DHCP Snooping and MAC Address Filtering

Questions and Answers

What happens to DHCP messages received on an untrusted port and normally sent by a DHCP server?

They are filtered for MAC address consistency

They are forwarded to the client

They are checked against the DHCP Snooping binding table

They are discarded (correct)

Which type of DHCP messages are filtered based on MAC address consistency?

LEASE and DHCPACK messages

DISCOVER and REQUEST messages (correct)

INFORM and DHCPRELEASE messages

RELEASE and DECLINE messages

What happens when a DHCP message results in a lease?

The message is discarded

A new entry is added to the DHCP Snooping binding table (correct)

The message is forwarded to the client

The message is filtered for MAC address consistency

What type of ports do not filter DHCP messages?

Trusted ports

Why does the attacker send a DHCPOFFER message to PC1?

To initiate a DHCP attack

What happens to the packets sent by PC1 to the default gateway?

They are forwarded to R1 by the attacker

What is the purpose of the DHCP Snooping binding table?

To store IP address and MAC address bindings

What is the result of a DHCP attack on PC1?

The attacker can keep a copy of PC1's data

What is the main approach used by DAI to prevent ARP attacks?

Filtering ARP based on DHCP Snooping binding table

What is the purpose of ARP ACLs in DAI configuration?

To provide static IP and MAC address pairs for DAI

What is the purpose of DHCP Snooping binding table?

To keep a list of important facts about legitimate DHCP flows

What is the default setting for ports in DAI configuration?

Untrusted

What is a key consideration when configuring DAI on a Layer 2 switch?

Choosing the correct VLAN(s) to enable DAI

What happens when an attacker tries to lease all IP addresses in the subnet using a DHCP request?

The DHCP Snooping will filter out the request and prevent the overload

What is the primary function of DAI filtering?

To filter ARP based on DHCP Snooping binding table

What is the purpose of the chaddr field in a DHCP message?

To specify the client's hardware address

What is the purpose of the DHCP Snooping binding table in DAI configuration?

To provide data about earlier DHCP messages

What happens when a DHCP RELEASE message is received on a different port than the original DHCP request?

The DHCP Snooping will discard the RELEASE message and ignore the update

What is required to configure DHCP Snooping?

A pair of associated global commands to enable DHCP Snooping and list VLANs

What is a key benefit of using ARP ACLs in DAI configuration?

It becomes useful for ports connected to devices that use static IP addresses

What should be configured to trust on a Layer 2 switch when configuring DAI?

The port connected to the router

What is the purpose of configuring trusted ports in DHCP Snooping?

To allow only trusted ports to access the DHCP server

What is the result of an attacker attempting to lease all IP addresses in the subnet using a DHCP request?

No other hosts will be able to obtain a lease

What does DHCP Snooping check in a DHCP message to prevent MAC address spoofing?

The chaddr field and Ethernet source MAC address

Study Notes

DHCP Snooping and Dynamic ARP Inspection

• DHCP Snooping checks chaddr (client hardware address) and Ethernet Source MAC to prevent attacks.
• An attacker can attempt to lease all IP addresses in the subnet, overwhelming the DHCP server.
• DHCP Snooping builds a binding table for legitimate DHCP clients, listing important facts such as IP addresses and MAC addresses.

Binding Table

• The binding table is used by DHCP Snooping and Dynamic ARP Inspection to make decisions.
• The table lists important facts about legitimate DHCP clients, including IP addresses and MAC addresses.

DHCP Snooping Logic

• DHCP Snooping discards DHCP RELEASE messages if the incoming interface and IP address do not match the binding table entry.
• The process involves comparing the incoming message, interface, and matching table entry.

DHCP Snooping Configuration

• DHCP Snooping requires two global commands: one to enable DHCP Snooping and one to list the VLANs on which to use DHCP Snooping.
• Trusted ports must be configured for DHCP Snooping to operate.

Dynamic ARP Inspection

• DAI filtering is based on the DHCP Snooping binding table.
• DAI checks for source MAC addresses and confirms ARP correctness based on DHCP Snooping data.
• DAI can also use statically configured ARP ACLs for ports connected to devices with static IP addresses.

DAI Configuration

• Before configuring DAI, decisions must be made about using DHCP Snooping, ARP ACLs, or both.
• DHCP Snooping must be configured, and trusted ports must be selected.
• DAI must be enabled on select VLANs and ports.

Summary of Rules for DHCP Snooping

• DHCP messages received on untrusted ports from servers are discarded.
• DHCP messages received on untrusted ports from clients may be filtered if they appear to be part of an attack.
• DHCP messages received on trusted ports are forwarded without filtering.

Description

This quiz covers how DHCP snooping checks chaddr and Ethernet Source MAC to prevent attacks on DHCP servers. Learn how to filter DISCOVER messages based on MAC addresses and protect your network.