04-22-2009 01:35 PM - edited 03-06-2019 05:19 AM
All,
Say I have a core switch at 192.168.100.5, and I have a user add another switch on the network at their desk that's also addressed at 192.168.100.5. Is the best way to handle the situation by using Dynamic ARP Inspection to shut down the port, or is DHCP snooping the best way?
We want to avoid having someone bring our core down. :)
Thanks,
John
04-22-2009 03:35 PM
You implement DAI along with ip arp inspection filter (http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_arp.html#wp1012267) for static IP assignment, and DAI with DHCP snooping for dynamic IP assignment.
More reading material
__
Edison.
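The setup described in the answer above, as an added configuration example that is not part of the original thread. It is written for an access-layer Catalyst switch; VLAN 100, the interface numbers, the ACL name STATIC-HOSTS and the static host's IP/MAC pair are assumptions made for illustration.

```cisco
! Constructed example: VLAN, interfaces, ACL name and the static
! host's IP/MAC pair are assumptions, not values from the thread.
!
! Dynamic hosts: DHCP snooping builds the IP-to-MAC binding table
! that DAI checks ARP packets against.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Static hosts: an ARP ACL lists the IP/MAC pairs that will never
! have a DHCP snooping binding.
arp access-list STATIC-HOSTS
 permit ip host 192.168.100.20 mac host 0000.5e00.5314
!
! Enable DAI on the VLAN. The ARP ACL is consulted first, then the
! DHCP snooping binding table.
ip arp inspection vlan 100
ip arp inspection filter STATIC-HOSTS vlan 100
!
! Uplink toward the core (192.168.100.5) and the DHCP server: trusted,
! so ARP and DHCP replies arriving here are not inspected.
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing port: untrusted by default. An ARP packet claiming
! 192.168.100.5 here matches neither the ACL nor a binding, so it is
! dropped and logged. The port itself only goes err-disabled if the
! ARP rate limit is exceeded.
interface GigabitEthernet1/0/10
 ip arp inspection limit rate 15
!
! Verification commands:
!  show ip arp inspection vlan 100
!  show ip arp inspection statistics vlan 100
!  show ip dhcp snooping binding
```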
04-22-2009 03:58 PM
Hi John
Both dynamic ARP inspection and IP source guard utilize DHCP snooping. In short, use dynamic ARP inspection to prevent users from changing their MAC addresses and use IP source guard to prevent illegal IP addresses from being used.
Basically, ARP inspection protects at layer 2 and IP source guard at layer 3.
Check the following link;