An engineer is implementing DHCP security mechanisms and needs the ability to add additional attributes to profiles that are created within Cisco ISE. Which action accomplishes this task?
A. Use DHCP option 82 to ensure that the request is from a legitimate endpoint and send the information to Cisco ISE.
B. Define MAC-to-IP address mappings in the switch to ensure that rogue devices cannot get an IP address.
C. Modify the DHCP relay and point the IP address to Cisco ISE.
D. Configure DHCP snooping on the switch VLANs and trust the necessary interfaces.
C is correct:
Under the same interfaces, another ip helper-address command is configured to point to the ISE PSN interface enabled with the DHCP probe. The ISE Policy Service node will not reply to these packets, but the goal is simply to send a copy of the requests to ISE for parsing of DHCP attributes. It is possible to configure multiple IP Helper targets on Cisco devices to allow multiple ISE Policy Service nodes to receive copies of the DHCP requests.
https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId-826550277
DHCP Option 82, also known as the DHCP Relay Agent Information Option, is a feature that allows network devices to add additional information to DHCP requests.
https://www.cisco.com/c/es_mx/support/docs/wireless/4400-series-wireless-lan-controllers/113302-dhcp-option82-00.html
Answer D.
The task was to implement DHCP security (#1) and the ability to add additional attributes to profiles that are created within ISE (#2).
Additional attributes (#2) could be added with answer A (DHCP option 82).
DHCP security (#1) is implemented with answer D. Enabling DHCP snooping also enables DHCP option 82. So both tasks are fulfilled with this.
Answer C makes no sense because of "Modify". Furthermore, this answer fails to achieve both goals.
It seems that the 2nd ip-helper address for ISE is already configured.
https://community.cisco.com/t5/switching/why-does-dhcp-snooping-insert-option-82-at-all/td-p/3091608
I thought maybe C was the better option, but it says "Modify". Which means you would be changing the current IP Helper and not adding a helper. I feel C would be a better answer if it said "Add".
Actually the IP Helper pointing to the ISE server is to send attributes to the ISE server for profiling purposes. IP Helpers can also be used for other purposes...
Community vote distribution: A (35%), C (25%), B (20%), Other