Refer to the exhibit. A switch has IP Source Guard (IPSG) and port-security enabled on interface GigabitEthernet0/1. A host with IP 10.1.1.1 and MAC 00:1A:2B:3C:4D:5E is connected and tries to access a web server at 192.168.1.100. What will happen?
Correct: IP source guard checks that the source IP is in the binding table; if valid, traffic passes ACL.
Why this answer
Option D is correct because IP Source Guard (IPSG) on a switch port typically uses DHCP snooping bindings to validate traffic. However, when port-security is also enabled and the host's IP (10.1.1.1) falls within the configured subnet (e.g., 10.0.0.0/8), and the MAC address (00:1A:2B:3C:4D:5E) matches a port-security secure MAC address, the switch can permit the traffic. IPSG does not inherently block all non-DHCP traffic; it can be configured with static bindings or rely on DHCP snooping, but in this scenario, the combination of a valid subnet and port-security allows the traffic.
Exam trap
Cisco often tests the misconception that IPSG always requires DHCP snooping and blocks all non-DHCP traffic, but in reality, IPSG can be configured with port-security to allow traffic from statically assigned hosts within a valid subnet.
How to eliminate wrong answers
Option A is wrong because IPSG does not drop all non-DHCP traffic; it filters based on IP-to-MAC bindings from DHCP snooping or static entries, not the source of the IP assignment.
Option B is wrong because IPSG does not restrict traffic based on the destination IP address; it only validates the source IP and MAC of the host.
Option C is wrong because IPSG does not require a static binding for the host; it can use dynamic DHCP snooping bindings, and in this case, port-security provides an alternative validation mechanism.