What does ARP inspection check for valid IP to MAC bindings?  What options
are available?

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Thursday, March 03, 2011 11:14 AM
To: Tyson Scott
Cc: Serious CCIE; [email protected]
Subject: Re: [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)

 

Hi Tyson

DHCP snooping uses the binding table and checks whether the source MAC address
and client hardware address match; otherwise the DHCP packet is dropped.

DAI checks for the valid IP-to-MAC in the ARP packet.

Would they do the same?


With regards
Kings

On Thu, Mar 3, 2011 at 8:46 PM, Tyson Scott <[email protected]> wrote:

I will turn the question back, what happens when you test it?

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected]
[mailto:[email protected]] On Behalf Of Serious CCIE
Sent: Thursday, March 03, 2011 8:43 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)

 

Hi,

Will these do the same job? Option#2 will save some time in typing as it
applies to the whole VLAN/port, while option#2 is for a specific port.

What are your thoughts?

Option#1
!
ip dhcp snooping binding aaa.aaa.aaa vlan 10 11.11.11.11 interface 48
ip arp inspection vlan 10
!

-----------Vs---------------

option#2
!
arp access-list ARP_ACL
 permit ip host 11.11.11.11 mac host aaa.aaa.aaa
!
ip arp inspection filter ARP_ACL vlan 10 
ip arp inspection vlan 10


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
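
Added example, not part of the thread and not Cisco's code: a small Python model of how DAI would treat an ARP packet on an untrusted port under option#1 and option#2. It assumes the documented IOS order (ARP ACL first, then the DHCP snooping binding table unless the filter is applied with `static`) and, as a modelling assumption, that a binding is matched on its VLAN and interface as well as IP and MAC; `dai_verdict`, `compare` and the sample packets are hypothetical names and constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str          # ingress (untrusted) port
    sender_ip: str
    sender_mac: str

# Values copied from the two options in the post.
BINDINGS = {(10, "11.11.11.11"): ("aaa.aaa.aaa", "48")}   # option#1
ARP_ACL = [("permit", "11.11.11.11", "aaa.aaa.aaa")]      # option#2

def dai_verdict(pkt, acl=None, acl_static=False, bindings=None):
    """Model of the DAI decision for one ARP packet on an untrusted port."""
    for action, ip, mac in acl or []:
        if (ip, mac) == (pkt.sender_ip, pkt.sender_mac):
            return ("forward" if action == "permit" else "drop", "acl " + action)
    if acl is not None and acl_static:
        return ("drop", "acl implicit deny")   # 'static': never consult bindings
    entry = (bindings or {}).get((pkt.vlan, pkt.sender_ip))
    if entry is None:
        return ("drop", "no binding")
    mac, port = entry
    if mac != pkt.sender_mac:
        return ("drop", "mac mismatch")
    if port != pkt.port:                        # assumption: port is matched too
        return ("drop", "wrong port")
    return ("forward", "binding")

def compare(pkt):
    """Verdicts under option#1 (static binding) and option#2 (ARP ACL only)."""
    return dai_verdict(pkt, bindings=BINDINGS), dai_verdict(pkt, acl=ARP_ACL)

# Constructed sample packets; port "47" and MAC bbb.bbb.bbb are made up.
SAMPLES = {
    "host on its port": Arp(10, "48", "11.11.11.11", "aaa.aaa.aaa"),
    "same pair, other port": Arp(10, "47", "11.11.11.11", "aaa.aaa.aaa"),
    "wrong MAC": Arp(10, "48", "11.11.11.11", "bbb.bbb.bbb"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, compare(pkt))
```

In this model the two options agree except when the same IP/MAC pair arrives on a different port, which the port-bound binding drops and the VLAN-wide ACL forwards. Passing `acl_static=True` models the `static` keyword on `ip arp inspection filter`, which stops hosts with only a DHCP-learned binding from falling through to the binding table.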

 
