A switch has DHCP snooping enabled globally, but clients on an access port still receive rogue DHCP offers from an unauthorized device on another access port.
Which additional action should be verified first?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Verify that the client-facing access ports are trusted.
    Incorrect: client-facing access ports should normally be untrusted, not trusted.
Verify that the uplink toward the legitimate DHCP server is trusted.
    Correct: the legitimate server or uplink must be trusted, while rogue client ports stay untrusted.
Disable Option 82 insertion.
    Incorrect: Option 82 is not the first thing to check for rogue offers in this scenario.
Enable BPDU Guard on the uplink.
    Incorrect: BPDU Guard is unrelated to DHCP snooping trust behavior.
Common exam trap
A frequent exam trap is to assume that enabling DHCP snooping globally automatically protects the network from rogue DHCP servers. Candidates may overlook the necessity of configuring the uplink port toward the legitimate DHCP server as trusted. Without this, DHCP server replies from the authorized server are blocked, while rogue DHCP offers from other untrusted ports may still reach clients. This misconfiguration leads to clients receiving incorrect IP addresses, defeating the purpose of DHCP snooping. The trap lies in confusing global enablement with complete protection, ignoring the critical trust assignment step.
Technical deep dive
DHCP snooping is a security feature on Cisco switches that filters untrusted DHCP messages so that rogue DHCP servers cannot hand out incorrect IP addresses to clients. It classifies each switch port as trusted or untrusted: trusted ports may forward DHCP server messages, while untrusted ports may only forward DHCP client messages. Only authorized DHCP servers can therefore respond to client requests.

Once DHCP snooping is enabled globally, correct operation depends on the port trust states. Access ports connected to clients normally remain untrusted, which blocks rogue DHCP offers arriving on them. The uplink toward the legitimate DHCP server must be explicitly configured as trusted so that the authorized server's replies are allowed through. If the uplink is not trusted, the legitimate server's messages are dropped, and if the trust settings are otherwise misconfigured, offers from a rogue DHCP server on an access port may still reach clients.

The exam trap is assuming that global enablement alone blocks rogue DHCP servers. If the uplink to the legitimate server is not trusted, the switch may inadvertently allow rogue offers from other untrusted ports while dropping the legitimate ones, and clients end up with incorrect IP information. Understanding the trust model and verifying the uplink's trust status is therefore the first check when securing DHCP services on Cisco switches.
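As an added illustration, not part of the original question page, the following Cisco IOS configuration places the misconfiguration described in the scenario beside the corrected version. The interface names and VLAN 10 are assumed for the example. The per-VLAN `ip dhcp snooping vlan` command is included because on Cisco IOS the global `ip dhcp snooping` command alone does not activate snooping on any VLAN.

```cisco
! --- Misconfigured state (assumed example, not from the page) ---
! DHCP snooping is enabled globally and on VLAN 10, but no port is trusted.
! The legitimate server's replies arriving on the uplink are dropped like any
! other server message on an untrusted port.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description Uplink toward the legitimate DHCP server (assumed)
 switchport mode trunk
 ! "ip dhcp snooping trust" is missing here: this is the misconfiguration
!
! --- Corrected state ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description Uplink toward the legitimate DHCP server (assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
! Client-facing access ports stay untrusted (the default), so DHCP server
! messages from a rogue device on any of them are dropped. The rate limit is
! optional hardening against a flood of DHCP client messages from one port.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Verification: confirm that only the uplink is listed as trusted and that
! the snooping VLAN list includes the client VLAN.
! show ip dhcp snooping
! show ip dhcp snooping binding
```

When troubleshooting the scenario in the question, `show ip dhcp snooping` is the first command to run: it lists the VLANs on which snooping is active and, per interface, whether the port is trusted. An uplink that is absent from the trusted list is exactly the condition the correct answer asks you to verify.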
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practise DHCP scopes, relay, leases and troubleshooting.
Practise routing-table output, longest-prefix match, AD and route selection.
Practise trunk verification and VLAN forwarding across switches.
Practise WLAN security, authentication and wireless architecture concepts.
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
FAQ
DHCP snooping classifies switch ports as trusted or untrusted to control which ports can send DHCP server messages.
The correct answer is: Verify that the uplink toward the legitimate DHCP server is trusted. — With DHCP snooping, only trusted ports should be allowed to send server replies. Access ports facing clients should remain untrusted.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.