11.3-4_Mitigate DHCP Attacks Flashcards
___ does not rely on source MAC addresses. Instead, it determines whether DHCP messages are from an administratively configured trusted or untrusted source. It then filters DHCP messages and rate-limits DHCP traffic from untrusted sources.
DHCP snooping
Trusted interfaces are typically ___ and ports directly connected to a legitimate DHCP server.
trunk links
Steps to Implement DHCP Snooping
Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 1
Steps to Implement DHCP Snooping
On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 2
Steps to Implement DHCP Snooping
Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the ip dhcp snooping limit rate interface configuration command.
Step 3
Steps to Implement DHCP Snooping
Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.
Step 4
Use the ___ privileged EXEC command to verify DHCP snooping.
show ip dhcp snooping
Use ___ to view the clients that have received DHCP information.
show ip dhcp snooping binding
The ___ global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid.
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
TRUE OR FALSE
It is alright to enter multiple ip arp inspection validate commands.
FALSE
Entering multiple ip arp inspection validate commands overwrites the previous command. To include more than one validation method, enter them on the same command line as shown and verified in the following output.