Hi Tyson,

I misread Serious CCIE's query initially and thought he was comparing dhcp snooping and ARP inspection. After again reading it, I see that in one option dhcp snooping is used and in the other an ARP access list is used. Hence logically it should work but should be labbed out for confirmation.

With regards
Kings

On Thu, Mar 3, 2011 at 11:26 PM, Tyson Scott <[email protected]> wrote:

> So the question still remains would the two options below have the same
> results? I will leave it up to you guys to test it out.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Thursday, March 03, 2011 11:29 AM
> *To:* Tyson Scott
> *Cc:* Serious CCIE; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)
>
> Yes Tyson, it checks for valid IP to MAC bindings comparing with the dhcp
> snooping binding table.
>
> With regards
> Kings
>
> On Thu, Mar 3, 2011 at 9:46 PM, Tyson Scott <[email protected]> wrote:
>
> What does ARP inspection check for valid IP to MAC bindings? What options
> are available?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Thursday, March 03, 2011 11:14 AM
> *To:* Tyson Scott
> *Cc:* Serious CCIE; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)
>
> Hi Tyson
>
> DHCP snooping uses the binding table and checks if the source MAC address
> and client hardware address match; else the DHCP packet is dropped.
>
> DAI checks for the valid IP-to-MAC in ARP packet.
>
> Would they do the same?
>
> With regards
> Kings
>
> On Thu, Mar 3, 2011 at 8:46 PM, Tyson Scott <[email protected]> wrote:
>
> I will turn the question back, what happens when you test it?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Serious CCIE
> *Sent:* Thursday, March 03, 2011 8:43 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] IPSG -arp poisoning (back on Again)
>
> Hi,
>
> Will these do the same job? option#2 will save some time in typing as it
> applies to the whole vlan/port while option#2 is for a specific port.
>
> What are your thoughts?
>
> Option#1
> !
> ip dhcp snooping binding aaa.aaa.aaa vlan 10 11.11.11.11 interface 48
> ip arp inspection vlan 10
> !
>
> -----------Vs---------------
>
> option#2
> !
> arp access-list ARP_ACL
> permit ip host 11.11.11.11 mac host aaa.aaa.aaa
> !
> ip arp inspection filter ARP_ACL vlan 10
> ip arp inspection vlan 10
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
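
The thread leaves the comparison to be labbed. As an added example that is not part of the original thread, the Python model below walks the order in which DAI consults an ARP ACL and then the DHCP snooping binding table, using the two options from the first post. The `static` keyword on the filter command, the second and third sample packets and all function names are additions; the model matches on sender IP and MAC only and ignores the ingress port.

```python
# Simplified model of Dynamic ARP Inspection (DAI) on an untrusted port.
# Assumption: only sender IP and sender MAC are matched; the ingress port,
# rate limits and "ip arp inspection validate" checks are not modelled.
from dataclasses import dataclass, field

@dataclass
class VlanPolicy:
    bindings: set = field(default_factory=set)  # {(ip, mac)} snooping table
    acl: list = None      # [(action, ip, mac)], None = no filter applied
    static: bool = False  # "static" keyword on "ip arp inspection filter"

def dai_verdict(policy, sender_ip, sender_mac):
    """Return ('permit' or 'drop', reason) for one ARP packet."""
    key = (sender_ip, sender_mac.lower())
    # 1. The ARP ACL, if one is applied to the VLAN, is consulted first.
    for action, ip, mac in policy.acl or []:
        if (ip, mac.lower()) == key:
            return ("permit" if action == "permit" else "drop", "ARP ACL")
    # 2. With "static", a packet matching no ACL entry is dropped outright.
    if policy.acl is not None and policy.static:
        return ("drop", "implicit deny (static)")
    # 3. Otherwise the DHCP snooping binding table decides.
    if key in policy.bindings:
        return ("permit", "snooping binding")
    return ("drop", "no binding")

HOST = ("11.11.11.11", "aaa.aaa.aaa")         # values from the first post
DHCP_CLIENT = ("11.11.11.20", "bbb.bbb.bbb")  # constructed: learned via DHCP
SPOOF = ("11.11.11.11", "ccc.ccc.ccc")        # constructed: wrong MAC for IP

OPTION1 = VlanPolicy(bindings={HOST, DHCP_CLIENT})
OPTION2 = VlanPolicy(bindings={DHCP_CLIENT}, acl=[("permit", *HOST)])
OPTION2_STATIC = VlanPolicy(bindings={DHCP_CLIENT}, acl=[("permit", *HOST)],
                            static=True)

def compare():
    """Verdict per sample packet under each configuration."""
    policies = (OPTION1, OPTION2, OPTION2_STATIC)
    samples = {"host": HOST, "dhcp_client": DHCP_CLIENT, "spoof": SPOOF}
    return {name: tuple(dai_verdict(p, *pkt)[0] for p in policies)
            for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12}", *verdicts)
```

Without `static`, the two options give the same verdicts for these packets in this model. The `interface 48` in Option#1 is outside what the model covers.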
