The switch drops all traffic from the host with source IP 192.168.1.20 because IP Source Guard leverages the DHCP snooping binding table to enforce strict IP-to-port and MAC-to-port mappings. When the host at GigabitEthernet0/2, with MAC 0050.7966.6801, attempts to spoof the unauthorized IP 192.168.1.20, the switch compares the source IP of each packet against the binding table entry for that port. Since 192.168.1.20 is not bound to that specific port and MAC, the switch immediately drops all traffic from that source IP, effectively preventing IP spoofing attacks. On the Cisco SCOR 350-701 exam, this scenario tests your understanding of how DHCP snooping and IP Source Guard work together as a layered defense against address spoofing in the access layer. A common trap is assuming the host can still send traffic with a different IP if it remains on the same port; remember that IP Source Guard enforces the exact binding, not just the port. A useful memory tip is “One port, one IP, one MAC—anything else gets the sack.”
350-701 Endpoint Protection and Detection Practice Question
This 350-701 practice question tests your understanding of endpoint protection and detection. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip verify source
ip dhcp snooping limit rate 10
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport mode access
ip verify source
ip dhcp snooping limit rate 5
!
ip dhcp snooping vlan 10
!
ip source binding 0050.7966.6801 vlan 10 192.168.1.10 interface GigabitEthernet0/2
Refer to the exhibit. A network administrator configured IP Source Guard and DHCP Snooping on a switch. A host connected to GigabitEthernet0/2 with MAC address 0050.7966.6801 has been assigned IP 192.168.1.10 via DHCP. The host now tries to use IP 192.168.1.20. What will happen?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The switch drops all traffic from the host with source IP 192.168.1.20.
IP Source Guard uses DHCP snooping binding table to enforce IP-to-port mapping. When the host at GigabitEthernet0/2 with MAC 0050.7966.6801 attempts to use IP 192.168.1.20 instead of its DHCP-assigned IP 192.168.1.10, the switch compares the source IP of the packet against the binding table. Since 192.168.1.20 is not bound to that port and MAC, the switch drops all traffic from that host with source IP 192.168.1.20, preventing IP spoofing.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
The switch drops all traffic from the host with source IP 192.168.1.20.
Why this is correct
IP Source Guard filters traffic based on the binding table; unmatched source IPs are dropped.
Related concept
Read the scenario before looking for a memorised answer.
✗
The switch sends an ARP probe to verify the IP is unused, then updates the binding.
Why it's wrong here
IP Source Guard does not perform ARP probes; it drops mismatched traffic.
✗
The switch updates the binding table to allow 192.168.1.20.
Why it's wrong here
The binding table is not dynamic; it requires DHCP or manual entry.
✗
The switch allows the traffic because the host is trusted on that port.
Why it's wrong here
The port is not trusted; trust is only on G0/1. The binding table restricts allowed IPs.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the misconception that IP Source Guard allows traffic from a trusted host or that it dynamically updates bindings via ARP, when in fact it strictly enforces the DHCP snooping binding table and drops any non-matching traffic.
Detailed technical explanation
How to think about this question
IP Source Guard operates by installing a per-port ACL that permits only traffic matching the DHCP snooping binding (source IP and MAC). It leverages the DHCP snooping database, which is populated by monitoring DHCP messages (DISCOVER, OFFER, REQUEST, ACK). In a real-world scenario, if an attacker manually sets a static IP to hijack a legitimate host's address, IP Source Guard blocks the attack at Layer 2, even if the attacker uses the correct MAC address.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the 350-701 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Endpoint Protection and Detection — This question tests Endpoint Protection and Detection — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The switch drops all traffic from the host with source IP 192.168.1.20. — IP Source Guard uses DHCP snooping binding table to enforce IP-to-port mapping. When the host at GigabitEthernet0/2 with MAC 0050.7966.6801 attempts to use IP 192.168.1.20 instead of its DHCP-assigned IP 192.168.1.10, the switch compares the source IP of the packet against the binding table. Since 192.168.1.20 is not bound to that port and MAC, the switch drops all traffic from that host with source IP 192.168.1.20, preventing IP spoofing.
What should I do if I get this 350-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.