IP Source Guard: True Statements, Benefits, and Implementation Guide | Cisco Exam 400-151

IP Source Guard Implementation Guide

Question

Which two statements about IP Source Guard are true? (Choose two.)

Answers

Explanations


AC.

IP Source Guard is a security feature that helps prevent IP spoofing attacks on a network. It is typically implemented on switches or routers and can limit IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. Here are the two true statements about IP Source Guard:

A. IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry.

This statement is true. When IP Source Guard is enabled on an interface, it will only allow IP traffic from sources that have a valid IP-MAC address binding table entry or a static IP source entry. This helps prevent IP spoofing attacks, as it ensures that only legitimate hosts can send IP traffic on the network.

E. IP Source Guard is independent of DHCP snooping to build and maintain the IP-MAC address binding table.

This statement is also true. IP Source Guard can use the IP-MAC address binding table to limit IP traffic, but it is not dependent on DHCP snooping to build or maintain the table. IP Source Guard can build the binding table based on DHCP snooping, static entries, or a combination of both. Once the binding table is built, IP Source Guard can use it to filter IP traffic on the interface.

B, C, and D are false statements:

B. By default, IP Source Guard is enabled on all interfaces.

This statement is false. IP Source Guard is not enabled by default on all interfaces. It must be configured and enabled on each interface individually.

C. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic, until the hosts on the interface receive a new IP address from a DHCP server.

This statement is false. Enabling IP Source Guard should not cause disruption in IP traffic. However, if the interface is configured to use DHCP, it may take some time for the hosts to receive a new IP address from the DHCP server and for the binding table to be updated.

D. IP Source Guard requires that DHCP snooping is disabled.

This statement is false. IP Source Guard can work with DHCP snooping to build and maintain the IP-MAC address binding table. However, it is not dependent on DHCP snooping and can also use static entries to build the table.
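The filtering described in the explanations above, sketched as an added Python example that is not part of the original page or any vendor code: a binding table fed by both DHCP-snooping-learned and static entries, checked only on interfaces where the filter has been enabled. The class and function names are hypothetical, the addresses are constructed from documentation ranges, and the exact match on (interface, IP, MAC) is a simplifying assumption.

```python
from dataclasses import dataclass, field

@dataclass
class SourceGuard:
    """Toy model (hypothetical names) of the per-interface source check."""
    # (interface, ip, mac) -> how the entry was created
    bindings: dict = field(default_factory=dict)
    # Interfaces where the filter is switched on; empty by default.
    enabled: set = field(default_factory=set)

    def learn_dhcp(self, interface, ip, mac):
        """Entry as DHCP snooping would record it after a lease."""
        self.bindings[(interface, ip, mac.lower())] = "dhcp-snooping"

    def add_static(self, interface, ip, mac):
        """Entry configured by hand, e.g. for a statically addressed server."""
        self.bindings[(interface, ip, mac.lower())] = "static"

    def check(self, interface, src_ip, src_mac):
        """Return (permitted, reason) for one frame."""
        if interface not in self.enabled:
            return True, "filter not enabled on interface"
        origin = self.bindings.get((interface, src_ip, src_mac.lower()))
        if origin is None:
            return False, "no binding for source"
        return True, f"matched {origin} binding"

def dropped_frames(guard, frames):
    """Frames the filter would drop: candidates for spoofing review."""
    return [f for f in frames if not guard.check(*f)[0]]

def build_demo():
    # Constructed sample data: documentation IP and MAC ranges only.
    g = SourceGuard()
    g.learn_dhcp("Eth1/1", "192.0.2.10", "00:00:5E:00:53:0A")
    g.add_static("Eth1/2", "192.0.2.20", "00:00:5E:00:53:14")
    g.enabled.update({"Eth1/1", "Eth1/2"})  # Eth1/3 left unfiltered
    frames = [
        ("Eth1/1", "192.0.2.10", "00:00:5e:00:53:0a"),  # leased host
        ("Eth1/1", "192.0.2.20", "00:00:5e:00:53:0a"),  # claims the server's IP
        ("Eth1/2", "192.0.2.20", "00:00:5e:00:53:14"),  # static server
        ("Eth1/3", "192.0.2.99", "00:00:5e:00:53:63"),  # port without the filter
    ]
    return g, frames

if __name__ == "__main__":
    guard, frames = build_demo()
    for f in frames:
        print(f, guard.check(*f))
```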