Home > IP Source Guard Questions

IP Source Guard Questions

November 16th, 2019 Go to comments

Question 1

Explanation

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html

Question 2

Question 3

Question 4

Question 5

Question 6

Comments

John2020

January 22nd, 2020

Q:5 Both B and C look correct

refer to following links :

https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/show-ip-dhcp-snooping-binding.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.pdf

Please provide help?
FB

January 28th, 2020

Q5 – Answer is C & D

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html#48175
suntzu

February 15th, 2020

@Burìk
November 1st, 2019
Q2
A is wrong, answer is E.

BPDUguard makes so that when an interface receives a BPDU that interface goes into err-disable mode, so that you can’t just go to a wall plug and plug a rogue switch in or any other device that will allow you to execute a man-in-the-middle attack. The following command globally activates BPDU Guard on all interfaces with Portfast enabled, so the “campus-wide” requirement is also fullfilled:
(config)#spanning-tree portfast bpduguard

That’s only for switches, not laptops or whatever else.

No trackbacks yet.

DHCP Snooping 3 Dynamic ARP Inspection DAI

IP Source Guard Questions

Premium Membership

ENSDWI Training

ENSDWI 300-415 v1.2

ENSDWI 300-415 (expired)

Network Resources