Chapter 37 - DHCP Snooping and ARP Inspection Flashcards

1
Q

What is DHCP Snooping?

A
  • A switch security feature that recognises DHCP messages falling outside the normal use of DHCP, which could be part of an attack, and discards them.
  • Also builds a binding table of legitimate DHCP leases that other switch features (such as DAI) can use to decide whether traffic is legitimate or not.
  • Usually implemented on switches and operates at Layer 2 by inspecting frames, whereas DHCP itself is an application protocol carried over UDP/IP.
  • Only filters DHCP messages; all other traffic is unaffected.
2
Q

What is DAI?

A
  • Dynamic ARP Inspection
  • Examines incoming ARP messages on Untrusted ports to filter those it believes to be part of an attack. Messages received on Trusted ports are not inspected.
  • Compares incoming ARP messages on Untrusted ports against the DHCP Snooping binding table and any configured ARP ACLs. If they don’t match, the message is discarded.
  • Only filters ARP messages; other messages are unaffected.
3
Q

What are the rules used by DHCP Snooping on Trusted and Untrusted ports?

A
  • DHCP messages received on an untrusted port that are normally sent by a server (Offer, ACK, NAK) are always discarded
  • DHCP messages received on an untrusted port that are normally sent by a client (Discover, Request, Decline, Release) may be filtered if they seem to be part of an attack:
    - For Discover and Request messages, check that the source MAC address of the Ethernet frame matches the chaddr field of the DHCP message
    - For Release and Decline messages, check the incoming interface and source IP address against the DHCP Snooping binding table
  • DHCP messages received on a trusted port will be forwarded as trusted ports do not filter any DHCP messages
  • Where messages aren’t filtered and result in a DHCP lease, build a new entry in the DHCP Snooping binding table.
4
Q

What is a Spurious DHCP server (DHCP Poisoning)?

A
  • A form of attack where an attacker makes itself a DHCP server so that it can hand out bad DHCP offers.
  • For example, it could set itself as the default gateway so that any legitimate traffic destined for the internet is sent to it first. This is a Man in the Middle attack.
5
Q

What is chaddr?

A
  • Client Hardware Address
  • Includes the sender’s MAC address
  • Used when filtering Discover and Request messages, since the source MAC of the frame should match the chaddr of the DHCP message it encapsulates. Without this check an attacker could spoof the MAC address in the chaddr and lease every IP in a pool from a single device.
6
Q

What is the DHCP Snooping binding table?

A
  • A table of all DHCP flows that were allowed to complete, up to the point of obtaining a lease.
  • Stores information such as the MAC address, IP address, VLAN, and interface of each lease, which it uses to check for malicious traffic.
  • For example, if an attacker wanted to Release a legitimate user’s IP address, the Release would have to match all of the details recorded for that lease in the DHCP Snooping binding table (e.g. arrive on the same interface).
7
Q

What commands do you use to enable DHCP snooping?

A
  • ‘ip dhcp snooping’ - Enables DHCP snooping globally
  • ‘ip dhcp snooping vlan <vlan-list>’ - Tells the switch which VLAN(s) to apply DHCP snooping to
8
Q

What command do you use to change an interface from untrusted to trusted in DHCP Snooping?

A

‘ip dhcp snooping trust’ from interface config mode

9
Q

What command can you use to find trusted DHCP snooping interfaces?

A

‘show ip dhcp snooping’

10
Q

What does the ‘ip dhcp snooping information option’ do?

A
  • Enables DHCP Option 82 (the DHCP relay agent information option)
  • Allows a DHCP relay agent to insert extra fields into client DHCP messages that identify which relay agent (and which port on it) received the client’s message
  • Enabled by default when DHCP snooping is enabled
  • If the switch does not act as a DHCP relay agent this can stop DHCP from working as normal: the switch still inserts Option 82, and Cisco switches drop DHCP messages containing Option 82 that are received on an untrusted port. In this scenario it is best to disable it with ‘no ip dhcp snooping information option’.
11
Q

What commands can you use to cause a switch interface to automatically recover from being put into an err-disable state when caused by DHCP rate limiting?

A

‘errdisable recovery cause dhcp-rate-limit’
‘errdisable recovery interval <seconds>’

12
Q

What command can you use to enable DHCP rate limiting?

A

‘ip dhcp snooping limit rate <number>’ in interface config mode

13
Q

True or False. interfaces are Untrusted by default when DHCP Snooping is enabled.

A

True.

14
Q

True or False. DHCP rate limiting can be enabled on only Trusted interfaces.

A

False. Can be enabled on both Trusted and Untrusted interfaces.

14
Q

What is DHCP rate limiting?

A
  • An optional feature of DHCP snooping
  • Stops attackers from flooding the switch with DHCP messages and overloading the CPU so that they can bypass DHCP Snooping to enact other attacks.
  • It tracks the number of DHCP messages so that if they exceed the limit over a one second period the interface is put into an err-disable state.
  • Can be useful in avoiding DHCP Exhaustion attacks.
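Cards 7 to 14 describe the DHCP Snooping commands one at a time. The following Cisco IOS configuration, added here as a worked example and not taken from the flashcards, puts them together on a Layer 2 access switch. The interface names (Gi0/1 uplink, Gi0/2-24 access ports), VLAN 10, and the rate-limit and recovery values are illustrative assumptions.

```cisco
! Added example (not from the original flashcards). Assumptions: Layer 2
! access switch, user VLAN 10, Gi0/1 is the uplink toward the DHCP server
! (or the router acting as relay agent), Gi0/2-24 are user access ports.
ip dhcp snooping
ip dhcp snooping vlan 10
! This switch is not a relay agent, so do not insert Option 82; otherwise
! the upstream snooping switch or server may drop the client messages.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 ! Server messages (Offer/ACK/NAK) are only accepted on trusted ports
 ip dhcp snooping trust
 ! Optional: rate limit even on the trusted uplink (no default limit)
 ip dhcp snooping limit rate 100
!
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! Untrusted is the default; a client needs only a handful of DHCP
 ! messages per second, so a low limit blocks starvation floods
 ip dhcp snooping limit rate 6
!
! Bring rate-limited ports back automatically instead of by hand
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 60
```

To verify, ‘show ip dhcp snooping’ lists the enabled VLANs and which interfaces are trusted and rate limited, and ‘show ip dhcp snooping binding’ shows the leases the switch has recorded in the binding table.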
14
Q

What is Gratuitous ARP (GARP)?

A
  • An ARP reply
  • Sent without first having received an ARP request
  • Sent to Ethernet broadcast address so that all hosts in the subnet receive the message
  • Can be used for malicious purposes
15
Q

What is the default DHCP Snooping rate limit?

A

There isn’t one

16
Q

How can Gratuitous ARP be used for malicious purposes?

A
  • ARP Poisoning
  • An attacker could send a message telling all hosts to update their ARP tables so that the IP address of a legitimate user maps to the attacker’s MAC address
  • This means that any traffic sent to the legitimate user will be sent to the attacker instead
  • The attacker could then copy the traffic and forward it on to the legitimate user, so that the legitimate user continues to function and nothing looks suspicious
17
Q

What comparisons can DAI use to determine if an ARP message should be discarded?

A
  • Checks the DHCP Snooping binding table for an entry that matches the sender IP and MAC pair in the ARP message
  • Checks the source MAC address of the Layer 2 header against the sender MAC address inside the ARP message itself
  • Checks the destination MAC address of the Layer 2 header against the target MAC address inside the ARP message itself
18
Q

True or False. Interfaces are Trusted by default when DAI is enabled.

A

False. They are Untrusted.

19
Q

True or False. It is best practice to have DAI and DHCP Snooping interfaces in the same state (Trusted/Untrusted)

A

True.

20
Q

True or False. It is best practice to have access ports as Trusted and ports to DHCP servers as Untrusted.

A

False. It’s the other way round.

21
Q

What command should you use to enable DAI?

A

‘ip arp inspection vlan <vlan-list>’

22
Q

What command do you use to change an interface from untrusted to trusted in DAI?

A

‘ip arp inspection trust’ from interface config mode

23
Q

What command can you use to find statistics about DAI on a device?

A

‘show ip arp inspection’

24
Q

What is the default DAI rate limit?

A

15 packets per second

25
Q

What are differences between DHCP rate limiting and ARP rate limiting?

A
  • DHCP Snooping has no rate limit by default, whereas DAI limits untrusted ports to 15 packets per second by default
  • DAI also allows the configuration of a burst interval, so that it can allow a certain number of messages over a chosen number of seconds rather than strictly per second.
26
Q

What commands can you use to cause a switch interface to automatically recover from being put into an err-disable state when caused by ARP rate limiting?

A

‘errdisable recovery cause arp-inspection’
‘errdisable recovery interval <seconds>’

27
Q

What command can you use to enable ARP rate limiting?

A

‘ip arp inspection limit rate <number>’ in interface config mode

28
Q

What command would you use to add an ARP burst limit?

A

‘ip arp inspection limit rate <number> burst interval <seconds>’ in interface config mode

29
Q

What other additional checks can DAI use when inspecting ARP messages? What are the commands?

A

The optional additional validation steps a switch can take are:
- ‘ip arp inspection validate dst-mac’ - Validates the destination MAC of the frame against the target MAC address in the ARP message. If these differ the packet is dropped.
- ‘ip arp inspection validate ip’ - Validates that the sender IP address (in ARP requests and replies) and the target IP address (in ARP replies only) are not invalid or unexpected addresses such as 0.0.0.0, 255.255.255.255 or multicast addresses. If they are, the packet is dropped.
- ‘ip arp inspection validate src-mac’ - Validates the source MAC in the frame against the sender MAC address in the ARP message. If these differ the packet is dropped.

  • You can enable all or a subset of these checks, but they must be enabled in a single command. If they are enabled in separate commands, the latest one overwrites the previous.
30
Q

What is DHCP Starvation?

A
  • A form of attack in which a device sends DHCP messages to a server using many spoofed MAC addresses, so that a lease is given for each of those MACs.
  • This fills up the DHCP lease pool, causing a DoS for legitimate users.
  • DHCP Snooping prevents this by checking the source MAC of the frame against the chaddr of the DHCP message.
31
Q

What is a DHCP NAK message?

A
  • The opposite of an Ack
  • Sent by a server to decline a client’s Request message
32
Q

What messages are sent by clients and what messages are sent by servers?

A

Servers:
- Offer
- Ack
- NAK

Clients:
- Discover
- Request
- Decline
- Release

33
Q

What command can you use to view the DHCP Snooping binding table of a device?

A

‘show ip dhcp snooping binding’

34
Q

What information is stored in the DHCP Snooping binding table?

A
  • MAC address
  • IP address
  • Lease time
  • Type
  • VLAN
  • Interface the entry was discovered on
35
Q

True or False. DAI rate limiting is enabled on Trusted and Untrusted ports by default

A

False. It is only enabled on Untrusted ports by default.

36
Q

In DAI, what is checked first. ARP ACLs or DHCP Snooping Binding Table?

A

ARP ACLs. If an ARP ACL blocks a frame it will not be checked in the DHCP Snooping Binding Table.
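
Cards 21 to 29 and card 36 cover the DAI commands individually. The following Cisco IOS configuration, added here as a worked example rather than taken from the flashcards, combines them and also shows an ARP ACL for a statically addressed host that will never appear in the DHCP Snooping binding table. Interface names, VLAN 10, the host address 10.1.10.250 / 0011.2233.4455, and the rate-limit and recovery values are illustrative assumptions.

```cisco
! Added example (not from the original flashcards). Assumptions: the same
! Layer 2 switch as above with DHCP snooping already enabled on VLAN 10,
! Gi0/1 as the uplink and Gi0/2-24 as user access ports.
ip arp inspection vlan 10
! Extra checks: frame header vs ARP payload MACs, and sane IP addresses.
! All three must be given in one command; a second 'validate' command
! would replace, not add to, the first.
ip arp inspection validate src-mac dst-mac ip
!
! A printer with a static IP has no DHCP lease, so permit it explicitly.
! ARP ACLs are checked before the binding table; hosts not matched here
! fall through to the DHCP Snooping binding table check.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet0/1
 description Uplink, trusted for both DHCP snooping and DAI
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 ! Untrusted is the default and so is 15 pps; allow short bursts by
 ! measuring the rate over a 3 second window instead of 1 second
 ip arp inspection limit rate 15 burst interval 3
!
errdisable recovery cause arp-inspection
errdisable recovery interval 60
```

‘show ip arp inspection’ shows per-VLAN status and drop counters, ‘show ip arp inspection interfaces’ lists the trust state and rate limit of each port, and ‘show ip arp inspection statistics vlan 10’ gives the forwarded/dropped counts for the VLAN.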

37
Q

If DHCP Snooping and ARP ACLs have not been configured, what will happen to ARP frames that enter an untrusted port?

A

They have nothing to be compared against, so they will all be dropped. ARP frames on Trusted ports are forwarded as normal.