A virtualization host running Windows Server 2022 was relocated to a different rack switch during weekend maintenance. After it powers on, the administrator runs ipconfig /all and sees these values:
IP address : 10.10.10.25/24
Default gateway : 10.20.20.1
DHCP server : 10.20.20.2
Other servers on VLAN 10 are still receiving gateway 10.10.10.1 from the authorized DHCP server at 10.10.10.2. A packet capture on the switch port shows the DHCP OFFER that supplied the wrong information came from a consumer-grade Wi-Fi router someone connected to an open wall jack.
Which switch feature, when properly configured, would BEST keep clients on VLAN 10 from accepting DHCP information sent by this unauthorized device?
Disable PortFast on all access ports so each port must complete full spanning-tree convergence before forwarding traffic.
Configure Link Aggregation Control Protocol (LACP) on the server's teamed NICs.
Enable DHCP snooping on VLAN 10 and mark only the uplink to the authorized DHCP server as a trusted port.
Increase the access-port MTU so the switch supports jumbo frames.
DHCP snooping allows a switch to classify interfaces as either trusted (uplinks to legitimate DHCP servers or relay agents) or untrusted (access ports). The switch inspects DHCP traffic and drops any DHCP-OFFER or ACK frames that arrive on untrusted ports, effectively blocking rogue or misconfigured DHCP servers from handing out bad IP, gateway, or DNS information.
The other options do not address the problem:
LACP simply aggregates links and has no impact on which DHCP server clients use.
Increasing MTU to support jumbo frames changes frame size, not DHCP behavior.
Disabling PortFast lengthens STP convergence but still allows rogue DHCP offers once the port is forwarding.
Therefore, enabling DHCP snooping with the authorized server's uplink marked as a trusted interface is the most effective preventive measure.
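The filtering decision described above, modeled in Python as an added example (not code from this page or from any switch vendor). The port names `uplink-1` and `access-7` and the sample payloads are constructed assumptions, and the model goes slightly beyond the text by also dropping DHCPNAK and any BOOTP reply seen on an untrusted port.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # start of the DHCP options field (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only servers send
TRUSTED_PORTS = {"uplink-1"}            # hypothetical port name: path to 10.10.10.2

def dhcp_message_type(payload: bytes):
    """Return the option 53 value of a DHCP payload, or None if absent or malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # end option
            return None
        if code == 0:                   # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                 # length byte missing
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                 # truncated option
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(port: str, payload: bytes) -> str:
    """Drop server-originated DHCP messages that arrive on an untrusted port."""
    if port in TRUSTED_PORTS:
        return "forward"
    is_reply = payload[:1] == b"\x02"   # BOOTP op 2 = BOOTREPLY
    if is_reply or dhcp_message_type(payload) in SERVER_TYPES:
        return "drop"
    return "forward"                    # client traffic (DISCOVER, REQUEST, ...)

def build(op: int, msg_type: int, yiaddr: str, router: str = "") -> bytes:
    """Constructed sample payload: fixed header, option 53, optional option 3 (router)."""
    fixed = bytearray(236)
    fixed[0] = op
    fixed[16:20] = socket.inet_aton(yiaddr)
    opts = bytes([53, 1, msg_type])
    opts += (bytes([3, 4]) + socket.inet_aton(router)) if router else b""
    return bytes(fixed) + MAGIC_COOKIE + opts + b"\xff"

ROGUE_OFFER = build(2, 2, "10.10.10.25", "10.20.20.1")   # from the Wi-Fi router
LEGIT_OFFER = build(2, 2, "10.10.10.26", "10.10.10.1")   # from 10.10.10.2
DISCOVER = build(1, 1, "0.0.0.0")                        # client broadcast
```

Calling `snoop("access-7", ROGUE_OFFER)` returns `"drop"`, while the same message type arriving on `uplink-1` is forwarded.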