An administrator is configuring a DHCP server to better secure their environment. They need to be able to rate-limit the traffic and ensure that legitimate requests are not dropped. How would this be accomplished?
Folks, we have lots of wrong answers verified and provided by "experts", there's no need to supply wrong answers by ourselves here. You can't add entries to DHCP snooping database. It's wrong answer. The only case when you create mapping of IP to MAC and VLAN and port is configuring "ip source guard" but it is not the same as DHCP snooping.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed.
https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/www.cisco.com/content/dam/en/us/td/docs/switches/lan/catalyst4500/XE35-0XO/configuration/guide/dhcp.fm/jcr:content/renditions/config_dhcp.html.xml
If you want to configure DAI (Dynamic ARP Inspection) and IP Source Guard (IPSG), you must add statically assigned IP addresses to the DHCP snooping database, as DAI and IPSG use it.
Depending on platform and version you can add static entries into the DHCP snooping database:
- Router# ip dhcp snooping binding binding_id vlan vlan_id interface interface expiry lease_time
- Switch# ip dhcp snooping binding mac-addr vlan vlan ipaddr interface ifname expiry lease-in-seconds
Please, do not call someone "expert" just because you are not.
Basically, DHCP snooping drops DHCP offers on untrusted ports. However, Catalyst switches do not forward DHCP discovers on untrusted ports. If you do not trust the port of the valid DHCP server, then the legitimate discovers will be dropped. That is why I choose A. See source below:
https://networklessons.com/switching/dhcp-snooping
This answer is A as shown below from the official cert guide, don't overthink it.
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An
untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks,
the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
The following steps are required to implement DHCP snooping on your network:
Step 1. Define and configure the DHCP server. Configuration of this step does not take
place on the switch or router and is beyond the scope of this book.
Step 2. Enable DHCP snooping globally.
Step 3. Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is
inactive on all VLANs.
Step 4. Ensure that the DHCP server is connected through a trusted interface.
By default, the trust state of all interfaces is untrusted.
Step 5. Configure the DHCP snooping database agent. This step ensures that database
entries are restored after a restart or switchover.
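The five steps above, written out as a Catalyst IOS configuration. This is an added example, not text from the cert guide or from anyone in this thread; the interface names, VLAN numbers, rate value and TFTP URL are assumptions chosen for illustration.

```cisco
! Added example (not from the cert guide or the thread). Interface names,
! VLANs, the 15 pps limit and the TFTP URL are assumptions for illustration.
!
! Step 2: enable DHCP snooping globally
ip dhcp snooping
!
! Step 3: enable it on the VLANs that carry client traffic
ip dhcp snooping vlan 10,20
!
! Step 5: database agent so bindings survive a reload
ip dhcp snooping database tftp://192.0.2.10/dhcp-snoop.db
ip dhcp snooping database write-delay 30
!
! Step 4: the port facing the DHCP server (or the upstream switch that
! leads to it) must be trusted, otherwise OFFER/ACK arriving there are dropped
interface GigabitEthernet1/0/1
 description uplink to DHCP server
 ip dhcp snooping trust
!
! Access ports stay untrusted and get a per-port rate limit so a
! DHCP-starvation flood cannot exhaust the switch CPU
interface range GigabitEthernet1/0/2 - 24
 description user access ports
 ip dhcp snooping limit rate 15
!
! A port that exceeds its limit goes err-disabled; let it recover by itself
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

Verify with `show ip dhcp snooping` (trust state and rate limit per interface) and `show ip dhcp snooping binding` (the learned bindings). One caveat on "legitimate requests are not dropped": by default the switch inserts DHCP option 82 into relayed client packets with giaddr 0.0.0.0, and an IOS DHCP server or an upstream snooping switch drops such packets unless it is told to trust them (`no ip dhcp snooping information option` on the access switch, or `ip dhcp relay information trust-all` on the server/relay side).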
It's possible to do this with D, e.g. downloading the snooping database from a TFTP server (taken from the DHCP server)... but cumbersome... I am not sure if that is enough; the answer shall be A
or D....
source - any IOS, IOS-XE, NX-OS... DHCP snooping config guide... https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus3548/103x/configuration/security/cisco-nexus-3548-nx-os-security-configuration-guide-103x/m-configuring-dhcp-snooping.pdf
Answer is not A, I know because this is one of my few mistakes from a couple of days ago. Admin, if you are reading this, please provide the correct answer, and I ask you not to post this comment.
Answer A
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
Vote for A
Ensure that legitimate requests are not dropped (without trusted interface the traffic is dropped).
This will also satisfy the request "able to rate-limit the traffic". "Able to", meaning it can be configured.
I choose "A". The question said "An administrator is configuring a DHCP server", so the DHCP server is a new setup; it should not have had a trusted interface before, and we need to set it up once the DHCP server is newly installed.
Finally, I choose "C". Rate limiting would not be enabled by default when ip dhcp snooping is configured. However, it will be enabled on untrusted interfaces once ARP inspection is enabled.
DHCP snooping has no default rate limit
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/snoodhcp.pdf
hence only C makes sense
D is the correct answer!
A enables trust on the interface connected to the DHCP server. The trust statement has nothing to do with rate limits!
C is also not correct! You can't set a rate limit on ARP inspection.
But with D,
Switch(config-if)#ip dhcp snooping limit rate ?
<1-2048> DHCP snooping rate limit
Switch(config-if)#ip dhcp snooping limit rate
Answer is C
Setting a trusted interface is setting the rate limit to unlimited, so A is wrong.
DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to prevent a denial of service attack. By default, the rate for untrusted interfaces is set to 15 packets per second, whereas trusted interfaces have no rate limit.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html#75013
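DAI and its rate limit as an added configuration example, not from the linked guide or from any post in this thread. It shows the untrusted-port default quoted above (15 pps) set explicitly, the trusted uplink, and a static binding for a host that does not use DHCP, since DAI validates against the DHCP snooping binding table. VLAN, interface names, the MAC and the IP are assumptions for illustration.

```cisco
! Added example (not from the thread or the Cisco guide). VLAN 10, the
! interface names, the MAC address and 192.0.2.50 are assumptions.
!
! DAI depends on the DHCP snooping binding table, so snooping comes first
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI on the VLAN and check the ARP body against the Ethernet header
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Static host (printer, server with a fixed IP) that never sends DHCP:
! add it to the binding table or DAI will drop its ARP replies
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/10
!
! Uplink toward the DHCP server / core: trusted for both features, no rate limit
interface GigabitEthernet1/0/1
 description uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted; 15 pps is the DAI default, written out here so
! the intended limit is visible in the running config
interface range GigabitEthernet1/0/2 - 24
 ip arp inspection limit rate 15 burst interval 1
!
! Ports that exceed the ARP rate go err-disabled; recover automatically
errdisable recovery cause arp-inspection
```

Check the result with `show ip arp inspection interfaces` (trust state and rate per port) and `show ip arp inspection vlan 10`; `show ip arp inspection statistics` shows forwarded versus dropped ARP counts, which is where a mis-trusted uplink shows up first.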
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (highly voted):
- zheka (3 years, 4 months ago)
- Rododendron2 (11 months, 3 weeks ago)
- BoxX (1 year, 9 months ago)
- Random000 (2 years, 7 months ago)
- psuoh (2 years, 3 months ago)
Commenters (most recent):
- Premium_Pils (6 months, 2 weeks ago)
- Demon_Queen_Velverosa (7 months, 1 week ago)
- Rododendron2 (11 months, 3 weeks ago)
- 4pelos (1 year, 1 month ago)
- xziomal9 (1 year, 5 months ago)
- kvothe86 (1 year, 8 months ago)
- Cokamaniako (1 year, 9 months ago)
- BoxX (1 year, 9 months ago)
- Bandito (1 year, 10 months ago)
- gc999 (1 year, 10 months ago, three comments)
- Jessie45785 (1 year, 10 months ago)
- Dorr20 (2 years ago)
- angry (2 years, 1 month ago)
- Totosos1 (2 years, 1 month ago)
- psuoh (2 years, 3 months ago, two comments)
- Emlia1 (2 years, 4 months ago)