View all questions & answers for the NSE 5 - FortiSwitch 7.6 Administrator Exam Materials exam
Question 57 Discussion
Comments
Selected Answers: B
Option B is correct because the FortiSwitch configuration table explicitly shows that port1 is set to an untrusted state for DHCP snooping. In this specific network topology, the Linux-Server acting as the DHCP server is connected to port1. When DHCP snooping is enabled on a VLAN, the switch maintains security by only forwarding DHCP client requests to ports that have been explicitly configured as trusted. Because port1 is currently untrusted, the switch blocks the broadcast DHCP requests from reaching the server, which is why the tcpdump shows the requests leaving the client but the server receiving no traffic.
Explanation
Trust Logic: When DHCP snooping is enabled on a VLAN, the FortiSwitch distinguishes between trusted and untrusted ports.
Request Forwarding: To protect against rogue DHCP servers, a switch will only forward DHCP DISCOVER requests from clients to ports that are explicitly configured as trusted.
Port Configuration: The exhibit shows that Port1 (where the Linux-Server is connected) is set to Untrusted.
The Result: Because Port1 is untrusted, the switch drops or refuses to forward the broadcast DHCP requests from the client on Port4 to that port, preventing the server from ever seeing the traffic.
PAGE: 195 | FORTISWITCH 7.6 ADMIN GUIDE
Selected Answers: C
Option B is incorrect. DHCP snooping does not block DHCP DISCOVER or REQUEST messages on untrusted ports; client ports are expected to be untrusted. DHCP snooping blocks DHCP OFFER and ACK messages originating from untrusted ports to prevent rogue DHCP servers. In this topology, the Linux-Server is connected to an untrusted port, so its DHCP replies are dropped. The correct cause is that the DHCP server port is not trusted, not that the client port is untrusted.
- Justin Simard
2026-01-27 01:18:20
You just explained why B is correct and C is incorrect.
- Justin Simard
2026-01-27 01:18:30
You just explained why B is correct and C is incorrect.
Refer to the exhibits. You enable Dynamic Host Configuration Protocol (DHCP) snooping on the VLAN, Student. The Linux-Client VM sends DHCP requests, and tcpdump confirms the broadcasts. However, the Linux-Server VM, acting as a DHCP server, receives no DHCP traffic. What is the most likely cause of this intra-VLAN traffic being blocked? (Choose one answer)
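The two forwarding rules described in the comments above (client requests go only to trusted ports; server replies are dropped when they arrive on an untrusted port), as an added example that is not part of the original thread and is not FortiSwitchOS code. It is a simplified one-VLAN model; the function names, the sample payloads and the assumption that the client's port4 is untrusted are constructed for illustration.

```python
# Simplified model of DHCP snooping on one VLAN (added example, not FortiSwitchOS code).
MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
CLIENT_TYPES = {1, 3, 4, 7, 8}         # DISCOVER, REQUEST, DECLINE, RELEASE, INFORM
SERVER_TYPES = {2, 5, 6}               # OFFER, ACK, NAK

def dhcp_msg_type(payload: bytes):
    """Return the option 53 (message type) value of a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # End option
            return None
        if code == 0:                  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):      # truncated before the length byte
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:        # truncated option body
            return None
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop_egress(trusted: dict, ingress: str, payload: bytes) -> list:
    """Ports the frame is forwarded to; `trusted` maps port name -> bool."""
    msg = dhcp_msg_type(payload)
    others = sorted(p for p in trusted if p != ingress)
    if msg in SERVER_TYPES:
        # Server replies are accepted only when they arrive on a trusted port.
        return others if trusted[ingress] else []
    if msg in CLIENT_TYPES:
        # Client broadcasts are accepted on any port but sent only to trusted ports.
        return [p for p in others if trusted[p]]
    return []                          # modelling choice: drop unparseable DHCP

def build_dhcp(op: int, msg_type: int) -> bytes:
    """Constructed sample payload: 236-byte BOOTP header, cookie, option 53, End."""
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, msg_type, 255])

DISCOVER, OFFER = build_dhcp(1, 1), build_dhcp(2, 2)
EXHIBIT = {"port1": False, "port4": False}   # server port untrusted, as in the exhibit
FIXED = {"port1": True, "port4": False}      # server port trusted, client port untrusted
for name, cfg in (("exhibit", EXHIBIT), ("fixed", FIXED)):
    print(name, snoop_egress(cfg, "port4", DISCOVER), snoop_egress(cfg, "port1", OFFER))
```

With port1 untrusted, the model forwards neither the client's DISCOVER nor any OFFER from the server; trusting port1 alone restores both directions while port4 stays untrusted.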