Folks,
Just to obtain some clarity on what fields Dynamic ARP Inspection (DAI) uses
to validate ARP packets...
Schematic: Ethernet header (L2-src L2-dst) ARP packet (SHA SPA THA TPA)
Question: in ARP replies is "(L2-dst, TPA)" in the DHCP snooping binding
table a requirement for validation?
1. Plain or Vanilla DAI
Valid if:
A. (L2-src, SPA) is in the DHCP snooping binding table.
E.g., you could have SHA != L2-src or THA != L2-dst and packet will still
validate (see below)
2. ip arp inspection validate src-mac
Valid if:
A. (L2-src, SPA) is in the DHCP snooping binding table.
B. L2-src == SHA
3. ip arp inspection validate dst-mac
Valid if:
A. (L2-src, SPA) is in the DHCP snooping binding table.
B. L2-dst == THA
4. ip arp inspection validate ip
Requires
A. (L2-src, SPA) is in the DHCP snooping binding table.
B. SPA != 0.0.0.0 255.255.255.255 224.0.0.0/4
(in ARP replies) TPA != 0.0.0.0 255.255.255.255 224.0.0.4/4
Do you agree with this summary?
Cheers
Richard
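The four validation levels summarised in the post, encoded as a small checker (an added example, not from the post or from Cisco IOS). The binding table, MACs and IPs are constructed, and the dst-mac comparison is assumed to apply to ARP replies only, since a request carries a zero THA and a broadcast L2-dst.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed DHCP snooping binding table: (MAC, IP) pairs a switch would have
# learned from DHCP. Real bindings also carry VLAN, port and lease time (omitted).
BINDINGS = {("aa:bb:cc:00:00:01", "10.0.0.11"), ("aa:bb:cc:00:00:02", "10.0.0.12")}

# Addresses the 'validate ip' option rejects per the post (224.0.0.0/4 = all multicast)
_BAD_ADDRS = {ip_address("0.0.0.0"), ip_address("255.255.255.255")}
_BAD_NETS = [ip_network("224.0.0.0/4")]


@dataclass
class ArpFrame:
    l2_src: str      # Ethernet source MAC
    l2_dst: str      # Ethernet destination MAC
    sha: str         # ARP sender hardware address
    spa: str         # ARP sender protocol (IP) address
    tha: str         # ARP target hardware address
    tpa: str         # ARP target protocol (IP) address
    is_reply: bool   # True for ARP reply (opcode 2), False for request


def _bad_ip(addr: str) -> bool:
    a = ip_address(addr)
    return a in _BAD_ADDRS or any(a in n for n in _BAD_NETS)


def dai_validate(f: ArpFrame, bindings=BINDINGS, src_mac=False, dst_mac=False, ip=False):
    """Return (valid, reason). Plain DAI is the binding lookup alone; the three
    flags mirror the 'ip arp inspection validate' options as listed in the post."""
    # 1. Plain DAI: only (L2-src, SPA) must match a binding; SHA/THA are not consulted
    if (f.l2_src.lower(), f.spa) not in bindings:
        return False, "no (L2-src, SPA) binding"
    # 2. src-mac: Ethernet source must equal the ARP sender hardware address
    if src_mac and f.l2_src.lower() != f.sha.lower():
        return False, "L2-src != SHA"
    # 3. dst-mac: Ethernet destination must equal ARP target hardware address.
    #    Assumed to apply to replies only (a request's THA is zero, L2-dst broadcast).
    if dst_mac and f.is_reply and f.l2_dst.lower() != f.tha.lower():
        return False, "L2-dst != THA"
    # 4. ip: reject invalid sender IP, and invalid target IP in replies
    if ip and _bad_ip(f.spa):
        return False, "invalid SPA"
    if ip and f.is_reply and _bad_ip(f.tpa):
        return False, "invalid TPA"
    return True, "ok"
```

Running the same frame through each level shows the point of the post: a reply whose SHA does not match its Ethernet source passes plain DAI and is only dropped once src-mac validation is enabled.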