DHCP Filtering Quiz and Flashcards

Podcast Beta

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What happens to DHCP messages received on an untrusted port and normally sent by a DHCP server?

They are filtered for MAC address consistency

They are forwarded to the client

They are checked against the DHCP Snooping binding table

They are discarded (correct)

Which type of DHCP messages are filtered based on MAC address consistency?

LEASE and DHCPACK messages

DISCOVER and REQUEST messages (correct)

INFORM and DHCPRELEASE messages

RELEASE and DECLINE messages

What happens when a DHCP message results in a lease?

The message is discarded

A new entry is added to the DHCP Snooping binding table (correct)

The message is forwarded to the client

The message is filtered for MAC address consistency

What type of ports do not filter DHCP messages?

Trusted ports Signup and view all the answers

Why does the attacker send a DHCPOFFER message to PC1?

To initiate a DHCP attack Signup and view all the answers

What happens to the packets sent by PC1 to the default gateway?

They are forwarded to R1 by the attacker Signup and view all the answers

What is the purpose of the DHCP Snooping binding table?

To store IP address and MAC address bindings Signup and view all the answers

What is the result of a DHCP attack on PC1?

The attacker can keep a copy of PC1's data Signup and view all the answers

What is the main approach used by DAI to prevent ARP attacks?

Filtering ARP based on DHCP Snooping binding table Signup and view all the answers

What is the purpose of ARP ACLs in DAI configuration?

To provide static IP and MAC address pairs for DAI Signup and view all the answers

What is the purpose of DHCP Snooping binding table?

To keep a list of important facts about legitimate DHCP flows Signup and view all the answers

What is the default setting for ports in DAI configuration?

Untrusted Signup and view all the answers

What is a key consideration when configuring DAI on a Layer 2 switch?

Choosing the correct VLAN(s) to enable DAI Signup and view all the answers

What happens when an attacker tries to lease all IP addresses in the subnet using a DHCP request?

The DHCP Snooping will filter out the request and prevent the overload Signup and view all the answers

What is the primary function of DAI filtering?

To filter ARP based on DHCP Snooping binding table Signup and view all the answers

What is the purpose of the chaddr field in a DHCP message?

To specify the client's hardware address Signup and view all the answers

What is the purpose of the DHCP Snooping binding table in DAI configuration?

To provide data about earlier DHCP messages Signup and view all the answers

What happens when a DHCP RELEASE message is received on a different port than the original DHCP request?

The DHCP Snooping will discard the RELEASE message and ignore the update Signup and view all the answers

What is required to configure DHCP Snooping?

A pair of associated global commands to enable DHCP Snooping and list VLANs Signup and view all the answers

What is a key benefit of using ARP ACLs in DAI configuration?

It becomes useful for ports connected to devices that use static IP addresses Signup and view all the answers

What should be configured to trust on a Layer 2 switch when configuring DAI?

The port connected to the router Signup and view all the answers

What is the purpose of configuring trusted ports in DHCP Snooping?

To allow only trusted ports to access the DHCP server Signup and view all the answers

What is the result of an attacker attempting to lease all IP addresses in the subnet using a DHCP request?

No other hosts will be able to obtain a lease Signup and view all the answers

What does DHCP Snooping check in a DHCP message to prevent MAC address spoofing?

The chaddr field and Ethernet source MAC address Signup and view all the answers

Study Notes

DHCP Snooping and Dynamic ARP Inspection

DHCP Snooping checks chaddr (client hardware address) and Ethernet Source MAC to prevent attacks.
An attacker can attempt to lease all IP addresses in the subnet, overwhelming the DHCP server.
DHCP Snooping builds a binding table for legitimate DHCP clients, listing important facts such as IP addresses and MAC addresses.

Binding Table

The binding table is used by DHCP Snooping and Dynamic ARP Inspection to make decisions.
The table lists important facts about legitimate DHCP clients, including IP addresses and MAC addresses.

DHCP Snooping Logic

DHCP Snooping discards DHCP RELEASE messages if the incoming interface and IP address do not match the binding table entry.
The process involves comparing the incoming message, interface, and matching table entry.

DHCP Snooping Configuration

DHCP Snooping requires two global commands: one to enable DHCP Snooping and one to list the VLANs on which to use DHCP Snooping.
Trusted ports must be configured for DHCP Snooping to operate.

Dynamic ARP Inspection

DAI filtering is based on the DHCP Snooping binding table.
DAI checks for source MAC addresses and confirms ARP correctness based on DHCP Snooping data.
DAI can also use statically configured ARP ACLs for ports connected to devices with static IP addresses.

DAI Configuration

Before configuring DAI, decisions must be made about using DHCP Snooping, ARP ACLs, or both.
DHCP Snooping must be configured, and trusted ports must be selected.
DAI must be enabled on select VLANs and ports.

Summary of Rules for DHCP Snooping

DHCP messages received on untrusted ports from servers are discarded.
DHCP messages received on untrusted ports from clients may be filtered if they appear to be part of an attack.
DHCP messages received on trusted ports are forwarded without filtering.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

This quiz covers how DHCP snooping checks chaddr and Ethernet Source MAC to prevent attacks on DHCP servers. Learn how to filter DISCOVER messages based on MAC addresses and protect your network.