GroupStudy.com - A virtual community of network engineers
RE: Dynamic ARP inspection versus IP source guard posted 12/17/2007


Very nice answer Jay. Well done.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Swan, Jay
Sent: Monday, December 17, 2007 4:34 PM
To: wim.depauw@xxxxxxxxxxxxx; ccielab@xxxxxxxxxxxxxx
Subject: RE: Dynamic ARP inspection versus IP source guard

They aren't quite the same.

IPSG: Makes sure you are sending IP packets from the MAC address that
the DHCP server (or IPSG binding DB) gave you.

DAI: Makes sure you don't send gratuitous ARP replies (which aren't IP
packets, remember) for an IP address that's not yours.

Other methods of preventing spoofing include ACLs and applying uRPF on
your edge L3 interfaces. The problem with these approaches is that they
don't prevent gratuitous ARP attacks and they don't prevent a device
from spoofing a different IP on its own subnet.

Jay
#17783

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
wim.depauw@xxxxxxxxxxxxx
Sent: Monday, December 17, 2007 12:55 PM
To: ccielab@xxxxxxxxxxxxxx
Subject: Dynamic ARP inspection versus IP source guard

Hi,

I'm doing some tests with the above features but I'm a little bit
confused.
To my understanding:

IP source guard will make sure that your relationship mac-address - IP
address is correct. This is checked either in dhcp database or via ip
source binding command. Also it is configured under an interface with
the command ip verify source

Dynamic arp inspection will make sure that you don't have a man in the
middle attack so it will also check the IP address - mac address
relationship.
This is configured globally per vlan and possibly also with static ARP
ACL for non-dhcp environments.

So in the end they do the same thing but in a different way. Am I
correct or am I missing something?
What about the lab? Go see the proctor?

Personally I would choose the dynamic arp inspection because you can
configure it globally ....


gr
wim

_______________________________________________________________________
Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html
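
Added example, not part of the original posts: a small Python model of the distinction drawn in the thread, showing which frame type each feature inspects and why uRPF alone misses same-subnet spoofing. The bindings, addresses, port names and frames are constructed; the model assumes untrusted access ports, IPSG filtering on both IP and MAC, an ARP sender MAC equal to the Ethernet source MAC, and uRPF reduced to a subnet check.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IPV4, ARP = 0x0800, 0x0806
SUBNET = ip_network("10.0.10.0/24")  # constructed VLAN 10 subnet
# Constructed DHCP snooping bindings: (vlan, port) -> (mac, ip)
BINDINGS = {
    (10, "Fa0/1"): ("00:11:22:33:44:01", "10.0.10.11"),
    (10, "Fa0/2"): ("00:11:22:33:44:02", "10.0.10.12"),
}

@dataclass
class Frame:
    port: str
    src_mac: str
    ethertype: int
    src_ip: str = ""         # IPv4 header source (IPv4 frames only)
    arp_sender_ip: str = ""  # sender IP in the ARP payload (ARP frames only)
    vlan: int = 10

def ipsg_permits(f):
    # IP source guard: only IPv4 frames are checked; ARP is not IP.
    if f.ethertype != IPV4:
        return True
    return BINDINGS.get((f.vlan, f.port)) == (f.src_mac, f.src_ip)

def dai_permits(f):
    # Dynamic ARP inspection: only ARP is checked, against the same bindings.
    if f.ethertype != ARP:
        return True
    return BINDINGS.get((f.vlan, f.port)) == (f.src_mac, f.arp_sender_ip)

def urpf_permits(f):
    # Simplified uRPF at the L3 edge: source must belong to the ingress subnet.
    if f.ethertype != IPV4:
        return True
    return ip_address(f.src_ip) in SUBNET

def verdicts(f):
    return {"ipsg": ipsg_permits(f), "dai": dai_permits(f), "urpf": urpf_permits(f)}

# Constructed frames, all sent by the host on Fa0/2.
HOST = ("Fa0/2", "00:11:22:33:44:02")
legit_ip = Frame(*HOST, IPV4, src_ip="10.0.10.12")
spoofed_ip = Frame(*HOST, IPV4, src_ip="10.0.10.11")       # neighbour's address
legit_arp = Frame(*HOST, ARP, arp_sender_ip="10.0.10.12")
forged_arp = Frame(*HOST, ARP, arp_sender_ip="10.0.10.1")  # claims the gateway IP

if __name__ == "__main__":
    for name in ("legit_ip", "spoofed_ip", "legit_arp", "forged_arp"):
        print(f"{name:11}", verdicts(globals()[name]))
```

Only IPSG rejects the IP packet with a neighbour's source address, and only DAI rejects the ARP frame with a sender IP the port does not hold, which is why the two features are usually enabled together.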
