When an engineer is configuring DHCP snooping, which configuration parameter is enabled by default?
A. DHCP snooping host tracking feature
B. DHCP snooping MAC address verification
C. DHCP snooping relay agent
D. DHCP snooping information option-82
Correct Answer: B
Explanation/Reference:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html
Hi, this is another f**king question, because the default settings differ between IOS families (IOS / IOS XE / NX-OS)!
Defaults for IOS 15.2 (c2960 and IOSv):
==================================
MAC address verification – ENABLED by default:
———————————————————————
"Defaults: The switch verifies the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet." – if they don't match, the device drops the packet
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_2_e/command/reference/cr_2960/cli1.html#marker-11898639
DHCP option 82 – ENABLED by default:
——————————————————-
“Defaults: DHCP option-82 data is inserted.”
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_2_e/command/reference/cr_2960/cli1.html#marker-11898300
This is also TRUE for IOSv – my test in GNS3:
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(4.0.55)
SW1# show ip dhcp snooping
Switch DHCP snooping is disabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs: none
DHCP snooping is operational on following VLANs: none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled <<<============= HERE
circuit-id default format: vlan-mod-port
remote-id: 0c68.ba7b.1a00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled <<<========= HERE
Verification of giaddr field is enabled
BUT settings are DIFFERENT for NX-OS and IOS XE:
=========================================
– the screenshot in the original answer to this question comes from the NX-OS reference (it applies also to IOS XE – see links below):
DHCP snooping MAC address verification – Enabled <==== (same as Catalyst)
DHCP snooping option-82 support – Disabled <==== (different! – ENABLED on Catalyst)
NX-OS:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html#wp1300305
IOS XE:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i2.html#wp2385990450
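Because the defaults differ by platform, the safe practice is to state both settings explicitly instead of relying on them. The following is an added example, not taken from the question, the reference links, or the commenter's GNS3 lab, showing the equivalent explicit configuration on a Catalyst IOS 15.x switch and on an NX-OS switch. VLAN 10, the interface names and the rate limit are assumed values; the commands themselves are standard on those platforms.

```cisco
! ---- Catalyst IOS 15.x (assumed: VLAN 10, uplink Gi1/0/1, access ports Gi1/0/2-24) ----
ip dhcp snooping
ip dhcp snooping vlan 10
! Both of the next two lines are already the IOS default; stating them makes the
! intent explicit and keeps the config correct if it is ever moved to a platform
! whose defaults differ.
ip dhcp snooping verify mac-address
ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
 description uplink towards the DHCP server / relay
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/2 - 24
 ! untrusted by default; cap DHCP packets per second to blunt starvation floods
 ip dhcp snooping limit rate 15
!
! Caveat that follows from "Insertion of option 82 is enabled" plus
! "Option 82 on untrusted port is not allowed": a second snooping switch upstream
! of this one will receive option-82 requests on its port facing this switch and,
! if that port is untrusted, drop them. Pick one of:
!   - trust that port on the upstream switch (interface: ip dhcp snooping trust)
!   - on the upstream switch:  ip dhcp snooping information option allow-untrusted
!   - on this edge switch:     no ip dhcp snooping information option
!
! ---- NX-OS (assumed: VLAN 10, uplink Ethernet1/1) ----
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
! default on NX-OS, stated explicitly
ip dhcp snooping verify mac-address
! NOT the NX-OS default (disabled); enable only if the relay/server actually uses it
ip dhcp snooping information option
!
interface Ethernet1/1
  ip dhcp snooping trust
```

After applying either block, confirm the effective state with "show ip dhcp snooping" (the "Insertion of option 82" and "Verification of hwaddr field" lines on IOS) and check that bindings are being learned with "show ip dhcp snooping binding"; an empty binding table after clients renew usually means the uplink was left untrusted or option-82 packets are being dropped.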