Hi everyone, I'm studying static "ip source guard" and "arp inspection". I want to know at which layer "ip source guard" and "arp inspection" should be used: the access layer or the distribution layer?
I found that "ip source guard" is actually an ACL applied to a port; it binds "IP MAC VLANID PORTID..." together, so I think it should be used as close as possible to the PC or server, and the access layer is best. Can this technique be used in the distribution layer? If it is used in the distribution layer, more binding entries have to be made, so what should I do?
The same question applies to "arp inspection": does every switch in the LAN use this technique? If so, that's a lot of work for the engineer!
Our LAN uses static IP addresses, so DHCP is not used; I must use the "static" function.
>> But if a user assigns a static IP address manually, what should I do?
If you don't want to let the user do this, simply don't trust the user port and it will be denied access to the network.
(may be combined with IP source guard and DAI)
When the user calls complaining that the network is not working, you will check whether his/her PC is using DHCP or not.
It depends on your company policy; you can enforce this.
If you want to add a static entry for a server that is not using DHCP, you can do the following:
or you trust the port where the server is connected
or you add a manual entry like
For DHCP snooping, to build a static entry in the DHCP snooping table you actually need the following:
ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
Hope this helps.
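
For the static-IP LAN described in the question, the per-host entries can be generated from an address inventory instead of being typed by hand. This is an added example, not part of the original thread: a Python script that emits Cisco IOS `ip source binding` lines for IP source guard and ARP ACL entries for ARP inspection. The inventory rows, the ACL name STATIC-HOSTS, VLAN 10 and the interface names are constructed assumptions.

```python
import csv
import io
import ipaddress
import re

# Constructed inventory (hypothetical hosts, VLAN and ports); the last row has a bad IP.
SAMPLE_INVENTORY = """mac,ip,vlan,interface
00:11:22:33:44:55,192.0.2.10,10,GigabitEthernet1/0/1
00-11-22-33-44-66,192.0.2.11,10,GigabitEthernet1/0/2
0011.2233.4477,192.0.2.300,10,GigabitEthernet1/0/3
"""

def cisco_mac(mac):
    """Normalize a MAC in any common notation to Cisco dotted form (xxxx.xxxx.xxxx)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_config(inventory_text, acl_name="STATIC-HOSTS"):
    """Return (config_lines, rejected_rows) for one access switch; acl_name is hypothetical."""
    bindings, acl_entries, vlans, rejected = [], [], set(), []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        try:
            mac = cisco_mac(row["mac"])
            ip = ipaddress.IPv4Address(row["ip"])
            vlan = int(row["vlan"])
            if not 1 <= vlan <= 4094:
                raise ValueError(f"bad VLAN: {vlan}")
        except ValueError as exc:
            rejected.append((row, str(exc)))  # never emit a binding for a bad row
            continue
        vlans.add(vlan)
        # IP source guard: static binding of MAC + VLAN + IP + port.
        bindings.append(f"ip source binding {mac} vlan {vlan} {ip} interface {row['interface']}")
        # ARP inspection without DHCP: ARP ACL entry pairing sender IP and MAC.
        acl_entries.append(f" permit ip host {ip} mac host {mac}")
    if not vlans:
        return [], rejected
    vlan_list = ",".join(str(v) for v in sorted(vlans))
    config = bindings + [f"arp access-list {acl_name}"] + acl_entries
    config += [f"ip arp inspection filter {acl_name} vlan {vlan_list}",
               f"ip arp inspection vlan {vlan_list}"]
    return config, rejected

if __name__ == "__main__":
    lines, bad = build_config(SAMPLE_INVENTORY)
    print("\n".join(lines))
    for row, reason in bad:
        print(f"! skipped {row['mac']}: {reason}")
```

Rejected rows are reported rather than silently dropped, so a typo in the inventory shows up before a host loses connectivity.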