Which three statements accurately describe IP source guard?

Study for the JNCIS – Enterprise Routing and Switching Exam. Prepare with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your certification exam!

IP source guard is a security feature designed to prevent IP address spoofing by ensuring that only valid IP and MAC address pairs are allowed to send traffic from a specific port. The first statement accurately describes the function of IP source guard, as it relies on the DHCP snooping database. This database contains bindings of MAC addresses to IP addresses that were dynamically assigned to devices, allowing IP source guard to verify that packets received on an interface match the expected IP and MAC addresses.

When a packet arrives, IP source guard checks its source IP address and corresponding MAC address against the entries in the DHCP snooping database. If they match, the packet is considered valid and is forwarded; if not, it is dropped. This mechanism is vital for protecting the network from unauthorized access and mitigating certain types of attacks, such as man-in-the-middle attacks.

The remaining statements do not accurately reflect the capabilities of IP source guard. For instance, an IP and MAC address pair that is otherwise valid is not always accepted if it is not in the DHCP snooping database. Additionally, IP source guard can be configured on access interfaces (it is not limited to trunk interfaces), making it a versatile security feature across different interface types.
