Need Helping
    May 1st, 2015

    Guys please take a coffee break, a cigarette if you smoke and come back and read slowly what the untrusted port purpose is for:
    The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

  6. john
    June 1st, 2015

    is Q10 a complete question?

  7. JBeam
    June 13th, 2015

    @ John would it make more sense if it was worded like this?
    Which switch feature determines validity of all ARP requests and responses on untrusted ports based on IP-to-MAC address bindings that are stored in a trusted database?

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdynarp.html

  8. cls
    June 30th, 2015

    For Q4 why is it not b?

  9. Cee Baaddy
    July 11th, 2015

    Q6 wrong

    answer is B

    dunnndddaaaag nyooon

  10. Rafi
    July 15th, 2015

    Q6 ans A is correct !

    “Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.”

    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security/n1000v_security_12dhcpsnoop.html

  11. uxorious01
    July 24th, 2015

    Question #6 correct answer is A

    Question #10 the key word is “trusted”

    The only IP-to-MAC address bindings are
    1: ARP
    2: DHCP

    One is trusted and the other is untrusted.

    Remember:
    ARP – Trusted
    DHCP – Untrusted

    and you will get them right on the exam

  12. Tedy_Bear
    August 23rd, 2015

    Q6 – Correct answer is A untrusted

    DHCP Snooping Binding Database

    The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

    The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

  13. certprepare
    August 29th, 2015

    Because of copyrighted issues, certprepare had to remove all questions and answers. You can download them at http://www.mediafire.com/view/9mq20kx0mgam6k7/SWITCH_July_2015.pdf

  14. reezinmohamed
    September 2nd, 2015

    Question 10 Answer A is correct

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swdynarp.html#wp1041210

    *Intercepts all ARP requests and responses on untrusted ports

    •Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

    •Drops invalid ARP packets

  15. Correct
    September 22nd, 2015

    Question 2 is incorrect. If you read the question carefully it says a server with a “static” IP. This server would not be getting a DHCP static binding it is not using DHCP. You would label this port as a trusted source. Answer is C.

  16. DAI
    October 8th, 2015

    my name is DAI

  17. Lucky
    October 14th, 2015

    @Correct is correct…

  18. alb
    October 20th, 2015

    @Correct just might be right, but don’t focus too much on ‘DHCP’ instead consider an option saying ‘configure a static… entry’ and that gives it a different meaning to your interpretation.

  19. Rajeev
    October 27th, 2015

    Guys, Q7 it asks for “Which command is needed to enable DHCP snooping if a switchport is connected to a DHCP server?”
    to enable DHCP snooping, the answer is B isn’t it?

  20. Study for Switch
    November 8th, 2015

    Question 2, correct answer would be B. We only configure ip dhcp snooping trust command ONLY on interface where “DHCP SERVER” is connected or on trunk interfaces connecting to other switches. If any machine with static ip address is connected on switch configured with dhcp snooping, we do NOT mark that port as ip dhcp snooping trust but add a static dhcp snooping binding entry. Hope it is clear now

  21. Ramadan
    November 10th, 2015

    Hi Guys, I agree with Rajeev’s answer. Before trusting any port for DHCP server. we have to enable DHCP snooping globally by using ip dhcp snooping.
    if you didn’t write this command the dhcp snooping will be disabled
    I believe the answer is B

  22. uche
    December 8th, 2015

    @Ramadan, the question refers to “switchport”.

  23. helper
    February 18th, 2016

    I don’t know why Q10 looks weird at first.. but after a while.. looking at it and thinking about it, it makes perfect sense… the fact that it says IP TO MAC should be a dead giveaway that it’s DAI..

  24. helper
    February 21st, 2016

    i also have a problem with question 2.. i chose C, but the pdf claims B. now look at Q7..

    basically the same question worded differently… Q2 is C by that regard.

  25. Stikazzi
    February 21st, 2016

    Q2: Option 82 is added by the switch that inspects the DHCP request. As far as I know this behavior is enabled by default but it could be disabled, so I don’t understand why the official documentation for the 2960 router says that the DHCP must support option 82.
    There is a nice article here, but it does not talk about the specific case where “ip source verify” is enabled.
    I would go with C…but still I am not sure.

  26. Stikazzi
    February 21st, 2016

    I forgot to add the link with the article: http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

  27. Stikazzi
    February 21st, 2016

    Q2: I changed my mind after reading this wonderful article:
    http://brbccie.blogspot.com/2013/03/dhcp-snooping-and-option-82.html

    We have two aspects to consider:

    1 – IP SOURCE GUARD FEATURE: detects IP spoofing (optionally MAC spoofing). Must be enabled per port. “After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping” allowing the client to send a request to the DHCP. In addition to that, the question specifies that IPSG is enabled on client ports only. THIS FEATURE IS NOT THE PROBLEM. We don’t need to create a static entry! In addition to that, option C does not state to create a static entry for IPSG

    2 – DHCP SNOOPING FEATURE when DHCP snooping is enabled all ports are untrusted by default. On this kind of port DHCP replies cannot be received. Now, the question does not mention whether the port on the switch connected to the router/DHCPserver is trusted or not but as far as I understand , in case the port is untrusted , the DHCP reply is simply dropped. Static mapping is not used to allow DHCP replies. You can create static entries, but they are used from other features such as DAI or IPSG

    Considering the lab you can see following the link at the top of this post, it is clear that Option82 is enabled by default when DHCP snooping is activated and it is also clear that we have two workarounds to get rid of the option 82 issue (read the article to know what they are).

    As far as I know, —->there is no way to create a static entry<—— for DHCP snooping database. You could create one for the IPSG, but in this case it is not necessary

  28. Stikazzi2
    February 22nd, 2016

    Q2: I changed my opinion: Answer must be that option 82 must be enabled. If you take a look at the documentation, you will find that the only way to block a DHCP reply….. is either to set the port in untrust mode. Static entries have nothing to do with DHCP snooping itself: they are used by either IPSG or DAI, but in this case the question states that IPSG has not been enabled on the server port.

  29. SkipTrace
    February 24th, 2016

    Q11 on the Exam is one of the worst questions I’ve seen.. The question asks:
    Which option is the minimum number of bindings that the DHCP snooping database can store?

    According to Cisco docs the MAXIMUM is 2000 entries, but I swear on the actual exam is asked for minimum which makes no sense… Can anyone confirm?

  30. SkipTrace
    February 24th, 2016

    Oh, and in the dump it says 8000 which apparently is completely wrong!

  31. Stikazzi2
    February 25th, 2016
  32. vivvi
    February 27th, 2016

    I would go with the Catalyst instead of the Nexus docs

  33. xxx
    February 28th, 2016

    SkipTrace: can confirm exam says minimum entries with the lowest option being 1000, slightly stuck, seems the wording is wrong?

  34. xxx
    February 28th, 2016

    Looks like Stikazzi2 is right. answer must be 8000

    •The DHCP snooping database stores at least 8,000 bindings.

  35. Spongebob
    February 29th, 2016

    Good Day all,
    I would like to know if there is any way I can see the questions discussed above? I can currently only see answers? Thanks a lot this page is amazing! Happy studying to everyone!

  36. Lucky19th
    March 2nd, 2016

    For the following Question
    A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP
    snooping. For more protection against malicious attacks, the network team is considering enabling dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server maintains network reachability in the future?
    A. Disable DHCP snooping information option.
    B. Configure a static DHCP snooping binding entry on the switch.
    C. Trust the interface that is connected to the server with the ip dhcp snooping trust command.
    D. Verify the source MAC address of all untrusted interfaces with ip dhcp snooping verify macaddress
    command.
    The Dump says B.
    But any reason why C is not the right answer?
    Thanks for the help.

  37. Speedy 6 Nipples
    March 11th, 2016

    I think the DHCP snooping regarding database binding minimums is not graded in the exam. It is well known that Cisco includes non-graded “beta” test questions. I found the following information for the Cisco 7600 series router/L3 switch:

    DHCP Snooping Configuration Restrictions

    When configuring DHCP snooping, note these restrictions:

    The PFC2 does not support DHCP snooping.
    With releases earlier than Release 12.2(18)SXF5, the DHCP snooping database stores a maximum of 512 bindings. If the database attempts to add more than 512 DHCP bindings, all bindings are removed from the database.
    With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.
    With Release 12.2(18)SRA and later releases, the DHCP snooping database stores at least 64,000 bindings.

    Looking through current and previous CCNP Switch cert guides, there is no mention of the minimum or maximum number of entries in the DHCP snooping entries database.

  38. Speedy 6 Nipples
    March 11th, 2016

    I found this information on the Cisco 3750G regarding DHCP snooping database bindings:

    DHCP Snooping Binding Database

    When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.

  39. Speedy 6 Nipples
    March 18th, 2016

    Q6:
    Answer is A
    ————————————-
    The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1101941

  40. FustratedCCNPLoser
    March 26th, 2016

    My exam was taken on 3/25/2016 as I ended up with a humiliating 643/1000. All my study material was from the CiscoPress eBook (300-115), CBT Nuggets, VCE dumps (191q) and Certprep (SWITCH_JULY_2015). I put in 6-7 study hours a day for nearly a month to pass 300-115 with extreme confidence, but I was shot down when I was roasted by the exam. The latest dumps from this site only covered about 25% of the questions given, but all the Lab Sim simulation were correct as I had LACP with STP / HRSP / AAA. I was easily able to finish the lab sims on the exam with success but fell way short when it came the questions with educated guesses. I would like to know if anyone can help me out to receive the latest dumps soon. Thanks. c_brotha @ yahoo.com

  41. DHCP Snooper
    May 4th, 2016

    The DHCP database can hold more than 8000 entries. Here’s proof.

    I added more than 8000 entries to the DHCP binding table using the exec command (not a config command btw). I used a spreadsheet to construct the entries. Once added successfully to a 3750 switch, I configured a DHCP snooping agent to write them to flash. Then I used the IOS to count the lines containing the interface and the number was > 8000.

    The database format is in clear text and is published by Cisco. There is one entry per line with the interface name in it.

    The configuration:
    C3750#show run | include snoop
    ip dhcp snooping database flash:/dhcpsnoop <– writes to the local flash
    ip dhcp snooping database write-delay 30 <– wanted to force it to write more often for testing
    ip dhcp snooping database timeout 301 <– Just testing the values
    ip dhcp snooping <– turns it on

    C3750#dir flash:dhcpsnoop
    Directory of flash:/dhcpsnoop

    430 -rwx 698605 Mar 1 1993 11:00:49 +00:00 dhcpsnoop <– proof the database exists and got pretty big

    C3750#more dhcpsnoop | count Gi1/0/1 <– count the lines that contain the interface added
    Number of lines which match regexp = 8519 <– Absolute proof that the "snooping database" holds at least 8000 lines.

    C3750#show ip dhcp snooping binding <– Sample bindings… I hit CTRL-C
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    —————— ————— ———- ————- —- ——————–
    00:00:00:00:84:92 10.0.34.44 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:84:69 10.0.34.21 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:77:75 10.0.31.95 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:76:56 10.0.31.232 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:75:23 10.0.30.99 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:72:80 10.0.29.112 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:71:86 10.0.29.18 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:70:62 10.0.28.150 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:58:51 10.0.23.219 infinite dhcp-snooping 1 GigabitEthernet1/0/1
    00:00:00:00:58:20 10.0.23.188 infinite dhcp-snooping 1 GigabitEthernet1/0/1

    Total number of bindings: 8519

    C3750#show ip dhcp snooping binding | include Total
    Total number of bindings: 8519 <– Proof the in-memory binding table holds "at least" 8000 entries

    C3750#show ver
    Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(50)SE3, RELEASE SOFTWARE (fc1) <– Proof of Catalyst based 3750 switch which is most relevant.

  42. Milton
    May 10th, 2016
  43. Veritrini
    May 30th, 2016

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/dhcp_snooping.pdf

    This document states it’s at least 12,000 bindings. This leads me to believe that the number of bindings vary per switch model.

    Can anyone clarify this?

  44. Wally
    June 1st, 2016

    That Q11 is a shambles. Also surely it’s Maximum not Minimum ?

  45. MrRight
    June 20th, 2016

    Which option is the minimum number of bindings that the DHCP snooping database can store?

    The right answer is 8000. In the actual exam said “minimum” but they mean “maximum”

    Cisco Nexus 7000 Series ( NX-OS ) DHCP snooping database can store 2000 bindings.

    Cisco Catalyst 6500 Series ( IOS series 12.2SX ) DHCP snooping database can store 8000 bindings.

  46. CLI
    July 4th, 2016

    Q2: the network team is considering enabling dynamic ARP inspection alongside DHCP snooping.
    R/B:Configure a static DHCP snooping binding entry on the switch.

  47. sii
    August 23rd, 2016

    hi all
    can any one send the vce player sopprusbarbosa at gmail . com

  48. cg
    October 22nd, 2016

    DHCP snooping Q7
    can anybody clarify the situation?
    “ip dhcp snooping” is needed to enable the function;
    “ip dhcp snooping trust” on the interface is required to keep dhcp working with the server attached to this port.
    Which of the two answers is for this question?

  49. Felizardo Miguel
    November 7th, 2016

    Answer question from teehee:
