Exam 350-701 topic 1 question 622 discussion

D is correct an ACL will not do anything on the same VLAN

Since a rogue DHCP server has assigned an IP address to a device (MAC: 04:66:96:79:0:AB), the administrator must block DHCP replies from unauthorized sources using an ACL to only allow traffic from the trusted DHCP server. ❌ A. Apply DHCP option 82 to identify the trusted DHCP server. Option 82 (DHCP Relay Agent Information) is used for tracking clients, not blocking rogue DHCP servers. ❌ B. Configure each device manually to use the authorized DHCP server. Manually assigning DHCP servers on all clients is not scalable and defeats the purpose of automated DHCP. ❌ D. Implement DHCP option 82 to relay DHCP requests to the trusted server. Option 82 does not block rogue servers, it only helps track DHCP request origins.

It can be that DHCP Option 82 allows the DHCP server to receive additional information about the requesting device, such as its MAC address, VLAN ID, and other relevant attributes. And it make it easy to find the rouge DHCP server if the scenario is looking for the rouge

Answer c

With the DHCP option-82 on untrusted port feature enabled, the switch does not drop DHCP packets that include option-82 information that are received on untrusted ports. https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html#wp1109594

An access list is not the right tool for this purpose, but it is closer to it than option 82. Setting the DHCP server manually is not really practical. The purpose of dynamic IP assignment is to avoid cumbersome manual IP settings on each client.

I think this is about a rouge DHCP server sending a DHCP reply to a DHCP client. Could someone explain to me please, how would the option 82 prevent that? I think that option 82 is rather for verifying if the client is legitimate for receiving a reply, and can also be used for assigning an IP based on the client information (provided by the switch).