Home > DHCP Snooping 2

DHCP Snooping 2

March 24th, 2018 in SWITCH 300-115 Go to comments

Question 1

Explanation

The DHCP snooping database stores at least 8,000 bindings.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Question 2

Explanation

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html

Before enabling IP Source Guard, DHCP Snooping must be enabled as a prerequisite. Let’s see an example of how to configure IP Source Guard.

IP_Source_Guard.jpg

Enable DHCP Snooping first:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#int fa0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config)#int fa0/14
Switch(config-if)#ip dhcp snooping limit rate 20

Next we can start configuring IP Source Guard.

Switch(config)#int fa0/14
Switch(config-if)#ip verify source

IP Source Guard is configured at the access layer (in this case under interface Fa0/14) and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis. Any traffic which doesn’t match the binding entries is dropped in hardware.

If we want to enable IP source guard with source IP and MAC address filtering, use the command “ip verify source port-security” instead (Port security and option 82 is not necessary if you are not using MAC verification).

Well now maybe you understand about IP source guard. Let’s learn about option 82.

When a client initially connects to a port protected by IP source guard (Fa0/14 of the switch in the above case) only DHCP discover and request messages are allowed, everything else is dropped. An important point to keep in mind is that at this point no traffic, including DHCP, will cause the switch to add an entry for the client in the CAM table and therefore when the DHCP server responds with an offer the switch will not know where to send the packet. And when DHCP snooping is enabled, replies from the DHCP server are not flooded out all ports if there is no entry in the CAM, so the DHCP offer will be dropped. To get around this, DHCP option 82 (or Relay Agent Information) is necessary. Option 82 is a frequently misunderstood value, likely because unlike other options it is not set by the DHCP server, rather it is set by an intermediary device such as a DHCP relay agent or a switch. Option 82 is made up of two fields, the circuit ID and remote ID.

When a DHCP packet is received on an untrusted port the switch adds the option 82 information and sends it on it’s way, if the option 82 field already exists the packet will be dropped (this behavior can be changed by using the ‘ip dhcp snooping information option allow-untrusted’ command under interface configuration). When the DHCP server receives the discover it is expected to return the values in option 82 with it’s offer. Assuming that the server does support option 82 and returns an offer with the information intact, the switch will determine whether it is the originator of the option 82 information by checking whether the MAC address in the remote ID field matches it’s own, it then looks at the VLAN, module, and port carried in the circuit ID field to find out which port the packet should be sent out, the switch then strips option 82 out of the packet and forwards it to the specified port. The same process will occur with the request and ack portion of DHCP. If the offer is sent back from the DHCP server without the option 82 information the switch is unable to determine where the packet should be sent and drops it.

Reference: http://vcabbage.com/networking/2010/08/07/ip-source-guard.html

Question 3

Question 4

Explanation

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html

Question 5

Explanation

To configure DHCP snooping feature, at least three steps must be done:

Sequence and Description Command
1. Configure global DHCP snooping Switch(config)# ip dhcp snooping
2. Configure trusted ports (as least on 1 port).
By default, all ports are untrusted
Switch(config-if)# ip dhcp snooping trust
3. Configure DHCP snooping for the selected VLANs Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}

Other steps are just optional:

+ Configure DHCP Option 82
Switch(config)# ip dhcp snooping information option

+ Configure the number of DHCP packets per second (pps) that are acceptable on the port:
Switch(config-if)# ip dhcp snooping limit rate {rate}

Reference: SWITCH Student Guide

Note: To configure DHCP snooping with Dynamic ARP Inspection we need to add the command “ip arp inspection vlan vlan-id” in global configuration mode and “ip arp inspection trust” in interface mode.

Question 6

Explanation

The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Question 7

Question 8

Question 9

Explanation

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html

Note: In fact this question is same as Question 14 of https://www.certprepare.com/dhcp-snooping

Question 10

Explanation

Note: To configure DHCP snooping with Dynamic ARP Inspection we need to add the command “ip arp inspection vlan vlan-id” in global configuration mode and “ip arp inspection trust” in interface mode.

Comments
  1. mashir
    May 13th, 2018

    Refer to the exhibit. Which configuration on the HSRP neighboring device ensures that it becomes the active HSRP device in the event that port fa1/1 on Switch_A goes down

    Switch_A(config-if)# ip address 10.10.10.1 255.255.255.0
    Switch_A(config-if)# standby 1 priority 200
    Switch_A(config-if)# standby 1 preempt
    Switch_A(config-if)# standby 1 track interface fa 1/1
    Switch_A(config-if)# standby 1 ip 10.10.10.10

    A.
    Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
    Switch_B(config-if)#standby 1 priority 200
    Switch_B(config-if)#standby 1 preempt
    Switch_B(config-if)#standby 1 ip 10.10.10.10
    Switch_B(config-if)#standby 1 track interface fa 1/

    C.
    Switch_B(config-if)#ip address 10.10.10.2 255.255.255.0
    Switch_B(config-if)#standby 1 priority 195
    Switch_B(config-if)#standby 1 preempt
    Switch_B(config-if)#standby 1 ip 10.10.10.10

    in pdf the answer is “c” but how please explain

  2. Anonymous
    May 20th, 2018

    SW_A is tracking fa1/1 if it goes down tracking decrements swA priority by 10 and then because SW_B has higher priority of 195 it will become active.

  3. DUMPS
    June 6th, 2018

    latest dumps.
    100% Guaranteed VALID passing Material

    CCNA 200-125 LAtest Dumps
    CCNP ROUTE 300-101 Latest Dumps
    CCNP SWITCH 300-115 LAtest Dumps
    CCNP TSHOOT 300-135 LAtest Dumps
    CCIE R&S 400-101 LAtest Dumps

    CALL For any HELP:: 001 (347) 696-4896

    COPY BELOW LINK:
    docdro.id/DztJppO

  1. No trackbacks yet.