Exam 400-101 Question id=1054 Infrastructure Security

Which of the following must you do before IP source guard can be used on a switch port?

A. Configure static IP bindings on the switch.
B. Enable DHCP snooping on the switch.
C. Enable uRPF on the switch port.
D. Enable IP routing on the switch port.
E. Enable CEF on the switch.

You must configure static IP bindings or enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch before IP source guard can be used on a switch port. To configure a static IP binding, you should issue the ip source binding mac-address vlan vlan-id ip-address interface interface-id command. To enable DHCP snooping, you should issue the ip dhcp snooping command.
IP source guard prevents all IP traffic except for the following packets:
- DHCP packets allowed by DHCP snooping
- Traffic that matches entries in the IP source binding table

The IP source binding table is populated by static bindings or by DHCP snooping. If you enable IP source guard on a switch port but do not configure static IP bindings or DHCP snooping, all IP traffic will be dropped by the switch.

IP source guard mitigates DHCP spoofing attacks. In a DHCP spoofing attack, an attacker installs a rogue DHCP server on the network in an attempt to intercept DHCP requests. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address; hence all traffic is routed through the rogue DHCP server. As a result, a host that has obtained an IP address from a rogue DHCP server could become the victim of a man-in-the-middle attack in which a malicious individual eavesdrops on a network conversation between two hosts. Enabling DHCP snooping with IP source guard helps to mitigate DHCP spoofing attacks.

You do not need to enable unicast Reverse Path Forwarding (uRPF) on the switch port. Like IP source guard, uRPF can mitigate spoofing attacks. uRPF checks the source IP address of a packet to determine whether the packet arrived on the best path back to the source based on routing table information. If the IP address information is spoofed, the uRPF check will fail and the packet will be dropped.

You do not need to enable Cisco Express Forwarding (CEF) on the switch. Unlike uRPF, IP source guard does not rely on CEF to function; CEF must be enabled for uRPF to function.

You should not enable IP routing on the switch port. In fact, enabling routing on a switch port by issuing the no switchport command prevents you from enabling IP source guard on the switch port.
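The following IOS configuration is an added illustration of the prerequisite described above; it is not part of the original question, and the VLAN number, interface names, MAC address and IP address are assumed placeholders.

```cisco
! Added example configuration (not from the original question). Assumes VLAN 10,
! Gi0/1 as the uplink toward the legitimate DHCP server, Gi0/2 as a DHCP client
! access port, and Gi0/3 as an access port for a host with a static address.

! Weak: IP source guard enabled with neither DHCP snooping nor a static binding.
! The IP source binding table is empty, so every IP packet from Gi0/2 is dropped.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip verify source

! Corrected: enable DHCP snooping globally and on the VLAN, trust only the uplink
! that leads to the legitimate DHCP server, then enable IP source guard on the
! access port. Bindings learned from DHCP offers now populate the table.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 description uplink to legitimate DHCP server
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip verify source

! Alternative for a statically addressed host: populate the binding table by hand
! (placeholder MAC and IP) so that host's traffic matches an entry and is forwarded.
ip source binding 0000.1111.2222 vlan 10 192.0.2.50 interface GigabitEthernet0/3
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 ip verify source

! Verification (privileged EXEC): confirm snooping state, the binding table,
! and which ports are filtering on it.
! show ip dhcp snooping
! show ip source binding
! show ip verify source
```

On an untrusted port, IP source guard forwards only DHCP packets permitted by snooping and traffic matching a binding, so the binding table must be populated by one of the two methods before clients on that port can pass traffic.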
