PrepAway - Latest Free Exam Questions & Answers

Which procedure would best defend against this type of attack?

An attacker is launching a DoS attack on the Company network using a hacking tool
designed to exhaust the IP address space available from the DHCP servers for a period of
time. Which procedure would best defend against this type of attack?

A. Configure only trusted interfaces with root guard.

B. Implement private VLANs (PVLANs) to carry only user traffic.

C. Implement private VLANs (PVLANs) to carry only DHCP traffic.

D. Configure only untrusted interfaces with root guard.

E. Configure DHCP spoofing on all ports that connect untrusted clients.

F. Configure DHCP snooping only on ports that connect trusted DHCP servers.

G. None of the other alternatives apply

Explanation:
Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of
attack. When DHCP snooping is enabled, switch ports are categorized as trusted or
untrusted. Legitimate DHCP servers sit behind trusted ports, whereas all other hosts
sit behind untrusted ports.
By default, all switch ports are assumed to be untrusted, so DHCP replies are neither
expected nor permitted on them. Only trusted ports are allowed to send DHCP replies. Therefore, you
should identify only the ports where known, trusted DHCP servers are located and mark them as trusted. You can do
this with the following interface configuration command:
Switch(config-if)#ip dhcp snooping trust
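A worked DHCP snooping configuration, added here as an illustration and not part of the original explanation. It assumes a Catalyst switch with the DHCP server reachable through GigabitEthernet0/1 and user ports GigabitEthernet0/2 through 0/24 in VLAN 10; the interface names, VLAN number, database file name and rate-limit values are assumptions.

```cisco
! Enable DHCP snooping globally and on the user VLAN (VLAN 10 is an assumed value)
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the binding table so it survives a reload (assumed file name)
ip dhcp snooping database flash:dhcp-snoop.db
!
! Port facing the legitimate DHCP server: the only port allowed to forward DHCP replies
interface GigabitEthernet0/1
 description Uplink to trusted DHCP server (assumed)
 ip dhcp snooping trust
!
! Client access ports stay untrusted (the default): any DHCP server reply arriving
! here is dropped, and the per-port rate limit (packets per second) blunts a single
! client flooding DISCOVER messages in an attempt to exhaust the address pool
interface range GigabitEthernet0/2 - 24
 description User access ports (assumed range)
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 10
!
! A port that exceeds its limit is err-disabled; re-enable it automatically after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verify trust state, rate limits and the learned client bindings
do show ip dhcp snooping
do show ip dhcp snooping binding
```

In `show ip dhcp snooping` output, only GigabitEthernet0/1 should list as trusted; a user port that has gone err-disabled under load is the signal to investigate the attached host.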