The Cisco Nexus 1000V Series Switches are virtual machine access switches: an intelligent software switch implementation for VMware vSphere environments that runs the Cisco NX-OS Software operating system. Together with the VMware ESX hypervisor, the Nexus 1000V supports Cisco VN-Link server virtualization technology, which provides mobile virtual machine security and network policy for VMware View components, including the DHCP snooping feature. DHCP snooping is disabled on the Nexus 1000V by default.
When the DHCP snooping feature is enabled on the Nexus 1000V, what are the default trust settings for the vEthernet and uplink ports?
A. All vEthernet ports are trusted, and all Ethernet ports such as uplinks and port channels are trusted.
B. All vEthernet ports are not trusted, and all Ethernet ports such as uplinks and port channels are not trusted.
C. All vEthernet ports are trusted and all Ethernet ports such as uplinks and port channels are not trusted.
D. All vEthernet ports are not trusted and all Ethernet ports such as uplinks and port channels are trusted.
Correct Answer: D
Explanation/Reference:
Explanation:
DHCP snooping identifies ports as trusted or untrusted. When you enable DHCP snooping, by default all vEthernet ports are untrusted, and all Ethernet ports (uplinks), port channels, and special vEthernet ports (used by other features, such as VSD, for their operation) are trusted. You can configure whether DHCP trusts traffic sources.
In an enterprise network, a trusted source is a device that is under your administrative control. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the Cisco Nexus 1000V, you indicate that a source is trusted by configuring the trust state of its connecting interface. Uplink ports, as defined with the uplink capability on port profiles, are trusted and cannot be configured to be untrusted. This restriction prevents the uplink from being shut down for not conforming to rate limits or DHCP responses.
You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network or if the administrator is running the DHCP server in a VM. You usually do not configure host port interfaces as trusted.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4/security/configuration/guide/n1000v_security/n1000v_security_12dhcpsnoop.html (trusted and untrusted sources)