Question 52

Which of the following statements about DHCP snooping are correct? (Select all that apply.)

CCNA Question 52 - Answer and Explanation

Correct Answer: A,B,D

Detailed Explanation: DHCP snooping is a security feature available on many Cisco switches that plays a critical role in preventing attacks related to the Dynamic Host Configuration Protocol (DHCP). It is designed to protect the network from unauthorized DHCP servers and to ensure that clients receive IP configuration information only from trusted sources.

A. Preventing Unauthorized DHCP Servers: One of the primary functions of DHCP snooping is to ensure that only authorized DHCP servers are allowed to distribute IP addresses on the network. By designating specific ports as trusted (typically uplink ports connected to legitimate DHCP servers) and leaving all other ports as untrusted, the switch can filter DHCP messages. If an untrusted port attempts to send a DHCP offer, the switch will block that message, preventing rogue DHCP servers from assigning IP addresses. This makes Option A correct.

B. Building a DHCP Binding Database: When DHCP snooping is enabled, the switch monitors DHCP transactions and creates a binding table that associates a client's MAC address with its allocated IP address, lease time, VLAN, and port. This database is invaluable for network security as it helps in validating DHCP traffic and is later used by other security features like Dynamic ARP Inspection (DAI). Option B is correct.

C. Port Application Restrictions: While DHCP snooping can be enabled on various ports, it is not applied uniformly to both access and trunk ports. Typically, DHCP snooping is configured on access ports where client devices connect. Trunk ports are generally not configured for DHCP snooping because they carry traffic for multiple VLANs, and misconfiguration can lead to unintended blocking of legitimate DHCP traffic. Therefore, Option C is incorrect.

D. Mitigating Layer 2 Attacks: By enforcing the trust model for DHCP messages and maintaining an accurate binding database, DHCP snooping helps mitigate several types of Layer 2 attacks, such as DHCP spoofing and certain forms of ARP poisoning. These attacks can compromise network security by intercepting or manipulating IP address assignments. Thus, Option D is correct.

Impact on Network Security: DHCP snooping is one component of a layered security approach on enterprise networks. It works in concert with other features such as Dynamic ARP Inspection (DAI) and IP Source Guard to ensure that only valid, authorized DHCP traffic is allowed on the network. This comprehensive approach helps protect against a variety of attacks that exploit weaknesses in Layer 2.

Implementation Considerations: When configuring DHCP snooping, network administrators must carefully select which ports are marked as trusted. Typically, only ports that connect to known DHCP servers or uplinks to other switches should be trusted. Misconfiguration, such as trusting ports that connect to end-user devices, can lead to security vulnerabilities and allow unauthorized DHCP responses.

Conclusion: DHCP snooping is a critical security feature that prevents rogue DHCP servers (Option A), builds a binding database to enhance security (Option B), and helps mitigate Layer 2 attacks (Option D). However, it is not generally applied to trunk ports without restrictions (making Option C incorrect). Understanding DHCP snooping and its correct implementation is vital for maintaining secure and reliable IP address management in enterprise networks.
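The trust model and binding database described above, written out as a Cisco IOS switch configuration; this is an added example and not part of the original question or explanation. VLAN 10, the interface names, and the rate-limit value are assumptions.

```cisco
! Added example (not from the original page). Assumptions: clients live in
! VLAN 10, Gi0/1 is the only uplink toward the legitimate DHCP server, and
! Gi0/2-24 are end-user access ports.
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch inserts DHCP option 82 by default; relays and servers that are
! not configured to accept it drop those packets, so it is disabled here.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink toward distribution switch and DHCP server
 switchport mode trunk
 ! Only this port may forward server-originated messages (OFFER/ACK/NAK).
 ip dhcp snooping trust
!
interface range GigabitEthernet0/2 - 24
 description End-user access ports (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! Cap DHCP packets per second from clients; the port err-disables if exceeded.
 ip dhcp snooping limit rate 15
!
end
!
! Verification: confirm the enabled VLANs and trusted ports, then inspect the
! MAC / IP / lease / VLAN / port bindings learned from DHCP ACKs.
show ip dhcp snooping
show ip dhcp snooping binding
```

With this in place, a DHCP OFFER arriving on any of Gi0/2-24 is dropped and logged, while clients still obtain leases through the trusted uplink; the resulting binding table is what DAI and IP Source Guard consult.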

This CCNA practice question helps students prepare for Cisco networking certification exams by testing knowledge of network fundamentals, routing, switching, and network security concepts.
