03-28-2008 08:31 AM - edited 03-05-2019 10:02 PM
We are using non-DHCP (static addressing) in our network environment. I want to avoid ARP spoofing on the switches. But I found at least three approaches related to it:
1. DAI+ARP ACL: ip arp inspection filter ACL vlan IDs
2. IP-MAC binding: arp IP address H.H.H arpa
3. IP-MAC-Port binding: such as
ip source binding H.H.H vlan 100 ip address interface Gi1/x
Is there any difference between these? Thank you.
03-28-2008 10:08 AM
Hello David,
You can also take a look at configuring port security if you want to restrict the hosts connected to the switch based on MAC addresses.
HTH
Padmanabhan
03-28-2008 10:13 AM
Hi David,
1. and 2. go together:
You configure an ARP ACL (static IP-MAC bindings) (2.)
Then you apply it to the ARP inspection process (1.)
3. "ip source binding" is used in IP Source Guard to define IP-MAC bindings.
Cheers,
Istvan
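Putting Istvan's answer into a complete configuration, as an added example that is not from the original thread or from Cisco's documentation: a Catalyst access switch (IOS 12.2 SE syntax assumed) with a static-addressed VLAN 100, where the ARP ACL carries the IP-MAC bindings (2.), DAI consumes it (1.), and IP Source Guard plus port security use the same bindings per port (3.). All addresses, MACs, the VLAN number, and the interface numbers are made up for illustration.

```cisco
! Added example, not the original poster's config. Addresses, MACs, VLAN and
! interface numbers are assumed; adjust them to the real hosts.
!
! --- 2. static IP-MAC bindings, written as an ARP ACL -----------------------
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0011.2233.4455
 permit ip host 192.0.2.11 mac host 0011.2233.4466
! No explicit deny is needed: with the "static" keyword below, any ARP packet
! the ACL does not permit is dropped.
!
! --- 1. Dynamic ARP Inspection on the VLAN, validated against the ARP ACL ---
ip arp inspection vlan 100
! "static" makes the ACL the only source of truth. Without it, an ARP packet
! that the ACL does not match falls through to the DHCP snooping binding
! table, which is empty on a non-DHCP VLAN, and the packet would be dropped
! anyway; "static" just makes that explicit and avoids depending on the table.
ip arp inspection filter STATIC-HOSTS vlan 100 static
! Also require the sender/target MAC in the ARP body to match the Ethernet
! header, and reject bogus sender IPs (0.0.0.0, 255.255.255.255, multicast).
ip arp inspection validate src-mac dst-mac ip
!
! Assumption: on several Catalyst releases DHCP snooping must be enabled for
! IP Source Guard (and the DAI binding lookup) to be active, even when only
! static bindings are used. On a VLAN with no DHCP traffic this is harmless.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! --- 3. IP Source Guard static bindings (mac, vlan, ip, interface) ----------
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4466 vlan 100 192.0.2.11 interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/1
 description static host 192.0.2.10
 switchport mode access
 switchport access vlan 100
 ! Filter IP traffic by source IP *and* source MAC against the binding above.
 ! The "port-security" keyword needs port security enabled on the port.
 ip verify source port-security
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
 ! DAI treats this port as untrusted by default; the default 15 pps ARP rate
 ! limit applies and an ARP flood err-disables the port.
!
interface GigabitEthernet1/0/2
 description static host 192.0.2.11
 switchport mode access
 switchport access vlan 100
 ip verify source port-security
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4466
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 ! Trust the uplink: DAI only inspects ARP arriving on untrusted (host) ports.
 ip arp inspection trust
 ip dhcp snooping trust
!
! Verification (assumed to be run after applying the above):
! show ip arp inspection vlan 100
! show ip arp inspection statistics vlan 100
! show ip source binding
! show ip verify source
! show port-security interface GigabitEthernet1/0/1
```

Two points worth noting when choosing between the three. The global `arp 1.1.1.1 H.H.H ARPA` command from the original question only seeds the switch's own ARP cache; it does not filter ARP frames switched between hosts, which is why it is not on its own a spoofing defence. IP Source Guard, for its part, matches the IP header (and, in `port-security` mode, the Ethernet source MAC) of IP packets against the binding; it does not look inside ARP payloads, so it blocks a host from sending traffic with a stolen IP or MAC but it is DAI that stops the poisoned ARP replies themselves. The two are complementary, and on a static network both consume the same IP-MAC-port facts, so keep one list of bindings and generate both the ARP ACL and the `ip source binding` lines from it.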
03-28-2008 11:34 AM
Hi Istvan,
Thanks for your reply.
Option 1: I got the reference configuration as below,
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host H.H.H
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
For option 2, which I am using now, I just configured it as below, independently:
arp 1.1.1.1 H.H.H ARPA
So I thought 1 and 2 were separate.
Also, does IP Source Guard help with avoiding ARP spoofing, since it binds the MAC address as well?
Thanks.