04-06-2010 12:24 PM - edited 03-06-2019 10:29 AM
Hi All,
I was looking at Dynamic Arp Inspection and IP source guard.
Is there an advantage to one vs the other? They have different functions, but they seem to accomplish the same end result...
Would one typically implement these together?
I've read a bit on both of them, but just curious what best practice would be, if there is one.
Thanks in advance.
04-06-2010 10:11 PM
Hi,
Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection determines the validity of packets by checking each ARP packet against the IP-to-MAC address bindings stored in a trusted database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination.
The IP source guard feature, on the other hand, is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
04-07-2010 04:46 AM
Thanks for the additional info Ganesh...
I already knew that IP source guard was enabled on an untrusted port, and so is DAI, and they both rely on the DHCP Snooping information. Is source guard considered more secure? Would I want to use both of them? How does source guard work when a port has a voice VLAN? A separate VACL? Thanks.
04-08-2010 02:00 AM
Hi,
Following are the IP source guard prerequisites and guidelines in switches:
• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.
• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
Check out the link below for your queries about IP source guard with VACLs and voice VLANs.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
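As an added example that is not part of Ganesh's replies or of Cisco's documentation, the Catalyst IOS configuration below shows how the two features from the original question are normally deployed together on top of DHCP snooping, and includes the static IP source binding that the prerequisites above call for when a host on a guarded port does not use DHCP. The VLAN numbers, interface names, MAC address and IP address are constructed placeholders and should be replaced with your own values.

```cisco
! Added example configuration (not from the thread). VLANs, interfaces,
! MAC and IP addresses are constructed placeholders.
!
! 1. DHCP snooping builds the binding table that both features consult.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Drop the relay-agent option unless an upstream relay expects it.
no ip dhcp snooping information option
!
! 2. DAI checks every ARP packet on untrusted ports in these VLANs
!    against the snooping bindings (guards the ARP plane).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! 3. Uplink toward the DHCP server and the rest of the network is
!    trusted for both snooping and DAI, so server offers and ARP from
!    the distribution layer are not filtered.
interface GigabitEthernet1/0/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. User port with data VLAN 10 and voice VLAN 20. It stays untrusted;
!    IP source guard filters IP packets by source address learned from
!    the snooping table (guards the IP data plane), and the DAI rate
!    limit caps ARP on the port.
interface GigabitEthernet1/0/10
 description user access port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip verify source
 ip arp inspection limit rate 15
!
! 5. A host with a statically assigned address never appears in the
!    snooping table, so give it a static binding or its IP traffic is
!    dropped once 'ip verify source' is applied to its port.
interface GigabitEthernet1/0/11
 description printer with static IP
 switchport mode access
 switchport access vlan 10
 ip verify source
!
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet1/0/11
```

The point of running both is that they protect different planes: DAI decides whether an ARP packet may be forwarded, while IP source guard decides whether an IP packet's source address is one the port is entitled to use, so neither replaces the other. After applying the configuration, `show ip dhcp snooping binding` confirms that hosts have been learned, `show ip verify source` shows the per-port filter state (a port listed as deny-all has no binding yet, which is the disruption the prerequisites mention), and `show ip arp inspection statistics` shows ARP packets dropped by DAI.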