What command would be used to verify trusted DHCP ports?
A. show mls qos
B. show ip dhcp snooping
C. show ip trust
D. show ip arp trust
Explanation:
The command show ip dhcp snooping is used to verify trusted DHCP ports, that is, which ports are
intended to have DHCP servers connected to them.
DHCP snooping creates an IP address to MAC address database that is used by Dynamic ARP Inspection
(DAI) to validate ARP packets. DAI compares the MAC address and IP address in ARP packets, and only permits
the traffic if the addresses match. This blocks attackers who are spoofing MAC addresses.
DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP
snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able
to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also
cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP
server.
MLS QoS has no bearing on DHCP services, so show mls qos is not correct.
The other commands are incorrect because they have invalid syntax.
Objective:
Infrastructure Security
Sub-Objective:
Describe common access layer threat mitigation techniques
Cisco > Cisco IOS IP Addressing Services Command Reference > DHCP Commands > show ip dhcp snooping