IP source guard vs Dynamic Arp inspection

Unanswered Question
Apr 6th, 2010

Hi All,

I was looking at Dynamic Arp Inspection and IP source guard.

Is there an advantage to one vs the other? They have different functions, but they seem to accomplish the same end result...

Would one typically implement these together?

I've read a bit on both of them, but just curious what best practice would be, if there is one.

Thanks in advance.

Ganesh Hariharan Tue, 04/06/2010 - 22:11

Hi,

Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection determines the validity of packets by checking the IP-to-MAC address binding against a trusted database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination.

Whereas the IP source guard feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

rtjensen4 Wed, 04/07/2010 - 04:46

Thanks for the additional info Ganesh...

I already knew that IP source guard was enabled on an untrusted port, and so is DAI, and they both rely on the DHCP snooping information. Is source guard considered more secure? Would I want to use both of them? How does source guard work when a port has a voice VLAN? A separate VACL? Thanks.

Ganesh Hariharan Thu, 04/08/2010 - 02:00

Hi,

Following are the IP source guard prerequisites and guidelines in switches:

• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.

• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.

Check out the below link for your query on IP source guard with VACL and voice VLAN.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ipsrcgrd.html#wp1097284

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
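As an added example (not part of this thread or of Cisco's documentation), here is a Catalyst IOS configuration that deploys DHCP snooping, DAI and IP source guard together the way the two replies describe: a trusted uplink, an untrusted access port carrying a data and a voice VLAN, and a static binding for a host that does not use DHCP. Interface names, VLAN IDs, addresses and MACs are constructed, and the syntax follows Catalyst 3750-style IOS rather than the 6500 guide linked above.

```cisco
! Global: DHCP snooping builds the binding table that both DAI and IPSG consult.
! Enable it on the data VLAN *and* the voice VLAN; a phone on a VLAN without
! snooping gets no binding, so IPSG would drop its traffic once the lease is up.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping database flash:dhcp-snoop.db
!
! DAI validates ARP on the same VLANs; the extra checks also reject packets
! whose Ethernet header disagrees with the addresses inside the ARP body.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! A host with a static address never appears via DHCP, so give it a static
! IPSG binding and an ARP ACL for DAI (constructed MAC/IP, port Gi1/0/3 not shown).
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/3
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
exit
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink toward the DHCP server and the rest of the network: trusted for both
! features, otherwise DHCP OFFERs and legitimate ARP replies are dropped.
interface GigabitEthernet1/0/1
 description uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port with an IP phone and a PC behind it. Untrusted by default;
! the rate limits keep one misbehaving host from swamping the inspection process.
interface GigabitEthernet1/0/2
 description user port, data VLAN 10, voice VLAN 20
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! Verification: expect bindings for the PC (VLAN 10) and the phone (VLAN 20),
! IPSG active on the port, and DAI drop counters to review when alerts fire.
! show ip dhcp snooping binding
! show ip verify source interface GigabitEthernet1/0/2
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
```

If `show ip verify source` reports the port as active but with no permitted address, the host has not obtained a lease since IPSG was enabled, which is the disruption the second reply warns about.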
