IP Source Guard Flashcards
What is IP source guard?
Similar to DAI but applied to all traffic, it ensures that packets sent from an interface must have a source IP that matches the switch’s table.
What happens when a host first connects to an IP source guard-enabled port?
All traffic besides DHCP packets is blocked. The switch will then map the received DHCP IP to that interface.
How does IP source guard enforce address binding?
With automatically-written VLAN ACLs.
What must be enabled for IP source guard to work?
DHCP snooping.
IP source guard is enabled at what level?
The interface level.
What interface-line command enables IP source guard?
“ip verify”
What additional options can be configured with IP source guard, and what do they do?
Port-security, verifies the source MAC address; smartlog, sends the offending frames to a remote server.
Can IP source guard entries be added statically?
Yes, with the “ip source binding” command.
What can hosts NOT do when IP source guard is enabled?
Statically configure their IP address.
What does IP source guard do?
Makes use of the DHCP snooping database and static IP source binding entries. If enabled, the switch will test addresses
What 2 conditions does IP source guard check for?
Source IP and MAC must match those addresses learned by DHCP snooping or a static entry.
What is step 1 of enabling IP source guard?
Configure and enable DHCP snooping.
If you want IP source guard to detect spoofed MAC addresses, what must you do?
Turn on port security.
How do you configure IP source guard for hosts that don’t use DHCP?
By creating a static IP binding.
When IP Source Guard with source IP filtering is enabled on an interface, which feature must be enabled on the access VLAN for that interface?
DHCP snooping