Questions: DHCP Relay Agents and DHCP Snooping Security
5 questions to test your understanding
Question 1 Multiple Choice
An attacker on an enterprise network plugs a rogue device into a switch port and configures it to respond to DHCP Discover messages with a fake default gateway. DHCP snooping is enabled. What happens to the attacker's DHCP Offer messages?
A. They are forwarded normally because DHCP snooping only filters requests, not responses
B. They are dropped by the switch because DHCP server messages (Offer/Ack) are only permitted on trusted ports
C. They succeed unless Dynamic ARP Inspection is also enabled
D. They are rate-limited but not dropped, reducing the attack's effectiveness
Answer: B
DHCP snooping classifies switch ports as trusted (connected to legitimate DHCP servers or uplinks) or untrusted (connected to end hosts). It permits DHCP server-originated messages (Offer, Ack, Nak) only on trusted ports and drops them on untrusted ports. Since the attacker's rogue device is connected to an untrusted access port, its Offer messages are silently discarded. The legitimate DHCP server on a trusted uplink is unaffected. This is the primary security value of DHCP snooping.
Question 2 Multiple Choice
A router interface connecting to a remote subnet is configured as a DHCP relay agent. What does the relay add to the DHCP Discover message before forwarding it, and why is this information essential?
A. The client's resolved hostname, so the DHCP server can create a DNS record for the new lease
B. A lease time preference, so the server knows how long the client wants the address
C. The relay's own interface IP address in the giaddr field, so the server knows which subnet to allocate from
D. The client's broadcast flag, converted to unicast so the server can respond directly
Answer: C
The DHCP server uses the giaddr (gateway IP address) field to determine which address pool to draw from. Without giaddr, the server cannot distinguish a request from subnet 10.1.1.0/24 from one originating on 192.168.5.0/24. The relay inserts its own interface IP — one that belongs to the client's subnet — giving the server a topological anchor. This is why each relay interface must have an IP address on the subnet it serves. The relay then forwards the server's response back to the appropriate subnet.
Question 3 True / False
A DHCP relay agent is transparent to the client — from the client's perspective, it appears as though a DHCP server is directly reachable on the local subnet.
T. True
F. False
Answer: True
The relay intercepts the client's broadcast Discover, converts it to a unicast message to the remote DHCP server, and forwards the server's response back to the client's subnet (usually re-broadcast). The client sees a normal DORA exchange and has no visibility into the relay operation. This transparency is intentional — it allows enterprise networks to centralize DHCP management without requiring clients to know about relay agents or remote servers.
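The relay behaviour described in Questions 2 and 3 can be traced end to end with a small simulation. This is an added example, not part of the original quiz: it encodes a minimal DHCP Discover with the real 236-byte BOOTP header layout, has a relay stamp giaddr and bump the hop count, and has a server choose its pool from giaddr alone. The server, pool contents, relay address and the `DhcpServer`/`relay_upstream` helpers are constructed for illustration; the subnets 10.1.1.0/24 and 192.168.5.0/24 are the ones the quiz mentions.

```python
"""Added example (not from the quiz): how a DHCP relay agent's giaddr lets a
remote DHCP server pick the right pool. Addresses, pool contents and the
DhcpServer/relay_upstream helpers are constructed for illustration."""
import ipaddress
import struct

HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"             # DHCP options magic cookie
DISCOVER, OFFER = 1, 2                  # option 53 message-type values


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build(op, hops, xid, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, mtype):
    """Encode a minimal DHCP packet: BOOTP header + option 53 + end option."""
    fixed = struct.pack(HEADER, op, 1, 6, hops, xid, 0, flags,
                        packed(ciaddr), packed(yiaddr), packed(siaddr), packed(giaddr),
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC + bytes([53, 1, mtype, 255])


def parse(pkt):
    """Decode the header fields the relay and the server care about."""
    f = struct.unpack(HEADER, pkt[:236])
    opts, i, mtype = pkt[240:], 0, None
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                 # pad option carries no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            mtype = opts[i + 2]
        i += 2 + length
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": ip(f[7]), "yiaddr": ip(f[8]), "siaddr": ip(f[9]),
            "giaddr": ip(f[10]), "chaddr": f[11][:6], "mtype": mtype}


def relay_upstream(pkt, relay_iface_ip):
    """Relay agent: set giaddr to its own interface IP on the client's subnet
    (unless an earlier relay already set it), increment hops, then unicast
    the result to the server instead of the client's broadcast."""
    p = parse(pkt)
    giaddr = relay_iface_ip if p["giaddr"] == "0.0.0.0" else p["giaddr"]
    return build(p["op"], p["hops"] + 1, p["xid"], p["flags"], p["ciaddr"],
                 p["yiaddr"], p["siaddr"], giaddr, p["chaddr"], p["mtype"])


class DhcpServer:
    """Server with one address pool per subnet; it selects the pool by giaddr."""

    def __init__(self, ip, local_subnet, pools):
        self.ip = ip
        self.local = ipaddress.ip_network(local_subnet)
        self.pools = {ipaddress.ip_network(n): list(a) for n, a in pools.items()}

    def select_pool(self, giaddr):
        # giaddr 0.0.0.0 means "client is on my own link", so use the local subnet
        anchor = (self.local.network_address if giaddr == "0.0.0.0"
                  else ipaddress.ip_address(giaddr))
        return next((n for n in self.pools if anchor in n), None)

    def handle(self, pkt):
        p = parse(pkt)
        net = self.select_pool(p["giaddr"])
        if p["mtype"] != DISCOVER or net is None or not self.pools[net]:
            return None                   # no topological anchor: cannot place the client
        yiaddr = self.pools[net].pop(0)
        # The Offer is unicast to giaddr (the relay), which re-broadcasts it locally
        return build(2, p["hops"], p["xid"], p["flags"], "0.0.0.0", yiaddr,
                     self.ip, p["giaddr"], p["chaddr"], OFFER)


def run_exchange(with_relay):
    """Constructed topology: client on 10.1.1.0/24, server on 192.168.100.0/24."""
    server = DhcpServer("192.168.100.10", "192.168.100.0/24",
                        {"10.1.1.0/24": ["10.1.1.10", "10.1.1.11"],
                         "192.168.5.0/24": ["192.168.5.10"]})
    discover = build(1, 0, 0x3903F326, 0x8000, "0.0.0.0", "0.0.0.0",
                     "0.0.0.0", "0.0.0.0", bytes.fromhex("0011223344aa"), DISCOVER)
    upstream = relay_upstream(discover, "10.1.1.1") if with_relay else discover
    offer = server.handle(upstream)
    if offer is None:
        return None
    o = parse(offer)
    # From the client's view: an Offer carrying its own xid, a yiaddr in its
    # subnet and siaddr = the server. Nothing reveals that a relay was in the path.
    return {"xid": o["xid"], "yiaddr": o["yiaddr"], "siaddr": o["siaddr"],
            "giaddr": o["giaddr"], "hops": o["hops"]}
```

Running `run_exchange(False)` shows the failure the quiz describes: the Discover reaches the server with giaddr still 0.0.0.0, the server falls back to its own link, finds no pool there and cannot answer. With the relay in the path the same Discover is answered from 10.1.1.0/24, and the client's copy of the Offer looks exactly like one from a server on its own segment.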
Question 4 True / False
DHCP snooping and port security serve the same function, so enabling both is redundant for switch-level access control.
T. True
F. False
Answer: False
They are complementary, not redundant. Port security limits which MAC addresses can send frames on a port (preventing MAC flooding and unauthorized device connections). DHCP snooping prevents rogue DHCP servers and builds an IP-MAC-port binding database. These binding tables then feed into Dynamic ARP Inspection (DAI), which prevents ARP spoofing, and IP Source Guard, which prevents IP address spoofing. Each mechanism targets a different attack vector; together they form a layered access-layer security model.
Question 5 Short Answer
How does the DHCP snooping binding database enable security features beyond DHCP itself, and what specific attacks do those dependent features prevent?
Model answer: The binding database maps each client's MAC address, assigned IP address, lease time, VLAN, and switch port. Dynamic ARP Inspection (DAI) uses this database to validate ARP messages: it drops ARP replies where the claimed IP-MAC mapping contradicts the binding table, preventing ARP spoofing and man-in-the-middle attacks. IP Source Guard uses the same database to drop IP packets from hosts using IP addresses not matching their binding entry, preventing IP address spoofing. Without the binding database created by snooping, neither DAI nor IP Source Guard has a ground-truth reference to check against.
The binding database is the shared foundation of access-layer security. DHCP snooping creates it; DAI and IP Source Guard consume it. This layered design means an attacker who bypasses DHCP (e.g., statically configures an IP) is caught by IP Source Guard; one who forges ARP is caught by DAI. All three features must be deployed together for comprehensive protection.
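The trusted/untrusted filter from Question 1 and the binding-table dependencies from Questions 4 and 5 can be seen together in one switch model. This is an added example, not part of the original quiz and not any vendor's implementation: a `Switch` class applies the snooping rule to DHCP messages, records a binding when a lease completes, and exposes DAI and IP Source Guard checks that consult that binding table. Port names, MAC addresses, VLAN and IP addresses are constructed; the message dictionaries stand in for the relevant DHCP and ARP header fields.

```python
"""Added example (not from the quiz): a switch model showing DHCP snooping's
trusted/untrusted filter, the binding table it builds from completed leases,
and the DAI and IP Source Guard checks that consume that table. Port names,
MACs, VLAN and addresses are constructed for illustration."""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # only legitimate on trusted ports
CLIENT_MSGS = {"DISCOVER", "REQUEST"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # (vlan, mac) -> Binding
        self.pending = {}    # (vlan, mac) -> ingress port of the client's request
        self.log = []

    def _drop(self, why):
        self.log.append("DROP " + why)
        return False

    def dhcp_snoop(self, port, vlan, src_mac, msg):
        """DHCP snooping. Returns True if the message is forwarded."""
        kind = msg["type"]
        if kind in SERVER_MSGS and port not in self.trusted:
            return self._drop(f"{kind} from {src_mac} on untrusted {port}")
        if kind in CLIENT_MSGS:
            if port not in self.trusted and src_mac != msg["chaddr"]:
                return self._drop(f"{kind} chaddr/source MAC mismatch on {port}")
            self.pending[(vlan, msg["chaddr"])] = port
        if kind == "ACK":    # lease granted on a trusted port: record the binding
            client_port = self.pending.pop((vlan, msg["chaddr"]), None)
            if client_port is not None:
                self.bindings[(vlan, msg["chaddr"])] = Binding(
                    msg["chaddr"], msg["yiaddr"], vlan, client_port, msg["lease"])
        return True

    def dai_check(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: ARP sender IP/MAC must match a binding."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip:
            return self._drop(f"ARP {sender_ip} is-at {sender_mac} on {port}")
        return True

    def ipsg_check(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: IP traffic only from the (IP, MAC) bound to this port."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_mac))
        if b is None or b.ip != src_ip or b.port != port:
            return self._drop(f"IP {src_ip}/{src_mac} on {port}")
        return True


def run_scenario():
    """Constructed scenario: DHCP server behind the uplink Gi1/0/24 (trusted),
    a client on Gi1/0/2 and a rogue device on Gi1/0/7, all in VLAN 10."""
    sw = Switch(trusted_ports={"Gi1/0/24"})
    client, rogue, server = "00:11:22:33:44:aa", "de:ad:be:ef:00:07", "00:50:56:00:00:01"
    # Normal DORA exchange; server messages arrive on the trusted uplink.
    sw.dhcp_snoop("Gi1/0/2", 10, client, {"type": "DISCOVER", "chaddr": client})
    offer_ok = sw.dhcp_snoop("Gi1/0/24", 10, server,
                             {"type": "OFFER", "chaddr": client, "yiaddr": "10.1.1.10"})
    sw.dhcp_snoop("Gi1/0/2", 10, client, {"type": "REQUEST", "chaddr": client})
    sw.dhcp_snoop("Gi1/0/24", 10, server,
                  {"type": "ACK", "chaddr": client, "yiaddr": "10.1.1.10", "lease": 86400})
    return {
        # Q1: an Offer arriving on an untrusted access port is discarded
        "rogue_offer_forwarded": sw.dhcp_snoop("Gi1/0/7", 10, rogue,
            {"type": "OFFER", "chaddr": client, "yiaddr": "10.1.1.200"}),
        "legit_offer_forwarded": offer_ok,
        "binding": sw.bindings[(10, client)],
        # Q5: DAI compares the ARP sender fields against the binding table
        "client_arp_ok": sw.dai_check("Gi1/0/2", 10, client, "10.1.1.10"),
        "rogue_arp_as_gateway": sw.dai_check("Gi1/0/7", 10, rogue, "10.1.1.1"),
        # Q5: IPSG catches a host that skipped DHCP and configured an address by hand
        "rogue_static_ip": sw.ipsg_check("Gi1/0/7", 10, rogue, "10.1.1.50"),
        "client_ip_ok": sw.ipsg_check("Gi1/0/2", 10, client, "10.1.1.10"),
        "drops": sw.log,
    }
```

The binding is keyed by VLAN and client MAC but also records the ingress port, which is why `ipsg_check` can reject traffic that carries a valid IP/MAC pair on the wrong port. Note the dependency order the quiz describes: if `dhcp_snoop` never sees the ACK, `bindings` stays empty and both `dai_check` and `ipsg_check` have nothing to validate against, so they drop even the legitimate client's traffic on untrusted ports.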