Which is the result of enabling IP Source Guard on an untrusted switch port that does not have
DHCP snooping enabled?
A. DHCP requests will be switched in the software, which may result in lengthy response times.
B. The switch will run out of ACL hardware resources.
C. All DHCP requests will pass through the switch untested.
D. The DHCP server reply will be dropped and the client will not be able to obtain an IP address.
Explanation:
DHCP snooping is a feature that provides network security by filtering untrusted DHCP messages
and by building and maintaining a DHCP snooping binding database. DHCP snooping acts like a
firewall between untrusted hosts and DHCP servers. DHCP snooping allows all DHCP messages
on trusted ports, but it filters DHCP messages on untrusted ports.
Cisco switches can use the DHCP snooping feature to mitigate attacks that rely on untrusted DHCP
messages, such as a rogue DHCP server. When DHCP snooping is enabled, switch ports are
classified as trusted or untrusted. Trusted ports are allowed to send all types of DHCP messages,
while untrusted ports can send only DHCP requests. If a DHCP reply is seen on an untrusted port,
the port is shut down.
By default, if you enable IP Source Guard without any DHCP snooping bindings on the port, a
default port access-list (PACL) that denies all IP traffic except the DHCP request (DHCPDISCOVER)
is installed on the port. Therefore the DHCP server can hear the DHCP request from the client, but
its reply is filtered by the switch and the client cannot obtain an IP address -> D is correct.
Some useful information about DHCP snooping & IP Source Guard:
When enabled along with DHCP snooping, IP Source Guard checks both the source IP and
source MAC addresses against the DHCP snooping binding database (or a static IP source entry).
If the entries do not match, the frame is filtered. For example, assume that the show ip dhcp
snooping binding command displays the following binding table entry:
MacAddress          IpAddress    LeaseSec  Type           VLAN  Interface
01:25:4A:5E:6D:25   10.0.0.20    6943      dhcp-snooping  2     FastEthernet0/1
If the switch receives an IP packet with an IP address of 10.0.0.20, IP Source Guard forwards the
packet only if the MAC address of the packet is 01:25:4A:5E:6D:25.
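The following is an added example (not Cisco code and not part of the original question) that models the two decisions described above: the DHCP snooping trusted/untrusted rule, and the IP Source Guard check against the binding table, including the no-binding case where only the client's DHCP request is permitted. The binding entry is the one from the table; the packets, the Packet/Binding classes and the rule that a DHCP client request is UDP to port 67 from 0.0.0.0 are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding (values taken from the table above)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    """Ingress packet seen on an access port (constructed test data)."""
    interface: str
    vlan: int
    src_mac: str
    src_ip: str
    src_port: int = 0   # UDP source port, 0 when not UDP
    dst_port: int = 0   # UDP destination port, 0 when not UDP


BINDING_TABLE = [Binding("01:25:4A:5E:6D:25", "10.0.0.20", 2, "FastEthernet0/1")]


def is_dhcp_client_request(pkt: Packet) -> bool:
    # Assumption: a client's DHCPDISCOVER/REQUEST is UDP to port 67 (bootps)
    # sent from the not-yet-configured address 0.0.0.0.
    return pkt.dst_port == 67 and pkt.src_ip == "0.0.0.0"


def dhcp_snooping_permits(pkt: Packet, trusted: bool) -> bool:
    """Trusted ports may send any DHCP message; untrusted ports only requests."""
    if trusted:
        return True
    is_server_reply = pkt.src_port == 67  # DHCPOFFER/ACK come from bootps
    return not is_server_reply


def ipsg_permits(pkt: Packet, bindings=BINDING_TABLE) -> bool:
    """IP Source Guard (IP+MAC mode) decision for a packet on an untrusted port."""
    port_bindings = [b for b in bindings
                     if b.interface == pkt.interface and b.vlan == pkt.vlan]
    if not port_bindings:
        # No binding learned yet: the default PACL denies all IP traffic
        # except the client's own DHCP request.
        return is_dhcp_client_request(pkt)
    # Binding present: both source IP and source MAC must match an entry.
    return any(b.ip == pkt.src_ip and b.mac.lower() == pkt.src_mac.lower()
               for b in port_bindings)
```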