You are configuring IP source guard on a Cisco IOS switch to stop IP spoofing attacks. After you have enabled IP source guard on an interface, the switch blocks all IP traffic received on the interface except specific packets. Which packets are allowed in this situation?routing protocol packetsARP packets allowed by ARP snoopingDHCP packets allowed by DHCP snoopingDNS packets allowed by DNS snooping
Question
You are configuring IP source guard on a Cisco IOS switch to stop IP spoofing attacks. After you have enabled IP source guard on an interface, the switch blocks all IP traffic received on the interface except specific packets. Which packets are allowed in this situation?routing protocol packetsARP packets allowed by ARP snoopingDHCP packets allowed by DHCP snoopingDNS packets allowed by DNS snooping
Solution 1
The packets that are allowed in this situation are DHCP packets allowed by DHCP snooping. IP Source Guard works in conjunction with DHCP Snooping. When a client receives a valid IP address from the DHCP server, a binding table is created that maps the client's IP address to its MAC address and associated VLAN. IP Source Guard then uses this information to filter traffic on untrusted Layer 2 access ports, permitting only packets that match an IP-MAC binding in the DHCP snooping database.
Solution 2
The packets that are allowed in this situation are DHCP packets allowed by DHCP snooping. IP Source Guard works in conjunction with DHCP Snooping. When a client receives a valid IP address from the DHCP server, a binding table is created that maps the client's IP address to its MAC address and associated VLAN. IP Source Guard then uses this information to filter traffic on untrusted Layer 2 access ports, permitting only packets that match an IP-MAC binding in the DHCP snooping database.
Similar Questions
As a security professional, you implement safeguards against attackers changing the source IP of a data packet in order to communicate over your company’s network. What type of network attack are you trying to avoid?1 pointIP spoofingPassive packet sniffingActive packet sniffingPing of Death
Which option describes part of the required or mandatory DHCP snooping configuration task on a Cisco switch?enable dynamic ARP inspectionenable port securityenable DHCP snooping globally on the switch and in all VLANs that require DHCP spoofing protectionconfigure all access ports as untrusted, since, by default, all ports are considered trusted
IP Source Guard (IPSG) protect against
You've captured network traffic using Wireshark and noticed many ARP requests. Which filter will display only ARP packets?
You are planning to implement uRPF as the first line of defense on a Cisco IOS router that connects your company to the internet. Which type of uRPF validates the existence of the source network of the packet in the routing table while providing a method to drop packets from unknown and therefore invalid networks?strict uRPFloose uRPFinvalid uRPFnetwork uRPF
Upgrade your grade with Knowee
Get personalized homework help. Review tough concepts in more detail, or go deeper into your topic by exploring other relevant questions.