PrepAway - Latest Free Exam Questions & Answers

Which of the following commands enables IP source guard with source IP and MAC address filtering on an interface? (Select the best answer.)

A. ip dhcp snooping
B. ip verify unicast source reachable-via
C. ip verify source port-security
D. ip source binding
E. switchport port-security

Explanation:

The ip verify source port-security command enables IP source guard with source IP and Media Access Control (MAC) address filtering on an interface; the ip verify source command enables IP source guard with only source IP address filtering. IP source guard blocks all IP traffic except the following packets:
– Dynamic Host Configuration Protocol (DHCP) packets allowed by DHCP snooping
– Traffic that matches entries in the IP source binding table

The IP source binding table is populated by static bindings or by DHCP snooping. If you enable IP source guard on a switch port but do not configure static IP bindings or DHCP snooping, all IP traffic will be dropped by the switch.
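The filtering rules above, as a simplified Python model (an added example, not Cisco code and not part of the original explanation). The `Binding` and `Packet` types, the `ipsg_permits` function and all addresses are constructed for illustration; matching a binding on IP, VLAN and interface, plus MAC in the port-security mode, is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the IP source binding table (static or learned by DHCP snooping)."""
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    interface: str
    dhcp_allowed: bool = False  # DHCP packet already permitted by DHCP snooping

def ipsg_permits(pkt, table, mac_filter):
    """Return True if the modelled IP source guard port forwards pkt.

    mac_filter=False models `ip verify source` (source IP only);
    mac_filter=True models `ip verify source port-security` (source IP and MAC).
    """
    if pkt.dhcp_allowed:
        return True
    for b in table:
        if (b.ip, b.vlan, b.interface) != (pkt.src_ip, pkt.vlan, pkt.interface):
            continue
        if not mac_filter or b.mac == pkt.src_mac:
            return True
    return False  # no matching binding: the packet is dropped

# Constructed sample data (documentation addresses, made-up MACs).
TABLE = [Binding("0011.2233.4455", "192.0.2.10", 10, "Gi1/0/1")]
SAMPLES = {
    "legit": Packet("0011.2233.4455", "192.0.2.10", 10, "Gi1/0/1"),
    "wrong_ip": Packet("0011.2233.4455", "192.0.2.99", 10, "Gi1/0/1"),
    "wrong_mac": Packet("00aa.bbcc.ddee", "192.0.2.10", 10, "Gi1/0/1"),
    "dhcp": Packet("00aa.bbcc.ddee", "0.0.0.0", 10, "Gi1/0/1", dhcp_allowed=True),
}

def evaluate(table, mac_filter):
    """Map each sample packet name to the permit/drop decision."""
    return {name: ipsg_permits(p, table, mac_filter) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print("ip verify source              :", evaluate(TABLE, False))
    print("ip verify source port-security:", evaluate(TABLE, True))
    print("no bindings configured        :", evaluate([], True))
```

With an empty table only the DHCP packet passes, which is the "all IP traffic will be dropped" case described above.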

The ip dhcp snooping command does not enable IP source guard; it enables DHCP snooping. Enabling DHCP snooping with IP source guard helps to mitigate DHCP spoofing attacks. In a DHCP spoofing attack, an attacker installs a rogue DHCP server on the network in an attempt to intercept DHCP requests. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address; hence all traffic is routed through the rogue DHCP server. As a result, a host that has obtained an IP address from a rogue DHCP server could become the victim of a man-in-the-middle attack in which a malicious individual eavesdrops on a network conversation between two hosts.

The ip verify unicast source reachable-via command does not enable IP source guard; it enables unicast Reverse Path Forwarding (uRPF). Like IP source guard, uRPF can mitigate spoofing attacks. uRPF checks the source IP address of a packet to determine whether the packet arrived on the best path back to the source based on routing table information. If the IP address information is spoofed, the uRPF check will fail and the packet will be dropped. Cisco Express Forwarding (CEF) must be enabled in order for uRPF to work.

The ip source binding command does not enable IP source guard; it configures a static IP binding. The IP source binding table is populated by static IP bindings or by DHCP snooping. To configure a static IP binding, you should issue the ip source binding mac-address vlan vlan-id ip-address interface interface-id command.

The switchport port-security command does not enable IP source guard; it enables port security on a switch port. By default, the switchport port-security command authorizes a maximum of one MAC address to send traffic into the port.

Reference:
www.cisco.com/c/en/us/td/docs/switches/blades/3120/software/release/12-2_40_ex/configuration/guide/3120scg/swdhcp82.pdf

