
IP Source Guard Questions

November 16th, 2019 in SWITCH 300-115

Question 1


IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html
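A minimal IOS configuration for the mechanism described above, added here as an example and not taken from the original page or from Cisco's guide. It assumes a Catalyst access switch where `ip verify source` is the interface-level command (the exact keyword form varies by platform); the VLAN number, interface names, MAC address and IP address are constructed values.

```cisco
! Constructed example: VLAN 10, interface names, MAC and IP are placeholders.
!
! 1. DHCP snooping builds the dynamic binding table (MAC, IP, VLAN, port)
!    that IP Source Guard checks traffic against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. The uplink toward the legitimate DHCP server is marked trusted so that
!    server replies are accepted. IP Source Guard is not configured here.
interface GigabitEthernet1/0/24
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! 3. Untrusted access port with a DHCP client: IP Source Guard is enabled
!    on the interface. IP traffic is dropped unless its source address
!    matches a binding for this port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 4. Host with a fixed address (no DHCP exchange to snoop): a static binding
!    is created in global config, using the syntax quoted on this page.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Verification (privileged EXEC):
!   show ip dhcp snooping binding
!   show ip source binding
!   show ip verify source
```

Enabling `ip verify source` on a port whose host has neither a snooped lease nor a static binding cuts that host off, so check `show ip source binding` for the expected entry before applying it to a live port.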

Question 2

Question 3

Question 4

Question 5

Question 6

  1. James
    August 11th, 2019

    Q2 – Clearly the correct answer is “BPDU Guard”, which will errdisable a portfast port if you connect a switch to it. IP Source Guard only prevents spoofing.

  2. Abdullah
    September 6th, 2019

    “prevent users from connecting unauthorized equipment to a production network”: BPDU Guard will only work on BPDU packets. It should be IP Source Guard; it will be a more trusted method because it will ensure that no fraudulent device will be connected.

  3. Abdullah
    September 6th, 2019

    Q4 Q6 conflict “It should be enabled in globally to all interfaces.”?

  4. Dmytro
    September 12th, 2019

    Q4 is wrong. Right answers are A and B (maybe some other variant), but not C.
    IP Source Guard doesn’t activate globally, only in interface config mode. In (config)# mode you can only create a static IP source binding. From the book “300-115 Official Cert Guide”:

    “For the hosts that do not use DHCP, you can configure a static IP source binding with the following configuration command:
    Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type member/module/number”

  5. @Dmytro
    September 29th, 2019

    Options A and B are contradicting each other

  6. Anonymous
    October 15th, 2019

    Hello all, has anyone taken the exam today? If so, what was in the exam?

  7. supportdonkey
    October 16th, 2019

    Go to “Share your SWITCH v2.0 Experience”

  8. Burìk
    November 1st, 2019

    A is wrong, answer is E.

    BPDU Guard makes it so that when an interface receives a BPDU, that interface goes into err-disable mode, so that you can’t just go to a wall plug and plug in a rogue switch or any other device that will allow you to execute a man-in-the-middle attack. The following command globally activates BPDU Guard on all interfaces with Portfast enabled, so the “campus-wide” requirement is also fulfilled:
    (config)#spanning-tree portfast bpduguard default

  9. Saji
    November 30th, 2019

    Equipment doesn’t necessarily mean a switch.
    BPDU Guard only puts the port into err-disable if it receives a BPDU, not on any bogus DHCP attack, which can come from any Raspberry Pi or small PC.
    So answer A is correct.

  10. Rahul
    December 20th, 2019

    On question 4, you cannot enable it globally if SVI or Layer 3 interfaces are present. It can only be configured on a port with switchport enabled and is applied at the interface level.
