Hi all, I just came across this question.

How do we prevent ARP spoofing on switches without using DAI? My solution is as follows:

Solution 1
==========

Configure IP Source Guard with port security. With this, only ARP packets with a valid source IP and MAC address will be forwarded across the switch, and hence no one can spoof the IP address with another MAC address.

Solution 2
==========

Here I am dropping all the ARP traffic across VLAN 3, where I am suspecting a spoofing attack.

    mac access-list extended arp
     permit any any 0x806 0x0
    !
    ! sequence 10 drops frames matching the ARP ethertype;
    ! sequence 20 has no match clause, so it forwards all remaining traffic
    vlan access-map arp 10
     action drop
     match mac address arp
    vlan access-map arp 20
     action forward
    !
    vlan filter arp vlan-list 3

Since the ARP is being dropped, the MAC addresses of the remote hosts should be statically configured on each host. On the router, we can add the ARP entry statically with the following command:

    router(config)#arp 10.20.30.42 3.3.3 arpa

Also the switch needs to know where to forward the MAC address:

    sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2

If you have any other solutions, please do share it.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
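Both solutions in the post come down to one trusted IP-to-MAC table: IP Source Guard with port security enforces it per port, and the static ARP and MAC entries hard-code it. The following Python script is an added example, not code from Kings' post or from Cisco: it parses raw Ethernet/ARP frames and audits each one against such a table, flagging a sender IP claimed by a MAC other than its trusted binding and an ARP sender MAC that differs from the Ethernet source. The gateway and second host MACs are constructed, and the post's `3.3.3` is read in its expanded form `0003.0003.0003`; the frames are constructed inline rather than captured.

```python
"""Audit ARP frames against a trusted IP-to-MAC binding table (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Hypothetical trusted bindings for VLAN 3. 10.20.30.42 / 0003.0003.0003 comes
# from the post's static entries; the other two rows are constructed.
TRUSTED_BINDINGS: Dict[str, str] = {
    "10.20.30.1": "00:00:0c:07:ac:03",   # gateway (constructed)
    "10.20.30.42": "00:03:00:03:00:03",  # post's "3.3.3" host
    "10.20.30.50": "00:50:56:aa:bb:cc",  # another host (constructed)
}


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))

def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def _ip_bytes(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_frame(eth_src: str, eth_dst: str, opcode: int, sender_mac: str,
                    sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a 42-byte Ethernet II + ARP (Ethernet/IPv4) frame for the sample set."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Return the parsed ARP frame, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(_mac_str(eth_src), _mac_str(eth_dst), op,
                    _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def validate_arp(arp: ArpFrame, bindings: Dict[str, str]) -> List[str]:
    """Apply the binding check that IP Source Guard / static ARP would enforce."""
    findings = []
    if arp.sender_mac != arp.eth_src:
        findings.append(f"ARP sender MAC {arp.sender_mac} differs from Ethernet source {arp.eth_src}")
    expected = bindings.get(arp.sender_ip)
    if expected is None:
        findings.append(f"sender IP {arp.sender_ip} has no trusted binding")
    elif expected != arp.sender_mac:
        findings.append(f"sender IP {arp.sender_ip} claimed by {arp.sender_mac}, trusted binding is {expected}")
    return findings


def audit_frames(frames: List[bytes], bindings: Dict[str, str]) -> Dict[int, List[str]]:
    """Return {frame_index: findings} for every ARP frame that violates the bindings."""
    results: Dict[int, List[str]] = {}
    for i, raw in enumerate(frames):
        arp = parse_arp_frame(raw)
        if arp is None:
            continue  # non-ARP or malformed frames are outside the ARP policy
        findings = validate_arp(arp, bindings)
        if findings:
            results[i] = findings
    return results


# Constructed sample frames: one legitimate reply, one spoofed gateway claim,
# one Ethernet/ARP sender mismatch, and one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_frame("00:03:00:03:00:03", "00:50:56:aa:bb:cc", ARP_REPLY,
                    "00:03:00:03:00:03", "10.20.30.42", "00:50:56:aa:bb:cc", "10.20.30.50"),
    build_arp_frame("00:50:56:aa:bb:cc", "ff:ff:ff:ff:ff:ff", ARP_REPLY,
                    "00:50:56:aa:bb:cc", "10.20.30.1", "00:00:00:00:00:00", "10.20.30.42"),
    build_arp_frame("00:50:56:aa:bb:cc", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                    "00:03:00:03:00:03", "10.20.30.42", "00:00:00:00:00:00", "10.20.30.1"),
    b"\x00" * 60,
]

if __name__ == "__main__":
    for idx, findings in audit_frames(SAMPLE_FRAMES, TRUSTED_BINDINGS).items():
        print(f"frame {idx}: " + "; ".join(findings))
```

Frame 1 is the case both solutions in the post aim at: a host MAC answering for the gateway IP. Frame 2 shows why the check also compares the ARP sender MAC with the Ethernet source; the binding itself is valid, but the frame did not come from that MAC. Anything that is not Ethernet/IPv4 ARP is skipped, which matches how a VACL keyed on ethertype 0x806 scopes its policy.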
