Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:03,149 --> 00:00:06,720 This is a free, complete course for the CCNA. 2 00:00:06,719 --> 00:00:10,288 If you like these videos, please subscribe\n 3 00:00:10,288 --> 00:00:15,028 Also, please like and leave a comment, and\n 4 00:00:18,010 --> 00:00:21,419 In this video we will talk about DHCP snooping. 5 00:00:21,419 --> 00:00:26,800 DHCP snooping is a security feature available\n 6 00:00:26,800 --> 00:00:30,000 attacks which take advantage of DHCP. 7 00:00:30,000 --> 00:00:35,850 DHCP snooping is covered in exam topic 5.7,\n 8 00:00:35,850 --> 00:00:43,489 layer 2 security features including DHCP snooping,\n 9 00:00:43,488 --> 00:00:48,149 We already covered port security, and dynamic\n 10 00:00:48,149 --> 00:00:51,920 But for this video, let’s focus on DHCP\nsnooping. 11 00:00:51,920 --> 00:00:54,559 Here’s what we’ll cover in this video. 12 00:00:54,558 --> 00:00:59,338 Basically, it will be similar in structure\n 13 00:00:59,338 --> 00:01:05,250 I’ll introduce what DHCP snooping is, how\n 14 00:01:05,250 --> 00:01:08,430 to configure it on Cisco switches. 15 00:01:08,430 --> 00:01:12,280 And make sure to watch until the end of the\n 16 00:01:12,280 --> 00:01:17,849 Software’s ExSim for CCNA, my recommended\n 17 00:01:17,849 --> 00:01:22,739 Okay, let’s take a look at the basics of\nDHCP snooping. 18 00:01:22,739 --> 00:01:28,390 DHCP snooping is a security feature of switches\n 19 00:01:30,189 --> 00:01:34,280 I’ll tell you more about untrusted ports\nin a minute. 20 00:01:34,280 --> 00:01:38,219 Note that DHCP snooping only filters DHCP\nmessages. 21 00:01:38,219 --> 00:01:41,890 Any other non-DHCP messages aren’t affected. 22 00:01:41,890 --> 00:01:43,890 All ports are untrusted by default. 23 00:01:43,890 --> 00:01:48,030 It’s then up to you to configure which ports\nwill be trusted. 24 00:01:48,030 --> 00:01:54,299 Usually, uplink ports are configured as trusted\n 25 00:01:54,299 --> 00:01:56,719 I’ll use this diagram to explain. 26 00:01:56,719 --> 00:02:02,500 So, R1 is either a DHCP server or a DHCP relay\nagent. 27 00:02:02,500 --> 00:02:08,689 The end hosts, the PCs, will use DHCP to receive\n 28 00:02:08,689 --> 00:02:13,740 The downlink ports on the switches, the interfaces\n 29 00:02:15,310 --> 00:02:19,098 The network admin doesn’t have direct control\n 30 00:02:19,098 --> 00:02:24,810 A malicious user could initiate a DHCP-based\n 31 00:02:24,810 --> 00:02:28,479 best to leave these ports in the default untrusted\nstate. 32 00:02:28,479 --> 00:02:32,280 So, which interfaces are downlink ports? 33 00:02:32,280 --> 00:02:35,919 These ones, because they point toward the\nend hosts. 34 00:02:35,919 --> 00:02:40,628 However the uplink ports point toward the\n 35 00:02:42,939 --> 00:02:48,120 We can be pretty sure, for example, that R1\n 36 00:02:49,120 --> 00:02:53,379 So, we can configure these interfaces as trusted\nports. 37 00:02:53,378 --> 00:02:58,598 DHCP snooping won’t inspect any messages\n 38 00:03:00,049 --> 00:03:03,510 So, which ports are uplink ports? 39 00:03:03,509 --> 00:03:08,449 These ones, because they point away from the\n 40 00:03:08,449 --> 00:03:13,268 DHCP snooping won’t inspect DHCP messages\non these ports. 41 00:03:13,269 --> 00:03:18,150 Now let’s look at an example of DHCP snooping. 42 00:03:18,150 --> 00:03:23,060 PC1 sends a DHCP message, for example a DISCOVER\nmessage. 43 00:03:23,060 --> 00:03:29,259 SW1 receives the message on an untrusted port,\n 44 00:03:30,259 --> 00:03:34,688 It determines that the message is fine, so\n 45 00:03:34,688 --> 00:03:38,739 Then SW2 receives it, again on an untrusted\ninterface. 46 00:03:38,739 --> 00:03:43,450 It checks the message and determines that\n 47 00:03:43,449 --> 00:03:49,358 R1 then sends the reply, and it goes straight\n 48 00:03:50,359 --> 00:03:53,909 Why don’t the switches inspect the message\nfrom R1? 49 00:03:53,908 --> 00:03:59,120 It’s because they received it on their trusted\n 50 00:04:03,329 --> 00:04:06,489 This time PC2 sends a DHCP message. 51 00:04:06,489 --> 00:04:10,759 SW1 receives it on an untrusted port, so it\n 52 00:04:10,759 --> 00:04:16,108 However, this time it determines that the\n 53 00:04:16,108 --> 00:04:21,189 Later in this video I’ll go over exactly\n 54 00:04:21,189 --> 00:04:25,360 is OK or not, so I won’t get into the details\nnow. 55 00:04:25,360 --> 00:04:31,199 But perhaps the user of PC2 was trying to\n 56 00:04:32,620 --> 00:04:38,639 Okay, next let’s look at a couple examples\n 57 00:04:41,509 --> 00:04:46,889 First up, let’s quickly review a type of\n 58 00:04:46,889 --> 00:04:50,469 also called DHCP exhaustion, attack. 59 00:04:50,470 --> 00:04:56,520 In this attack, an attacker uses spoofed MAC\n 60 00:04:56,519 --> 00:04:58,709 And what’s the purpose of that? 61 00:04:58,709 --> 00:05:03,599 The target server’s DHCP pool becomes full,\n 62 00:05:04,930 --> 00:05:08,410 They won’t be able to get an IP address\nfrom the server. 63 00:05:08,410 --> 00:05:11,100 You already know this by now, but here’s\na review. 64 00:05:11,100 --> 00:05:16,500 The attacker sends DHCP discover messages\n 65 00:05:16,500 --> 00:05:22,089 Now, something I didn’t mention before is\n 66 00:05:22,089 --> 00:05:29,250 message, written as CHADDR, which stands for\n 67 00:05:31,149 --> 00:05:34,969 Why is this field needed, when the server\n 68 00:05:35,970 --> 00:05:41,490 Well, in a network like this where the DHCP\n 69 00:05:42,930 --> 00:05:48,750 But if the DHCP server is in a remote network\n 70 00:05:48,750 --> 00:05:53,800 relay agent, when the server receives the\n 71 00:05:53,800 --> 00:05:56,840 of the frame will not be the client’s MAC\naddress. 72 00:05:56,839 --> 00:06:01,879 So, that’s why the client hardware address\n 73 00:06:04,579 --> 00:06:08,769 The attacker sends countless fake DHCP Discover\n 74 00:06:08,769 --> 00:06:14,659 Then, when the other devices in the network\n 75 00:06:14,660 --> 00:06:21,650 is not able to assign them addresses, resulting\n 76 00:06:21,649 --> 00:06:25,669 And here’s one more example of a DHCP-based\nattack. 77 00:06:25,670 --> 00:06:31,150 Similar to ARP poisoning, DHCP poisoning can\n 78 00:06:31,149 --> 00:06:38,199 A spurious DHCP server, that just mean an\n 79 00:06:38,199 --> 00:06:42,000 DHCP Discover messages and assigns them IP\naddresses. 80 00:06:42,000 --> 00:06:46,589 But it makes the clients use the spurious\n 81 00:06:47,589 --> 00:06:54,289 So, in the network below the attacker is running\n 82 00:06:55,290 --> 00:07:00,480 R1 is the legitimate DHCP server, and also\nthe default gateway. 83 00:07:00,480 --> 00:07:05,330 Both of these DHCP servers will respond to\n 84 00:07:05,329 --> 00:07:08,609 usually accept the first Offer message they\nreceive. 85 00:07:08,610 --> 00:07:13,310 Now, in a situation like this it’s hard\n 86 00:07:13,310 --> 00:07:17,430 clients first, the attacker’s Offer or R1’s\nOffer. 87 00:07:17,430 --> 00:07:23,019 But, if the legitimate DHCP server is actually\n 88 00:07:23,019 --> 00:07:28,259 as a DHCP relay agent, then it’s almost\n 89 00:07:28,259 --> 00:07:31,769 reach the clients first, because it’s in\nthe local network. 90 00:07:31,769 --> 00:07:33,859 No need to forward traffic to a remote network. 91 00:07:33,860 --> 00:07:39,360 So, if the clients use the attacker as their\n 92 00:07:39,360 --> 00:07:44,990 networks they will send traffic to the attacker\n 93 00:07:44,990 --> 00:07:49,750 The attacker can then examine and/or modify\n 94 00:07:50,750 --> 00:07:53,149 Let’s walk through that process. 95 00:07:53,149 --> 00:07:59,199 PC1 sends a DHCP Discover message and it is\n 96 00:08:00,800 --> 00:08:05,520 So, both the attacker and R1 send Offer messages\nfor PC1. 97 00:08:05,519 --> 00:08:10,579 However, in this case the attacker’s Offer\nreaches PC1 first. 98 00:08:10,579 --> 00:08:15,639 Because it arrives first, PC1 will choose\n 99 00:08:15,639 --> 00:08:19,259 So, PC1 will send a DECLINE message to R1. 100 00:08:19,259 --> 00:08:24,230 I haven’t introduced this message type yet,\n 101 00:08:24,230 --> 00:08:33,240 However, with the attacker it completes the\n 102 00:08:33,240 --> 00:08:39,370 address, 172.16.1.10, and its default gateway\n 103 00:08:39,370 --> 00:08:45,659 So, if PC1 wants to send traffic to an external\n 104 00:08:45,659 --> 00:08:47,909 send the traffic to the attacker. 105 00:08:47,909 --> 00:08:52,179 The attacker can then examine the traffic\n 106 00:08:52,179 --> 00:08:57,870 it to the legitimate default gateway, which\n 107 00:08:57,870 --> 00:09:02,578 Because the traffic does reach its destination,\n 108 00:09:02,578 --> 00:09:06,239 traffic is being intercepted by the attacker. 109 00:09:06,240 --> 00:09:13,310 So those were two examples of DHCP-based attacks\n 110 00:09:15,559 --> 00:09:19,708 Now let’s continue looking at DHCP snooping\nitself. 111 00:09:19,708 --> 00:09:26,429 Let’s review the DHCP message types you\n 112 00:09:26,429 --> 00:09:33,670 When DHCP snooping filters messages, it differentiates\n 113 00:09:34,870 --> 00:09:41,039 DHCP server messages received on an untrusted\n 114 00:09:42,039 --> 00:09:47,278 DHCP client messages will be inspected, and\n 115 00:09:49,059 --> 00:09:53,289 So, here are messages sent by DHCP servers. 116 00:09:53,289 --> 00:09:59,230 OFFER and ACK you already know, they are used\n 117 00:09:59,230 --> 00:10:05,589 NAK is a new one, it’s the opposite of ACK\n 118 00:10:07,240 --> 00:10:10,480 And here are messages sent by DHCP clients. 119 00:10:10,480 --> 00:10:16,420 You already know DISCOVER and REQUEST, again\n 120 00:10:16,419 --> 00:10:21,078 RELEASE you already know too, I introduced\nit in the DHCP video. 121 00:10:21,078 --> 00:10:27,708 But for review, it’s used to tell the server\n 122 00:10:27,708 --> 00:10:30,539 And then there’s DECLINE, which I just showed\nearlier. 123 00:10:30,539 --> 00:10:35,708 It’s used to decline the IP address offered\nby a DHCP server. 124 00:10:35,708 --> 00:10:40,729 Make sure you learn which messages are sent\n 125 00:10:41,730 --> 00:10:45,089 It’s an important part of understanding\nDHCP snooping. 126 00:10:45,089 --> 00:10:50,579 Next, I’ll give you an outline of DHCP snooping\noperations. 127 00:10:50,578 --> 00:10:55,078 By that I mean, how it works to filter DHCP\nmessages. 128 00:10:55,078 --> 00:11:00,528 First of all, if a DHCP message is received\n 129 00:11:01,899 --> 00:11:04,828 Messages received on trusted ports won’t\nbe dropped. 130 00:11:04,828 --> 00:11:11,799 But, if a DHCP message is received on an untrusted\n 131 00:11:11,799 --> 00:11:16,120 First, if it’s a DHCP server message, discard\nit. 132 00:11:16,120 --> 00:11:21,720 DHCP servers should not be connected to untrusted\n 133 00:11:21,720 --> 00:11:27,600 So, any OFFER, ACK, or NAK messages that are\n 134 00:11:28,970 --> 00:11:36,110 However, if the message is a DHCP client message,\n 135 00:11:37,568 --> 00:11:41,328 So, these checks depend on what kind of message\nit is. 136 00:11:41,328 --> 00:11:47,649 First, for DISCOVER and REQUEST messages,\n 137 00:11:47,649 --> 00:11:53,028 if the frame’s source MAC address and the\n 138 00:11:54,179 --> 00:11:56,368 If they match, forward the frame. 139 00:11:58,720 --> 00:12:03,459 This can protect against attacks when an attacker\n 140 00:12:05,778 --> 00:12:09,730 However it’s not perfect, because the attacker\n 141 00:12:11,350 --> 00:12:17,550 Then, for RELEASE and DECLINE messages, check\n 142 00:12:17,549 --> 00:12:23,609 interface receiving the message match the\n 143 00:12:23,610 --> 00:12:25,800 If they match, forward the message. 144 00:12:27,399 --> 00:12:31,619 I haven’t mentioned the DHCP snooping binding\ntable yet. 145 00:12:31,619 --> 00:12:37,110 When DHCP snooping is enabled, the switch\n 146 00:12:37,110 --> 00:12:43,009 binding table when a client successfully leases\n 147 00:12:43,009 --> 00:12:47,230 Let’s take a look at that in the next slide. 148 00:12:47,230 --> 00:12:50,639 So let’s go over some basic DHCP snooping\nconfigurations. 149 00:12:50,639 --> 00:12:55,709 First, on SW2 I used IP DHCP SNOOPING. 150 00:12:55,708 --> 00:12:59,328 This enables DHCP snooping on the switch,\nbut it’s not enough. 151 00:12:59,328 --> 00:13:06,508 I then used IP DHCP SNOOPING VLAN 1 to tell\n 152 00:13:06,509 --> 00:13:12,949 So, you need to enable DHCP snooping globally,\n 153 00:13:12,948 --> 00:13:17,409 on each VLAN necessary, with IP DHCP SNOOPING\nVLAN. 154 00:13:17,409 --> 00:13:23,448 So, I enabled it for VLAN 1 because that’s\n 155 00:13:23,448 --> 00:13:27,278 Then I used NO IP DHCP SNOOPING INFORMATION\nOPTION. 156 00:13:27,278 --> 00:13:30,639 I’m going to explain this later, so we’ll\nskip it for now. 157 00:13:30,639 --> 00:13:35,799 It’s not always necessary, but depending\n 158 00:13:35,799 --> 00:13:41,659 Finally, I configure the G0/0 interface as\na trusted port. 159 00:13:41,659 --> 00:13:46,558 As I said before, by default all ports will\n 160 00:13:49,678 --> 00:13:56,078 G0/0 is connected to R1, which is the DHCP\n 161 00:13:59,299 --> 00:14:02,349 Then I did the exact same configurations on\nSW1. 162 00:14:02,350 --> 00:14:09,129 I configured SW1’s G0/0 as trusted, because\n 163 00:14:11,289 --> 00:14:18,578 Then I checked the DHCP snooping binding table\n 164 00:14:18,578 --> 00:14:25,638 As you can see, PC1, PC2, and PC3 were able\n 165 00:14:25,639 --> 00:14:33,068 This table logs their MAC addresses, IP addresses,\n 166 00:14:33,068 --> 00:14:37,889 As I mentioned in the previous slide, RELEASE\n 167 00:14:37,889 --> 00:14:44,539 sure their IP address and interface ID match\n 168 00:14:44,539 --> 00:14:48,629 This prevents attackers from sending these\n 169 00:14:48,629 --> 00:14:53,629 network, causing the DHCP server to believe\n 170 00:14:54,869 --> 00:15:00,730 Okay, next up another function of DHCP snooping,\n 171 00:15:00,730 --> 00:15:07,740 DHCP snooping can limit the rate at which\n 172 00:15:07,740 --> 00:15:12,850 If the rate of DHCP messages crosses the configured\n 173 00:15:12,850 --> 00:15:18,970 Then, similar to port security, the interface\n 174 00:15:18,970 --> 00:15:24,139 then NO SHUTDOWN, or automatically re-enabled\n 175 00:15:24,139 --> 00:15:27,499 Here’s how to configure DHCP rate limiting. 176 00:15:27,499 --> 00:15:36,600 I configured it on SW1’s G0/1, 2, and 3\n 177 00:15:36,600 --> 00:15:40,199 This limits DHCP messages to 1 per second. 178 00:15:40,198 --> 00:15:45,649 If the interface receives more than 1 DHCP\n 179 00:15:45,649 --> 00:15:48,720 Now, this is too low for a real network. 180 00:15:48,720 --> 00:15:53,649 If you set the limit to 1 DHCP message per\n 181 00:15:53,649 --> 00:15:57,769 get disabled even by legitimate DHCP exchanges. 182 00:15:57,769 --> 00:16:04,058 But, I set it to 1 so I could easily make\n 183 00:16:05,570 --> 00:16:11,089 These log messages show that G0/1 received\n 184 00:16:12,419 --> 00:16:19,058 So, we could manually re-enable it, but let’s\n 185 00:16:19,058 --> 00:16:25,688 Here’s how to enable errdisable recovery\nfor DHCP rate limiting. 186 00:16:25,688 --> 00:16:30,099 ERRDISABLE RECOVERY CAUSE DHCP-RATE-LIMIT. 187 00:16:30,100 --> 00:16:35,449 I then checked SHOW ERRDISABLE RECOVERY, and\n 188 00:16:39,039 --> 00:16:44,708 Also notice at the bottom that G0/1 is waiting\n 189 00:16:44,708 --> 00:16:49,299 So, what’s the purpose of rate-limiting\nDHCP messages? 190 00:16:49,299 --> 00:16:54,769 Well, it can be very useful to protect against\n 191 00:16:54,769 --> 00:17:00,818 Remember, attackers can spoof both the frame’s\n 192 00:17:00,818 --> 00:17:06,818 client hardware address field to bypass the\n 193 00:17:07,818 --> 00:17:13,119 But, with rate limiting we can prevent them\n 194 00:17:13,119 --> 00:17:16,798 of illegitimate DHCP DISCOVER messages. 195 00:17:16,798 --> 00:17:21,119 If the attacker tries to flood the server\n 196 00:17:22,709 --> 00:17:26,740 So, this is a very useful function of DHCP\nSnooping. 197 00:17:26,740 --> 00:17:33,620 Okay, let’s go over that command that I\n 198 00:17:35,359 --> 00:17:39,149 First, what is the information option? 199 00:17:39,150 --> 00:17:47,380 Option 82, also known as the DHCP relay agent\n 200 00:17:47,380 --> 00:17:52,720 In the DHCP video of this course I mentioned\n 201 00:17:57,950 --> 00:18:03,480 Option 82 provides additional information\n 202 00:18:03,480 --> 00:18:08,079 client’s message, on which interface, in\nwhich VLAN, etc. 203 00:18:08,079 --> 00:18:15,658 DHCP relay agents can add Option 82 to messages\n 204 00:18:15,659 --> 00:18:22,570 With DHCP snooping enabled, by default Cisco\n 205 00:18:22,569 --> 00:18:28,740 they receive from clients, even if the switch\n 206 00:18:32,130 --> 00:18:37,909 By default, Cisco switches will drop DHCP\n 207 00:18:41,558 --> 00:18:48,829 PC1 sends a DISCOVER message, and SW1 forwards\n 208 00:18:48,829 --> 00:18:53,319 Because SW2 receives it on an untrusted port,\n 209 00:18:53,319 --> 00:18:57,829 You can see the syslog message here, indicating\n 210 00:18:59,240 --> 00:19:05,140 So, the default settings work well if the\n 211 00:19:05,140 --> 00:19:09,399 relay agent, but in a network like this one\nit won’t work. 212 00:19:09,398 --> 00:19:16,189 So, that’s why I used this command I showed\n 213 00:19:18,538 --> 00:19:23,819 PC1 sends a DISCOVER message, and SW1 forwards\nit to SW2. 214 00:19:23,819 --> 00:19:26,619 This time it doesn’t add Option 82. 215 00:19:26,619 --> 00:19:31,459 But let’s assume that I haven’t used the\n 216 00:19:33,538 --> 00:19:38,490 So SW2 will add Option 82 and forward it to\nR1. 217 00:19:38,490 --> 00:19:40,880 This will cause R1 to drop it. 218 00:19:40,880 --> 00:19:43,640 You can see R1’s log messages below. 219 00:19:43,640 --> 00:19:49,070 Basically, it means that R1 dropped the message\n 220 00:19:50,849 --> 00:19:55,949 That’s what ‘inconsistent relay information’\n 221 00:19:55,950 --> 00:20:01,620 If a DHCP message wasn’t sent by a relay\n 222 00:20:01,619 --> 00:20:06,138 So, I added the command to SW2 also. 223 00:20:06,138 --> 00:20:11,579 This time, neither SW1 or SW2 will add option\n 224 00:20:11,579 --> 00:20:15,589 So, R1 trusts the message and responds as\nnormal. 225 00:20:15,589 --> 00:20:21,319 I’m not sure if you’ll get any questions\n 226 00:20:21,319 --> 00:20:26,399 good to know about because it can cause problems\n 227 00:20:27,898 --> 00:20:33,048 Okay, here’s a review of the new commands\n 228 00:20:33,048 --> 00:20:39,509 If you don’t remember any of these commands,\n 229 00:20:39,509 --> 00:20:43,220 Before moving on to the quiz, let’s review\n 230 00:20:43,220 --> 00:20:46,649 I first introduced what DHCP snooping is. 231 00:20:46,648 --> 00:20:52,729 It’s a security feature of switches that\n 232 00:20:52,730 --> 00:20:57,649 It works by inspecting DHCP messages that\n 233 00:21:00,288 --> 00:21:05,940 It can also control the rate at which DHCP\n 234 00:21:05,940 --> 00:21:11,269 It can prevent attacks like DHCP exhaustion\nand DHCP poisoning. 235 00:21:11,269 --> 00:21:16,039 We also looked at how to configure DHCP snooping\n 236 00:21:16,039 --> 00:21:20,859 Remember to enable it globally, enable it\n 237 00:21:23,839 --> 00:21:30,538 Also keep option 82 in mind, you may need\n 238 00:21:32,720 --> 00:21:37,890 As always, watch until the end of the quiz\n 239 00:21:37,890 --> 00:21:41,570 ExSim, my recommended practice exams for the\nCCNA. 240 00:21:41,569 --> 00:21:46,960 Okay, let’s go to question 1 of the quiz. 241 00:21:46,960 --> 00:21:52,110 Which of the following DHCP message types\n 242 00:21:52,109 --> 00:21:54,129 DHCP snooping untrusted interface? 243 00:21:54,130 --> 00:22:03,470 (select three) Okay, pause the video now to\n 244 00:22:09,429 --> 00:22:15,659 These DHCP message types will always be discarded\n 245 00:22:15,659 --> 00:22:17,429 because they are sent from DHCP servers. 246 00:22:17,429 --> 00:22:22,900 DHCP servers should not be connected to untrusted\ninterfaces. 247 00:22:27,089 --> 00:22:32,079 Which of the following is NOT stored in the\n 248 00:22:32,079 --> 00:22:36,058 Pause the video now to select the correct\nanswer. 249 00:22:36,058 --> 00:22:41,339 Okay, the answer is D, default gateway. 250 00:22:41,339 --> 00:22:45,689 Here you can see what the DHCP snooping binding\n 251 00:22:45,690 --> 00:22:48,110 The default gateway is not displayed. 252 00:22:48,109 --> 00:22:52,928 Okay, let’s go to question 3. 253 00:22:52,929 --> 00:22:56,120 Which of the following are functions of DHCP\nsnooping? 254 00:22:56,119 --> 00:23:02,268 (select two) Pause the video now to select\nthe best answers. 255 00:23:02,269 --> 00:23:10,808 Okay, the answers are A, limiting the rate\n 256 00:23:13,069 --> 00:23:19,089 DHCP snooping won’t filter messages on trusted\n 257 00:23:20,089 --> 00:23:23,269 It will only filter those that are received\non untrusted ports. 258 00:23:23,269 --> 00:23:27,569 Okay, let’s go to question 4. 259 00:23:27,569 --> 00:23:33,789 When DHCP snooping inspects a DHCP DISCOVER\n 260 00:23:34,808 --> 00:23:41,980 (select the two best answers) Pause the video\n 261 00:23:41,980 --> 00:23:50,650 Okay, the answers are A, source MAC address,\n 262 00:23:50,650 --> 00:23:56,000 Source MAC address refers to the source MAC\n 263 00:23:56,000 --> 00:23:59,919 address is a field in the DHCP message itself. 264 00:23:59,919 --> 00:24:03,850 If the two match, DHCP snooping permits the\nmessage. 265 00:24:03,849 --> 00:24:06,000 If they don’t match, the message will be\ndiscarded. 266 00:24:09,919 --> 00:24:16,509 DHCP snooping rate-limiting is configured\n 267 00:24:16,509 --> 00:24:21,920 What happens if DHCP messages are received\n 268 00:24:23,079 --> 00:24:29,720 Pause the video now to select the best answer. 269 00:24:29,720 --> 00:24:33,120 The answer is B, the interface will be disabled. 270 00:24:33,119 --> 00:24:37,869 To re-enable it, you can either SHUTDOWN and\n 271 00:24:37,869 --> 00:24:41,898 configure errdisable recovery for the dhcp-rate-limit\ncause. 272 00:24:41,898 --> 00:24:45,168 Okay, that’s all for the quiz. 273 00:24:45,169 --> 00:25:05,549 Now let’s take a look at a bonus question\n 22654