IP Source Guard Flashcards

1
Q

What is IP source guard?

A

Similar to DAI but applied to all traffic, it ensures that packets sent from an interface must have a source IP that matches the switch’s table.

2
Q

What happens when a host first connects to an IP source guard-enabled port?

A

All traffic besides DHCP packets is blocked. The switch will then map the received DHCP IP to that interface.

3
Q

How does IP source guard enforce address binding?

A

With automatically-written VLAN ACLs.

4
Q

What must be enabled for IP source guard to work?

A

DHCP snooping.

5
Q

IP source guard is enabled at what level?

A

The interface level.

6
Q

What interface-line command enables IP source guard?

A

“ip verify”

7
Q

What additional options can be configured with IP source guard, and what do they do?

A

Port-security: verifies the source MAC address. Smartlog: sends the offending frames to a remote server.

8
Q

Can IP source guard entries be added statically?

A

Yes, with the “ip source binding” command.

9
Q

What can hosts NOT do when IP source guard is enabled?

A

Statically configure their IP address.

10
Q

What does IP source guard do?

A

Makes use of the DHCP snooping database and static IP source binding entries. If enabled, the switch will test addresses

11
Q

What 2 conditions does IP source guard check for?

A

source IP and MAC must match those addresses learned by DHCP snooping or a static entry

12
Q

What is step 1 of enabling IP source guard?

A

configure and enable DHCP snooping

13
Q

If you want IP source guard to detect spoofed MAC addresses, what must you do?

A

turn on port security

14
Q

How do you configure IP source guard for hosts that don’t use DHCP?

A

by creating a static IP binding

15
Q

When IP Source Guard with source IP filtering is enabled on an interface, which feature must be enabled on the access VLAN for that interface?

A

DHCP snooping

16
Q

What configuration command enables *IP Source Guard*?

A

Sw1(config-if)# ip verify source vlan dhcp-snooping

17
Q

What useful show command displays information about *IP Source Guard*?

A

Sw1# show ip verify source

18
Q

What is *IP Source Guard*?

A

IP Source Guard prevents malicious hosts from impersonating a legitimate host. It is used in conjunction with DHCP Snooping and static bindings to determine which port has which IPs.