Which is the result of enabling IP Source Guard on an untrusted switch port that does not have DHCP snooping enabled?


A.
DHCP requests will be switched in the software, which may result in lengthy response times.

B.
The switch will run out of ACL hardware resources.

C.
All DHCP requests will pass through the switch untested.

D.
The DHCP server reply will be dropped and the client will not be able to obtain an IP address.

Explanation:
IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks, in which a host tries to use the IP address of another host. Any IP traffic coming into the interface with a source IP address other than the one assigned (via DHCP or static configuration) is filtered out on the untrusted Layer 2 ports.
The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table whose entries are learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC address and VLAN number. IP Source Guard is supported on Layer 2 ports only, including access and trunk ports.
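
The pairing described above, as an added configuration sketch that is not part of the original question or explanation. It uses Catalyst-style Cisco IOS syntax; the interface names, VLAN 10, and the MAC and IP addresses are constructed for illustration, and the exact `ip verify source` options vary by platform and software release.

```cisco
! Constructed example: VLAN 10, interface names, MAC and IP are placeholders.
!
! 1. Enable DHCP snooping globally and on the access VLAN so the switch
!    can learn IP/MAC/VLAN/port bindings from DHCP exchanges.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Trust only the port that leads toward the DHCP server.
interface GigabitEthernet1/0/24
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! 3. Untrusted access port: DHCP snooping learns the binding, and
!    IP Source Guard filters ingress IP traffic against it.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 4. Host with a fixed address (no DHCP lease to snoop): add a static
!    IP source binding so its traffic matches an entry.
ip source binding 0000.5e00.5301 vlan 10 192.0.2.10 interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Verification (exec mode):
!   show ip dhcp snooping binding
!   show ip source binding
!   show ip verify source
```

Check `show ip source binding` before applying `ip verify source` to a port; a port with no entry has no permitted source address.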




greenhorn


This is an odd one.
Having Source Guard enabled without DHCP snooping will block legitimate traffic from the port.
Source Guard verifies whether the source IP is assigned to the source port in the DHCP snooping table.
As DHCP snooping is switched off, there is no entry in the table for the port, so no source IP is passed through. But it will not block the DHCP process in any way, as far as the DHCP query is made by the 0.0.0.0 source address.

IMHO answer D is wrong, as Source Guard blocks traffic incoming on a port and the server reply will be outgoing. I think, no matter how ridiculous it sounds, answer C is correct as the only one.
