IP Source Guard

Question 1

What is IP source guard?

Answer 1

Similar to DAI but applied to all traffic, it ensures that packets sent from an interface must have a source IP that matches the switch’s table.

Question 2

What happens when a host first connects to an ip source guard-enabled port?

Answer 2

All traffic besides DHCP packets are blocked. The switch will then map the received DHCP IP to that interface.

Question 3

How does IP source guard enforce address binding?

Answer 3

With automatically-written VLAN ACLs.

Question 4

What must be enabled for IP source guard to work?

Answer 4

DHCP snooping.

Question 5

IP source guard is enabled at what level?

Answer 5

The interface level.

Question 6

What interface-line command enables IP source guard?

Answer 6

“ip verify”

Question 7

What additional options can be configured with IP source guard, and what do they do?

Answer 7

Port-security, verifies the source MAC address; smartlog, sends the offending frames to a remote server.

Question 8

Can IP source guard entries be added statically?

Answer 8

Yes, with the “ip source binding” command.

Question 9

What can hosts NOT do when IP source guard is enabled?

Answer 9

Static their IP address.