Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the "ip dhcp snooping" global configuration command.
Step 2. On trusted ports, use the "ip dhcp snooping trust" interface configuration command.
Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the "ip dhcp snooping limit rate (rate in secs)" interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the "ip dhcp snooping vlan (vlan or vlan range)" global configuration command.
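As an added example (not from the original post and not Cisco's own tooling), the following Python script checks a running-config excerpt against the four steps above: it parses the global `ip dhcp snooping` and `ip dhcp snooping vlan` lines plus the per-interface `trust` and `limit rate` commands, then reports each untrusted port that lacks a rate limit or sits in a VLAN where snooping is not enabled. The config text, interface names and VLAN numbers are constructed for the example. The rate value in the IOS `limit rate` command is packets per second.

```python
import re
from typing import List, Optional, Set

# Constructed sample running-config excerpt; interface names and VLAN numbers
# are invented for this example, not taken from any real device.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-21
!
interface GigabitEthernet1/0/1
 description uplink toward the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
 ip dhcp snooping limit rate 15
!
"""


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '10,20-21' into {10, 20, 21}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> dict:
    """Collect global and per-interface DHCP snooping settings."""
    state = {"enabled": False, "vlans": set(), "interfaces": {}}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = {"trust": False, "limit_rate": None, "access_vlan": None}
            state["interfaces"][name] = current
            continue
        if not line.startswith(" "):
            current = None  # back at global configuration level
            if line == "ip dhcp snooping":
                state["enabled"] = True
            elif line.startswith("ip dhcp snooping vlan "):
                state["vlans"] |= expand_vlans(line[len("ip dhcp snooping vlan "):])
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "ip dhcp snooping trust":
            current["trust"] = True
        elif m := re.match(r"ip dhcp snooping limit rate (\d+)$", cmd):
            current["limit_rate"] = int(m.group(1))  # packets per second
        elif m := re.match(r"switchport access vlan (\d+)$", cmd):
            current["access_vlan"] = int(m.group(1))
    return state


def audit(text: str) -> List[str]:
    """Return one finding per gap against the four enablement steps."""
    state = parse_config(text)
    findings: List[str] = []
    if not state["enabled"]:
        findings.append("global: 'ip dhcp snooping' is not configured (step 1)")
    for name, intf in state["interfaces"].items():
        if intf["trust"]:
            continue  # trusted ports are neither filtered nor rate-limited (step 2)
        if intf["limit_rate"] is None:
            findings.append(f"{name}: untrusted port has no 'ip dhcp snooping limit rate' (step 3)")
        vlan = intf["access_vlan"]
        if vlan is not None and vlan not in state["vlans"]:
            findings.append(f"{name}: access VLAN {vlan} is not in 'ip dhcp snooping vlan' (step 4)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the script flags GigabitEthernet1/0/3 (no rate limit) and GigabitEthernet1/0/4 (VLAN 30 not covered by the snooping VLAN list). It only recognises the four commands from the steps; on a real switch, `show ip dhcp snooping` remains the authoritative view of what is actually in effect.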
DHCP snooping is a security feature in networking that helps prevent unauthorized or malicious DHCP servers from distributing incorrect IP addresses or configurations to network clients. One of its functions is to rate-limit certain DHCP traffic to protect against potential DHCP-based attacks. This helps ensure the integrity and security of the DHCP process within the network.
Indeed, DHCP snooping mitigates DoS attacks (such as a DHCP starvation attack). However, it would be more complicated to mitigate a DDoS attack with DHCP snooping.
B.
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
The answer is D (provides DDoS mitigation). One of the attacks that it prevents is the DHCP starvation attack, which is a denial of service.
Definitely not B.
Read carefully "rate-limit certain TRAFFIC !" it is not the same as limit the number of DHCP discovery messages!
rate-limit kinda ~ speed-limit. Definitely not what DHCP does.
Rate-limits DHCP traffic from trusted and untrusted sources.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/snoodhcp.pdf
I go with B, because:
In the DHCP process you have:
DHCP discover -> broadcast
DHCP Offer -> unicast
DHCP acknowledgement -> unicast
so we can sort out A, because there is no multicast packet in the DHCP procedure.
C and D are also bad, but because they are not in sight with dhcp...
Answer B is correct: https://community.cisco.com/t5/switching/ip-dhcp-snooping-limit-rate-command/td-p/1203764 . There is actually a command just for this rate limiting feature on both trusted and untrusted interfaces.
I think the answer is D (provides DDoS mitigation). One of the attacks that it prevents is the DHCP starvation attack, which is a denial of service.
Common Attacks Prevented by DHCP Snooping
DHCP Spoofing Attack
DHCP spoofing occurs when an attacker attempts to respond to DHCP requests, trying to list itself (spoof) as the default gateway or DNS server, hence initiating a man-in-the-middle attack. With that, it is possible that they can intercept traffic from users before forwarding it to the real gateway, or perform DoS by flooding the real DHCP server with requests to choke IP address resources.
DHCP Starvation Attack
A DHCP starvation attack commonly targets network DHCP servers, in a bid to flood the authorized DHCP server with DHCP REQUEST messages using spoofed source MAC addresses. The DHCP server will respond to all requests, not knowing this is a DHCP starvation attack, by assigning available IP addresses, resulting in the depletion of the DHCP pool.
https://community.fs.com/blog/what-is-dhcp-snooping-and-how-it-works.html
A denial-of-service (DoS) attack floods a server with traffic, making a website or resource unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple computers or machines to flood a targeted resource. Both types of attacks overload a server or web application with the goal of interrupting services.
The principal difference between a DoS and a DDoS is that the former is a system-on-system attack, while the latter involves several systems attacking a single system.
https://www.fortinet.com/resources/cyberglossary/dos-vs-ddos
From what I understand, a DDoS is still a denial of service, but originated from multiple sources.
Community vote distribution: A (35%), C (25%), B (20%), Other