A company’s security policy does not allow outside computers or smart phones into their work
areas. All company-provided computers are strictly controlled using 802.1X authentication on all of
their switches. All computers obtain DHCP IP addresses from centralized servers and all switches
have IP spoofing enabled. However, one of the computers was able to send IP spoofed packets.
Why did the IP spoof feature fail to prevent the spoofed packets from being forwarded?
A.
The IP source guard database timeout was set too low.
B.
The DHCP snooping feature was not enabled on any of the switches.
C.
IP source guard does not prevent IP spoof attacks; you need to configure the Dynamic ARP
Inspection feature.
D.
802.1X feature was not enabled on the port that was directly connected to the infected
computer.
Additional info:
prevent IP spoofing by enabling ip source guard, which intern need dhcp snooping enabled.
—
IP source guard obtains information about IP-address/MAC-address/VLAN bindings from the DHCP snooping database. It
causes the switch to validate incoming IP packets against the entries in that database. After the DHCP snooping database has
been populated either through dynamic DHCP snooping or through configuration of specific static IP address/MAC address
bindings, the IP source guard feature builds its database. It then checks incoming packets from access interfaces on the VLANs
on which it is enabled. If the source IP addresses and source MAC addresses match the IP source guard binding entries, the
switch forwards the packets to their specified destination addresses. If no matches are found, the switch discards the packets.
—-
0
0