Yes Tyson, it checks for valid IP to MAC bindings, comparing with the DHCP snooping binding table.

With regards
Kings

On Thu, Mar 3, 2011 at 9:46 PM, Tyson Scott <[email protected]> wrote:

> What does ARP inspection check for valid IP to MAC bindings? What options
> are available?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Thursday, March 03, 2011 11:14 AM
> *To:* Tyson Scott
> *Cc:* Serious CCIE; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)
>
> Hi Tyson
>
> DHCP snooping uses the binding table and checks whether the source MAC
> address and client hardware address match; otherwise the DHCP packet is
> dropped.
>
> DAI checks for the valid IP-to-MAC in the ARP packet.
>
> Would they do the same?
>
> With regards
> Kings
>
> On Thu, Mar 3, 2011 at 8:46 PM, Tyson Scott <[email protected]> wrote:
>
> I will turn the question back, what happens when you test it?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Serious CCIE
> *Sent:* Thursday, March 03, 2011 8:43 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)
>
> Hi,
>
> Will these do the same job? Option#2 will save some time in typing as it
> applies to the whole vlan/port while option#2 is for a specific port.
>
> What are your thoughts?
>
> Option#1
> !
> ip dhcp snooping binding aaa.aaa.aaa vlan 10 11.11.11.11 interface 48
> ip arp inspection vlan 10
> !
>
> -----------Vs---------------
>
> option#2
> !
> arp access-list ARP_ACL
> permit ip host 11.11.11.11 mac host aaa.aaa.aaa
> !
> ip arp inspection filter ARP_ACL vlan 10
> ip arp inspection vlan 10
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
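Added example (not part of the original thread and not Cisco code): a simplified Python model of the order in which DAI evaluates an ARP packet on an untrusted port, applied to the two options quoted above. It assumes the documented IOS behaviour that an ARP ACL is consulted before the DHCP snooping binding table and that the `static` keyword on `ip arp inspection filter` removes the fallback to that table; the port names and the second and third MAC/IP values are constructed.

```python
# Simplified model of the Dynamic ARP Inspection (DAI) decision on one ARP packet.
# Compares sender IP/MAC per VLAN only; rate limiting, "ip arp inspection validate"
# checks and logging are left out.

def dai_verdict(arp, dai_vlans, trusted_ports=(), acl=None, acl_static=False, bindings=()):
    """Return "forward" or "drop".

    arp      -- dict with vlan, port, sender_ip, sender_mac
    acl      -- ordered (action, ip, mac) entries of the ARP ACL applied to the VLAN
    bindings -- (mac, vlan, ip) rows of the DHCP snooping binding table
    """
    if arp["vlan"] not in dai_vlans or arp["port"] in trusted_ports:
        return "forward"                       # not inspected at all
    pair = (arp["sender_ip"], arp["sender_mac"])
    if acl is not None:
        for action, ip, mac in acl:            # first matching entry wins
            if (ip, mac) == pair:
                return "forward" if action == "permit" else "drop"
        if acl_static:                         # "static": implicit deny, no fallback
            return "drop"
    # No ACL, or no ACL entry matched: consult the DHCP snooping bindings.
    row = (arp["sender_mac"], arp["vlan"], arp["sender_ip"])
    return "forward" if row in bindings else "drop"

# Constructed sample data reusing the values from the thread (port names are made up).
HOST = {"vlan": 10, "port": "port48", "sender_ip": "11.11.11.11", "sender_mac": "aaa.aaa.aaa"}
SPOOF = dict(HOST, port="port7", sender_mac="bbb.bbb.bbb")    # wrong MAC for that IP
DHCP_CLIENT = {"vlan": 10, "port": "port9", "sender_ip": "11.11.11.20", "sender_mac": "ccc.ccc.ccc"}

STATIC_BINDING = [("aaa.aaa.aaa", 10, "11.11.11.11")]          # Option#1
LEARNED = [("ccc.ccc.ccc", 10, "11.11.11.20")]                 # learned by DHCP snooping
ARP_ACL = [("permit", "11.11.11.11", "aaa.aaa.aaa")]           # Option#2

def option1(arp):
    return dai_verdict(arp, {10}, bindings=STATIC_BINDING + LEARNED)

def option2(arp, static=False):
    return dai_verdict(arp, {10}, acl=ARP_ACL, acl_static=static, bindings=LEARNED)

if __name__ == "__main__":
    for name, arp in [("host", HOST), ("spoof", SPOOF), ("dhcp client", DHCP_CLIENT)]:
        print(name, option1(arp), option2(arp), option2(arp, static=True))
```

In this model both options give the same verdict for the listed host and for the mismatched MAC; they diverge only when the filter is applied with `static`, where hosts known solely through DHCP snooping are dropped.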
