A network technician is tasked with configuring DHCP Snooping on a Cisco switch. Which of the following port types should typically be configured as "trusted" ports in a DHCP Snooping environment?
Correct Answer: C
Detailed Explanation: DHCP Snooping is a Layer 2 security feature on switches designed to prevent rogue DHCP servers from being introduced into the network, where they could hand out bad addressing and cause connectivity failures or denial of service. Understanding the concept of "trusted" and "untrusted" ports in DHCP Snooping is key to configuring it effectively. Option C accurately describes the ports that should be trusted.

DHCP Snooping Fundamentals

Rogue DHCP Server Problem: In a network, only authorized DHCP servers should provide IP addresses. A "rogue" (unauthorized) DHCP server connected to the network can start offering incorrect IP addresses, default gateways, DNS servers, and so on to DHCP clients. This can disrupt network connectivity, enable man-in-the-middle attacks, and cause various network malfunctions.

DHCP Snooping's Role: DHCP Snooping mitigates this risk by controlling where DHCP server messages (DHCP Offers, DHCP ACKs) are allowed to originate and be forwarded on the switch. It creates a security boundary that isolates authorized DHCP servers.

Trusted Ports: Trusted ports are switchports designated as connecting to legitimate, authorized DHCP servers. DHCP server messages (Offers, ACKs, etc.) are allowed to pass through trusted ports without restriction. Ports configured as trusted are typically those connected to:
- actual DHCP servers
- uplinks toward the network infrastructure where authorized DHCP servers reside
- other trusted network devices (such as routers acting as DHCP relays)

Untrusted Ports: Untrusted ports are all other switchports, i.e. those not explicitly configured as trusted (on Cisco switches every port is untrusted by default once DHCP Snooping is enabled). These ports are assumed to connect to end-user devices (workstations, laptops, etc.) or potentially untrusted network segments. On untrusted ports, DHCP Snooping enforces the following behavior:

DHCP Server Messages Blocked: DHCP server messages (Offers, ACKs, etc.) received on untrusted ports are dropped. This prevents rogue DHCP servers connected to untrusted ports from providing IP addresses to clients.

DHCP Client Messages Forwarded (Under Control): DHCP client messages (Discover, Request) received on untrusted ports are forwarded toward the trusted ports, where legitimate DHCP servers are expected. The switch may insert relay-agent information identifying the VLAN and port into them, and it may rate-limit them or apply other policies.

DHCP Snooping Database: DHCP Snooping builds a binding table that records valid DHCP bindings (MAC address, IP address, VLAN, port). This database is used by further security and tracking features, such as IP Source Guard and Dynamic ARP Inspection (DAI).

Why Option C is Correct

Ports to DHCP servers must be trusted: for DHCP Snooping to function correctly, ports connected to authorized DHCP servers must be configured as trusted. This is the fundamental principle of DHCP Snooping: allow DHCP server traffic from known, authorized sources and block it from unknown or potentially rogue sources.

Why the Other Options are Incorrect

A. Access ports connected to end-user workstations. Access ports connected to user workstations should be untrusted. User workstations are the points where rogue DHCP servers are most likely to be introduced, intentionally or unintentionally. Making access ports trusted would defeat the purpose of DHCP Snooping, because it would allow DHCP server messages from user ports and so disable the rogue server protection on exactly those ports.

B. Trunk ports connecting to other switches in the same Layer 2 domain. Trunk ports connecting to other access switches should generally be untrusted as well, unless the network design guarantees that no rogue DHCP server can be connected downstream of those switches and those switches are securely managed. In many scenarios, trunk ports between access switches are left untrusted so that DHCP Snooping is enforced as close to the end-user access layer as possible. However, trunk ports connecting to distribution or core switches that are part of the trusted network infrastructure, and that carry the path to DHCP servers or DHCP relay agents, can be candidates for trusted status depending on the network architecture. Option B is too broad and is incorrect for most standard DHCP Snooping deployments on access layer switches.

D. All switchports in the VLAN where DHCP Snooping is enabled. Making all switchports in the VLAN trusted is incorrect and would completely disable DHCP Snooping's rogue server protection within that VLAN. DHCP Snooping relies on the distinction between trusted and untrusted ports; if all ports are trusted, DHCP server messages are allowed on every port, negating the security benefit entirely.

In Conclusion: Option C is the only correct answer. In a DHCP Snooping environment, ports connected to legitimate DHCP servers must be configured as trusted. All other ports, especially access ports connected to end-user devices, should remain untrusted to enforce DHCP Snooping's rogue DHCP server prevention. Understanding the trusted/untrusted port concept is essential for properly configuring and deploying DHCP Snooping for network security. This question tests not just the definition of trusted ports but also the core security principle behind DHCP Snooping.
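The trusted/untrusted rule and the binding table described above, shown as an added example that is a constructed Python model and not Cisco switch code or part of the original question: the same DHCP exchange is run once under the Option C design (only the server-facing uplink trusted) and once under the Option D design (every port trusted). The port names, MAC address and IP addresses are made up for the illustration.

```python
# Constructed model of the DHCP Snooping forwarding rule (not Cisco code).
# Port names, MAC and IP addresses below are invented for illustration.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}              # legal only from trusted ports
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}

def snoop(messages, trusted_ports, vlan=10):
    """Apply the trusted/untrusted rule to DHCP messages seen on one switch.
    Returns (forwarded, dropped, bindings); bindings models the DHCP Snooping
    binding table: client MAC -> (assigned IP, VLAN, port the client is on)."""
    forwarded, dropped, bindings = [], [], {}
    client_port = {}                                # MAC -> port it was heard on
    for m in messages:
        kind, port, mac = m["type"], m["port"], m["chaddr"]
        if kind in SERVER_MSGS and port not in trusted_ports:
            dropped.append(m)                       # rogue server message: drop
            continue
        if kind in CLIENT_MSGS:
            client_port[mac] = port                 # remember where the client is
        forwarded.append(m)
        if kind == "ACK" and mac in client_port:    # lease confirmed by a server
            bindings[mac] = (m["yiaddr"], vlan, client_port[mac])
    return forwarded, dropped, bindings

# Constructed traffic: a client on Gi1/0/1, a rogue server plugged into access
# port Gi1/0/5, and the authorized server reachable through uplink Gi1/0/24.
CLIENT = "aa:bb:cc:00:00:01"
TRAFFIC = [
    {"type": "DISCOVER", "port": "Gi1/0/1",  "chaddr": CLIENT, "yiaddr": None},
    {"type": "OFFER",    "port": "Gi1/0/5",  "chaddr": CLIENT, "yiaddr": "192.168.99.10"},
    {"type": "OFFER",    "port": "Gi1/0/24", "chaddr": CLIENT, "yiaddr": "10.0.10.50"},
    {"type": "REQUEST",  "port": "Gi1/0/1",  "chaddr": CLIENT, "yiaddr": None},
    {"type": "ACK",      "port": "Gi1/0/24", "chaddr": CLIENT, "yiaddr": "10.0.10.50"},
]

def correct_design():
    """Option C: only the port toward the authorized DHCP server is trusted."""
    return snoop(TRAFFIC, trusted_ports={"Gi1/0/24"})

def all_ports_trusted():
    """Option D: every port trusted, which disables the rogue-server protection."""
    return snoop(TRAFFIC, trusted_ports={"Gi1/0/1", "Gi1/0/5", "Gi1/0/24"})

if __name__ == "__main__":
    fwd, drp, table = correct_design()
    print("dropped:", [(m["type"], m["port"]) for m in drp])   # rogue OFFER on Gi1/0/5
    print("binding table:", table)
    print("dropped with all ports trusted:", len(all_ports_trusted()[1]))  # 0
```

Running it shows the rogue Offer from Gi1/0/5 dropped and the binding table populated from the legitimate ACK under the Option C design, while the Option D design drops nothing.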
This CCNA practice question helps students prepare for Cisco networking certification exams by testing knowledge of network fundamentals, routing, switching, and network security concepts.