PrepAway - Latest Free Exam Questions & Answers

Which two statements about this Layer 3 security configuration example are true?

Refer to the exhibit.

Which two statements about this Layer 3 security configuration example are true? (Choose two.)


A.
Static IP source binding can be configured only on a routed port.

B.
Source IP and MAC filtering on VLANs 10 and 11 will occur.

C.
DHCP snooping will be enabled automatically on the access VLANs.

D.
IP Source Guard is enabled.

E.
The switch will drop the configured MAC and IP address source bindings and forward all other traffic.

Explanation:
Cisco Catalyst switches can use the IP source guard feature to detect and suppress address spoofing attacks—even if they occur within the same subnet. IP source guard does this by making use of the DHCP snooping database, as well as static IP source binding entries. If DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP. Packets arriving on a switch port can be tested for one of the following conditions:
• The source IP address must be identical to the IP address learned by DHCP snooping or a static entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface where the address is learned.
• The source MAC address must be identical to the MAC address learned on the switch port and by DHCP snooping. Port security is used to filter traffic.
For the hosts that don't use DHCP, you can configure a static IP source binding with the following configuration command:
Switch(config)#ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Here, the host's MAC address is bound to a specific VLAN and IP address, and is expected to be found on a specific switch interface. Next, enable IP source guard on one or more switch interfaces with the following configuration commands:
Switch(config)#interface type mod/num
Switch(config-if)#ip verify source [port-security]
The ip verify source command will inspect the source IP address only. You can add the port-security keyword to inspect the source MAC address, too.
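The commands above, put together into one complete Catalyst configuration as an added example (not the exhibit from the question and not taken from the referenced guide). The VLAN numbers, interface names, MAC address and IP address are constructed placeholders; note that DHCP snooping is switched on explicitly, since IP source guard consumes its binding database but does not enable it.

```cisco
! Constructed example: IP source guard with DHCP snooping plus one static binding.
! Interface names, VLANs, MAC and IP addresses are placeholders, not from the exhibit.
!
! 1. DHCP snooping must be enabled globally and per access VLAN; IP source guard
!    reads the bindings that snooping learns but does not turn snooping on.
ip dhcp snooping
ip dhcp snooping vlan 10,11
!
! 2. The uplink towards the DHCP server is trusted so server replies are accepted.
interface GigabitEthernet1/0/24
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! 3. A host in VLAN 10 that does not use DHCP gets a static source binding:
!    MAC 0011.2233.4455 is tied to 192.0.2.10 and expected on Gi1/0/1.
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet1/0/1
!
! 4. Access port for the static host: IP + MAC checking. The port-security
!    keyword requires port security to be enabled on the interface.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! 5. Access port for DHCP clients in VLAN 11: source IP checking only, using
!    the bindings learned by DHCP snooping.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 11
 ip verify source
!
! Verification (exec mode):
!   show ip dhcp snooping binding   - dynamic bindings learned from DHCP
!   show ip source binding          - static and dynamic bindings in use
!   show ip verify source           - per-interface filter type and allowed IP/MAC
```

Traffic on Gi1/0/1 whose source IP or MAC differs from the binding is dropped by the per-port ACL and port security; on Gi1/0/2 only the source IP is checked against the snooping database.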
Reference: CCNP BCMSN Official Exam Certification Guide, Fourth Edition, Chapter 15: Securing Switch Access, IP Source Guard, p. 397