Refer to the exhibit.

Which two statements about this Layer 3 security configuration example are true? (Choose two.)

A. Static IP source binding can be configured only on a routed port.

B. Source IP and MAC filtering on VLANs 10 and 11 will occur.

C. DHCP snooping will be enabled automatically on the access VLANs.

D. IP Source Guard is enabled.

E. The switch will drop the configured MAC and IP address source bindings and forward all other traffic.

Explanation:
Cisco Catalyst switches can use the IP source guard feature to detect and suppress address
spoofing attacks—even if they occur within the same subnet. IP source guard does this by
making use of the DHCP snooping database, as well as static IP source binding entries. If
DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of
hosts that use DHCP. Packets arriving on a switch port can be tested for one of the following
conditions:
+ The source IP address must be identical to the IP address learned by DHCP snooping or a
static entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this
ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface
where the address is learned.
+ The source MAC address must be identical to the MAC address learned on the switch port
and by DHCP snooping. Port security is used to filter traffic.
For the hosts that don't use DHCP, you can configure a static IP source binding with the
following configuration command:
Switch(config)#ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Here, the host's MAC address is bound to a specific VLAN and IP address, and is expected
to be found on a specific switch interface. Next, enable IP source guard on one or more
switch interfaces with the following configuration commands:
Switch(config)#interface type mod/num
Switch(config-if)#ip verify source [port-security]
The ip verify source command inspects the source IP address only. Add the port-security
keyword to inspect the source MAC address as well.
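The explanation above describes two checks: source IP against the binding table (learned by DHCP snooping or entered statically), and optionally source MAC when the port-security keyword is present. The following Python model is an added illustration, not Cisco code and not part of the original question; it simulates that decision for a small constructed binding table and a handful of constructed packets, so you can see which frames an IP Source Guard port forwards or drops in each mode. Interface names, MAC addresses and IP addresses are made-up sample values, and the packet model is reduced to the fields the check needs.

```python
"""Toy model of Cisco IP Source Guard filtering (constructed example, not Cisco code)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Binding:
    """One entry of the binding table, learned by DHCP snooping or configured statically."""
    mac: str
    vlan: int
    ip: str
    interface: str
    source: str  # "dhcp-snooping" or "static"


@dataclass(frozen=True)
class Packet:
    """The fields of an ingress frame that IP Source Guard looks at (simplified)."""
    interface: str
    vlan: int
    src_mac: str
    src_ip: str
    dhcp: bool = False  # True for DHCP client traffic (DISCOVER/REQUEST)


def static_binding(mac: str, vlan: int, ip: str, interface: str) -> Binding:
    """Mirror of 'ip source binding <mac> vlan <vlan-id> <ip> interface <type mod/num>'."""
    return Binding(mac.lower(), vlan, ip, interface, "static")


# Constructed binding table: one host learned via DHCP snooping on VLAN 10,
# one static host on VLAN 11 (the equivalent of the ip source binding command).
BINDINGS: List[Binding] = [
    Binding("0011.2233.4455", 10, "10.1.10.20", "Gi1/0/1", "dhcp-snooping"),
    static_binding("00AA.BBCC.DD01", 11, "10.1.11.100", "Gi1/0/2"),
]


def verify_source(pkt: Packet, bindings: List[Binding], port_security: bool = False) -> str:
    """Return 'forward' or 'drop' for a frame on an 'ip verify source' port.

    port_security=False models 'ip verify source' (IP check only);
    port_security=True models 'ip verify source port-security' (IP and MAC).
    """
    if pkt.dhcp:
        # DHCP must be allowed through so that snooping can build the binding
        # in the first place; otherwise a new host could never obtain a lease.
        return "forward"
    for b in bindings:
        if b.interface != pkt.interface or b.vlan != pkt.vlan:
            continue  # binding belongs to another port/VLAN
        if b.ip != pkt.src_ip:
            continue  # source IP does not match this binding
        if port_security and b.mac != pkt.src_mac.lower():
            continue  # MAC check requested and the MAC is spoofed
        return "forward"
    return "drop"  # no matching binding on this port: treat as spoofed


def filter_packets(pkts: List[Packet], bindings: List[Binding], port_security: bool = False) -> List[str]:
    """Apply verify_source to a list of frames and return the per-frame verdicts."""
    return [verify_source(p, bindings, port_security) for p in pkts]


# Constructed sample traffic: legitimate hosts, an IP spoof, a MAC spoof,
# and a host that has not yet obtained a DHCP binding.
SAMPLE: List[Packet] = [
    Packet("Gi1/0/1", 10, "0011.2233.4455", "10.1.10.20"),            # legitimate DHCP host
    Packet("Gi1/0/1", 10, "0011.2233.4455", "10.1.10.99"),            # spoofed source IP
    Packet("Gi1/0/1", 10, "dead.beef.0001", "10.1.10.20"),            # correct IP, spoofed MAC
    Packet("Gi1/0/2", 11, "00aa.bbcc.dd01", "10.1.11.100"),           # static-binding host
    Packet("Gi1/0/3", 10, "0000.0000.0003", "10.1.10.30", dhcp=True),  # DHCP before any binding
    Packet("Gi1/0/3", 10, "0000.0000.0003", "10.1.10.30"),            # data before any binding
]

if __name__ == "__main__":
    for mode in (False, True):
        label = "ip verify source port-security" if mode else "ip verify source"
        print(f"--- {label} ---")
        for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE, BINDINGS, mode)):
            print(f"{pkt.interface} vlan {pkt.vlan} {pkt.src_mac} {pkt.src_ip}: {verdict}")
```

The difference between the two runs is the third sample frame: with the plain ip verify source command a frame whose IP matches the binding is forwarded even though its MAC does not, while the port-security keyword additionally requires the MAC to match, which is why the explanation pairs that keyword with port security on the interface.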
Reference:
CCNP BCMSN Official Exam Certification Guide, Fourth Edition, Chapter 15: Securing Switch Access, IP Source Guard, p. 397
