03-28-2008 08:31 AM - edited 03-05-2019 10:02 PM
We are using non-DHCP in our network environment. I want to avoid ARP spoofing on the switches. But I found at least three approaches related to it:
1. DAI+ARP ACL: ip arp inspection filter ACL vlan IDs
2. IP-MAC binding: arp IP address H.H.H arpa
3. IP-MAC-Port binding: such as
ip source binding H.H.H vlan 100 ip address interface Gi1/x
Is there any difference on these? Thank you.
03-28-2008 10:08 AM
Hello David,
You can also take a look at configuring port security if you want to restrict hosts connected to the switch based on MAC addresses.
HTH
Padmanabhan
03-28-2008 10:13 AM
Hi David,
1 and 2. are together:
You configure an ARP ACL (static IP-MAC bindings)(2.)
Then you apply it to the arp inspection process (1.)
3. "ip source binding" is used in IP Source Guard to define IP-MAC bindings.
Cheers:
Istvan
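The relationship Istvan describes, written out as one Catalyst IOS configuration. This is an added example, not configuration from anyone in this thread: the ARP ACL entries are applied to Dynamic ARP Inspection for the VLAN, and the `ip source binding` entries feed IP Source Guard on the access ports. The addresses, MAC addresses, VLAN number and interface names are placeholders, and the exact `ip verify source` keywords vary by platform and release.

```cisco
! Added example (not from the original thread). Addresses, MACs, VLAN and
! interface names are placeholders; adjust to the real hosts.
!
! --- Options 1 and 2 as one mechanism: the static ARP ACL is what DAI checks ---
arp access-list HOST-BINDINGS
 permit ip host 192.0.2.10 mac host 0011.2233.4455
 permit ip host 192.0.2.11 mac host 0011.2233.4466
!
! Apply the ACL to DAI for the VLAN. The "static" keyword makes the ACL the only
! source of truth: ARP packets matching no entry are dropped instead of being
! checked against the DHCP snooping binding table (empty in a non-DHCP network).
ip arp inspection filter HOST-BINDINGS vlan 100 static
ip arp inspection vlan 100
! Optional: also check that the ARP body is consistent with the Ethernet header
ip arp inspection validate src-mac dst-mac ip
!
! --- Option 3: IP Source Guard filters IP traffic (not ARP) per port ---
! IPSG consults the DHCP snooping binding table, so snooping is enabled even
! though no DHCP server exists; the static bindings populate that table.
ip dhcp snooping
ip dhcp snooping vlan 100
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4466 vlan 100 192.0.2.11 interface GigabitEthernet1/0/2
!
! Uplink toward the rest of the network: neither ARP nor DHCP is inspected here
interface GigabitEthernet1/0/48
 description UPLINK
 ip arp inspection trust
 ip dhcp snooping trust
!
! Access port for the first host. "port-security" makes IPSG check the source
! MAC as well as the source IP (newer releases use "ip verify source mac-check").
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ip verify source port-security
!
! Verification after applying:
!   show ip arp inspection vlan 100
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 100
!   show ip source binding
!   show ip verify source
```

DAI stops spoofed ARP replies on untrusted ports; IP Source Guard stops a host sending IP packets with someone else's address from its port. The two are complementary, which is why a non-DHCP deployment usually needs both the ARP ACL bindings and the `ip source binding` entries for the same hosts.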
03-28-2008 11:34 AM
Hi Istvan,
Thanks for your reply.
option 1: I got the reference configuration as below,
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host H.H.H
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
For option 2 which I am using now, I just configured as below independently,
arp 1.1.1.1 H.H.H ARPA
So I thought 1 and 2 are separate.
Also, does IP Source Guard help avoid ARP spoofing, since it binds the MAC address as well?
Thanks.