IP Source Guard Questions
Question 1
Explanation
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
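A minimal model of the per-port check described above, as an added example (not from the original page or from Cisco). The `Switch` class, port names and addresses are constructed for illustration, and the two modes stand for source-IP-only and source-IP-plus-MAC filtering.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass
class Switch:
    # port -> "ip" (source IP only) or "ip-mac" (source IP and MAC)
    ipsg_ports: dict = field(default_factory=dict)
    # DHCP-snooped leases and static entries share one binding table
    bindings: set = field(default_factory=set)

    def add_binding(self, mac, ip, vlan, port):
        self.bindings.add(Binding(mac.lower(), ip, vlan, port))

    def permit(self, port, vlan, src_mac, src_ip, is_dhcp=False):
        """True if an ingress IP packet passes the port's source filter."""
        mode = self.ipsg_ports.get(port)
        if mode is None:
            return True   # filtering applies only where it is enabled
        if is_dhcp:
            return True   # DHCP must pass so a new host can get a lease
        return any(
            (b.port, b.vlan, b.ip) == (port, vlan, src_ip)
            and (mode == "ip" or b.mac == src_mac.lower())
            for b in self.bindings
        )

def build_demo_switch():
    """Constructed topology: two filtered access ports, one unfiltered uplink."""
    sw = Switch(ipsg_ports={"Gi1/0/1": "ip", "Gi1/0/2": "ip-mac"})
    sw.add_binding("AA:AA:AA:00:00:01", "10.1.10.50", 10, "Gi1/0/1")  # snooped
    sw.add_binding("AA:AA:AA:00:00:02", "10.1.10.60", 10, "Gi1/0/2")  # static
    return sw

if __name__ == "__main__":
    sw = build_demo_switch()
    # Host on Gi1/0/1 using its own lease, then its neighbour's address
    print(sw.permit("Gi1/0/1", 10, "aa:aa:aa:00:00:01", "10.1.10.50"))
    print(sw.permit("Gi1/0/1", 10, "aa:aa:aa:00:00:01", "10.1.10.60"))
```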
Question 2
Question 3
Question 4
Question 5
Question 6
Q2 – Clearly the correct answer is “BPDU Guard” which will errdisable a portfast port if you connect a switch to it. IP Source guard only prevents spoofing.
Q2
“prevent users from connecting unauthorized equipment to a production network”: BPDU Guard will only work on BPDU packets. It should be IP Source Guard, which will be a more trusted method because it will ensure that no fraudulent device will be connected.
Q4 Q6 conflict: “It should be enabled in globally to all interfaces.”?
Q4 is wrong. Right answers are A and B (maybe some other variant), but not C.
IP Source Guard isn’t activated globally, only in interface config mode. In (config)# mode you can only create a static IP source binding. From the book “300-115 Official Cert Guide”:
“For the hosts that do not use DHCP, you can configure a static IP source binding with the following configuration command:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type member/module/number”
Options A and B are contradicting each other
Hello all, has anyone taken the exam today? If so what was in the exam?
Go to “Share your SWITCH v2.0 Experience”
Q2
A is wrong, answer is E.
BPDU Guard makes it so that when an interface receives a BPDU, that interface goes into err-disable mode, so that you can’t just go to a wall plug and plug in a rogue switch or any other device that will allow you to execute a man-in-the-middle attack. The following command globally activates BPDU Guard on all interfaces with PortFast enabled, so the “campus-wide” requirement is also fulfilled:
(config)# spanning-tree portfast bpduguard default
@Burik,
Equipment doesn’t necessarily mean a switch.
BPDU Guard only puts the port into err-disable if it receives a BPDU, not for any bogus DHCP attack, which can come from any Raspberry Pi or small PC.
So answer A is correct.