Which two actions do you suggest to fix this issue?

A university has hired you as a consultant to advise them on the best method to prevent DHCP starvation attacks in the campus. They have already implemented DHCP snooping and port security to control the situation but those do not fully contain the issue. Which two actions do you suggest to fix this issue? (Choose two.)
A. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces and set the rate to suitable values that are relevant to each interface respectively.
B. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in the DHCP request matches the client hardware address (CHADDR) sent to the DHCP server.
C. Use the ip dhcp snooping limit rate command only to ensure that the source MAC address in the DHCP request matches the client identifier (CLID) field sent to the DHCP server.
D. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces set to the same rate value.


4 thoughts on “Which two actions do you suggest to fix this issue?”

  1. PA. Use the ip dhcp snooping vlan command on trusted and untrusted interfaces and set the rate to suitable values that are relevant to each interface respectively.
    PB. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces and set the rate to suitable values that are relevant to each interface respectively.
    PC. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in the DHCP request matches the client hardware address (CHADDR) sent to the DHCP server.
    PD. Use the ip dhcp snooping limit rate command only on untrusted interfaces and set the rate to suitable values that are relevant to the interface.
    PE. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces set to the same rate value.
    PF. Use the ip dhcp snooping vlan command on trusted and untrusted VLANs and set the rate to suitable values that are relevant to each interface respectively.
    PG. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in the DHCP request matches the client identifier (CLID) field sent to the DHCP server.

    Use the ip dhcp snooping limit rate command only on untrusted interfaces.
    I think PC and PD are correct.

    https://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
    http://www.revolutionwifi.net/revolutionwifi/2011/03/preventing-dhcp-starvation-attacks.html
    https://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

    1. On second thought I would go with Wilfred AB, as the “ip dhcp snooping verify mac-address” is a global command that verifies if the source MAC (sent inside the DHCP request) matches the Client HW Address. The rate limit cmd does not run any validation on addresses.

  2. In my opinion, the correct answers are “A” and “B”.
    The syntax of the “ip dhcp snooping limit rate” command has nothing to do with IP/MAC binding validation.
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/53SG/configuration/config/dhcp.html
    “Cisco recommends not configuring the untrusted interface rate limit to more than 100 packets per second. The recommended rate limit for each untrusted client is 15 packets per second. Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value. You should fine tune this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate of more than 1,000 packets per second.”

    And here is a reference for the DHCP packet format. (The field (CHAddr) exists but “Client Identifier” doesn’t…):
    http://www.tcpipguide.com/free/t_DHCPMessageFormat.htm
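The two controls discussed in the comments above, modelled in Python as an added example (not Cisco's code and not from the original page): `inspect()` applies a per-second `limit rate` check and the source-MAC versus CHADDR comparison that `verify mac-address` performs, over constructed frames that omit the IP/UDP headers, and `simulate()` floods an untrusted port from one source MAC with a fresh CHADDR in every request. The `ATTACKER_MAC` value, the 15 pps limit and the frame layout are constructed for the model.

```python
import struct
from collections import defaultdict

ATTACKER_MAC = b"\x02\xaa\xbb\xcc\xdd\xee"  # constructed, locally administered MAC

def build_dhcp_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed frame: Ethernet header + bare BOOTP/DHCP header (IP/UDP omitted)."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    # op=1 (BOOTREQUEST), htype=1, hlen=6, hops=0, xid, secs, flags, then
    # ciaddr/yiaddr/siaddr/giaddr (16 zero bytes) and the 16-byte chaddr field.
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0) + b"\x00" * 16
    return eth + bootp + chaddr.ljust(16, b"\x00")

def parse_dhcp_frame(frame: bytes) -> tuple:
    """Return (Ethernet source MAC, CHADDR) for a frame built by build_dhcp_frame."""
    bootp = frame[14:]
    hlen = bootp[2]
    return frame[6:12], bootp[28:28 + hlen]

class SnoopingPort:
    """Untrusted port applying 'limit rate' and 'verify mac-address' semantics."""
    def __init__(self, limit_pps: int, verify_mac: bool = True):
        self.limit_pps, self.verify_mac = limit_pps, verify_mac
        self.seen = defaultdict(int)  # DHCP packets counted per one-second bucket
        self.err_disabled = False

    def inspect(self, frame: bytes, t: float) -> str:
        """Return 'forward', 'drop' or 'err-disable' for a frame arriving at time t."""
        if self.err_disabled:
            return "err-disable"
        self.seen[int(t)] += 1
        if self.seen[int(t)] > self.limit_pps:
            self.err_disabled = True  # IOS err-disables the port once the limit is exceeded
            return "err-disable"
        src_mac, chaddr = parse_dhcp_frame(frame)
        if self.verify_mac and src_mac != chaddr:
            return "drop"  # spoofed CHADDR behind a single real source MAC
        return "forward"

def simulate(verify_mac: bool, frames_per_sec: int, seconds: int = 3) -> dict:
    """Flood from one source MAC whose every request carries a different CHADDR."""
    port = SnoopingPort(limit_pps=15, verify_mac=verify_mac)
    outcome = defaultdict(int)
    for s in range(seconds):
        for i in range(frames_per_sec):
            fake_chaddr = b"\x02\x00\x00\x00" + struct.pack("!H", s * frames_per_sec + i)
            frame = build_dhcp_frame(ATTACKER_MAC, fake_chaddr)
            outcome[port.inspect(frame, s + i / frames_per_sec)] += 1
    return dict(outcome)
```

A flood kept under the 15 pps limit is forwarded in full when only the rate limit is active, and dropped entirely once the CHADDR check is on; a fast flood trips the rate limit either way.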
