Solved: DAI and static addresses

John Blakley · ‎04-22-2009

All,

Say I have a core switch at 192.168.100.5, and I have a user add another switch on the network at their desk that's also addressed at 192.168.100.5. Is the best way to handle the situation by using dynamic arp inspection to shut down the port, or is dhcp snooping the best way?

We want to avoid having someone bring our core down. :)

Thanks,

John

HTH, John *** Please rate all useful posts ***

Edison Ortiz · ‎04-22-2009

You implement DAI along with ip arp inspection filter http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_arp.html#wp1012267 for static IP assignment

and DAI with DHCP snooping for dynamic IP assignment.

More reading material

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html#wpmkr1047165

__

Edison.

View solution in original post

Edison Ortiz · ‎04-22-2009

You implement DAI along with ip arp inspection filter http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_arp.html#wp1012267 for static IP assignment

and DAI with DHCP snooping for dynamic IP assignment.

More reading material

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html#wpmkr1047165

__

Edison.

dclark · ‎04-22-2009

Hi John

Both dynamic arp inspection and ip source guard utilize dhcp snooping, In short,use dynamic arp inspection to prevent users from changing their mac-addreses and use ip source guard to prevent illegal IP addresses from being used.

Basically arp inspection protects at layer 2 and ip source guard at layer 3.

Check the following link;

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swdhcp82.html