DHCP Snooping

C

DHCP snooping is a security feature that can be implemented on switches to prevent unauthorized DHCP servers from providing IP addresses to clients on the network. It also helps to prevent rogue DHCP servers, which can be a security threat to the network. DHCP snooping works by intercepting DHCP packets and verifying their contents against a DHCP snooping database.

The correct statement about DHCP snooping is C. It blocks traffic from DHCP servers on untrusted interfaces.

Explanation of each option: A. DHCP snooping can only be configured on switches, not routers. It is a layer 2 security feature that operates at the access layer of the network. B. DHCP snooping uses DHCPDiscover packets to identify DHCP servers. However, it does not use these packets to identify servers. Instead, it uses a DHCP snooping database that contains information about authorized DHCP servers on the network. C. DHCP snooping blocks traffic from DHCP servers on untrusted interfaces. An interface is considered untrusted if it is not configured as a trusted interface. When a DHCP server is connected to an untrusted interface, DHCP snooping blocks DHCP packets from that server to prevent it from providing IP addresses to clients on the network. D. DHCP snooping only allows packets from trusted ports if their source MAC address is found in the binding table. If a packet is received on an untrusted interface, DHCP snooping will drop the packet by default, regardless of the source MAC address. Only packets from trusted ports that match the MAC address in the binding table are allowed through.

In conclusion, DHCP snooping is a useful security feature that can be used to protect against rogue DHCP servers. It can be configured on switches, and it blocks traffic from DHCP servers on untrusted interfaces.