When an engineer is configuring DHCP snooping, which configuration parameter is enabled by default?

A. DHCP snooping host tracking feature
B. DHCP snooping MAC address verification
C. DHCP snooping relay agent
D. DHCP snooping information option-82


One thought on “When an engineer is configuring DHCP snooping, which configuration parameter is enabled by default?”

  1. Hi, this is another f**king question, cause default settings differ between IOS families (IOS / IOS XE / NX-OS)!

    Defaults for IOS 15.2 (c2960 and IOSv):
    ==================================

    MAC address verification – ENABLED by default:
    ----------------------------------------------
    “Defaults: The switch verifies the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet.” – if they don’t match, the device drops the packet
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_2_e/command/reference/cr_2960/cli1.html#marker-11898639

    DHCP option 82 – ENABLED by default:
    ------------------------------------
    “Defaults: DHCP option-82 data is inserted.”
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_2_e/command/reference/cr_2960/cli1.html#marker-11898300

    This is also TRUE for IOSv – my test in GNS3:
    Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(4.0.55)

    SW1# show ip dhcp snooping

    Switch DHCP snooping is disabled
    Switch DHCP gleaning is disabled
    DHCP snooping is configured on following VLANs: none
    DHCP snooping is operational on following VLANs: none
    DHCP snooping is configured on the following L3 Interfaces:
    Insertion of option 82 is enabled <<<============= HERE
    circuit-id default format: vlan-mod-port
    remote-id: 0c68.ba7b.1a00 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled <<<========= HERE
    Verification of giaddr field is enabled

    BUT settings are DIFFERENT for NX-OS and IOS XE:
    =========================================
    – screenshot in the original answer to this question comes from NX-OS reference (applies also to IOS XE – see links below):
    DHCP snooping MAC address verification – Enabled <==== (same as Catalyst)
    DHCP snooping option-82 support – Disabled <==== (different! – ENABLED on Catalyst)

    NX-OS:
    https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html#wp1300305

    IOS XE:
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i2.html#wp2385990450
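
Because the defaults differ by platform, as the comment above shows, the reliable check is to read the switch's own `show ip dhcp snooping` output. The following Python sketch is an added example, not part of the original question or comment: it parses the lines from the comment's IOSv test and lists what is not being enforced. The key names and the `audit` rules are this example's own assumptions, and other platforms may word these lines differently.

```python
import re

# Output copied from the comment's IOSv 15.2 test (snooping not yet turned on).
SAMPLE = """\
Switch DHCP snooping is disabled
DHCP snooping is operational on following VLANs: none
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
"""

# Key names are this example's own; the patterns match the lines shown above.
PATTERNS = {
    "snooping": r"Switch DHCP snooping is (enabled|disabled)",
    "operational_vlans": r"DHCP snooping is operational on following VLANs:\s*(\S*)",
    "option82_insert": r"Insertion of option 82 is (enabled|disabled)",
    "option82_untrusted": r"Option 82 on untrusted port is (allowed|not allowed)",
    "verify_hwaddr": r"Verification of hwaddr field is (enabled|disabled)",
    "verify_giaddr": r"Verification of giaddr field is (enabled|disabled)",
}

def parse_snooping(text):
    """Return {key: bool or str}; keys absent from the output are omitted."""
    state = {}
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m and key == "operational_vlans":
                state[key] = m.group(1)
            elif m:
                state[key] = m.group(1) in ("enabled", "allowed")
    return state

def audit(state):
    """List settings that leave DHCP snooping unenforced or unverified."""
    notes = []
    if state.get("snooping") is not True:
        notes.append("snooping is not enabled globally, so its checks are not running")
    if state.get("operational_vlans", "none") in ("", "none"):
        notes.append("snooping is operational on no VLANs")
    if state.get("verify_hwaddr") is not True:
        notes.append("source MAC / hwaddr verification is off or not reported")
    if state.get("option82_untrusted") is True:
        notes.append("option 82 is accepted on untrusted ports")
    if "option82_insert" not in state:
        notes.append("option 82 insertion not reported; default differs by platform")
    return notes
```
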
