There is a nice presentation on this put together by Yusuf. http://www.cisco.com/web/ME/exposaudi2009/assets/docs/layer2_attacks_and_mitigation_t.pdf%20
check "building the layers" section A.

On 7 June 2012 08:20, Eugene Pefti <[email protected]> wrote:

> I would say that IP source guard goes hand in hand with DHCP snooping.
>
> Cisco doc says (Catalyst 3650)
>
> “When IP source guard with source IP filtering is enabled on an interface,
> DHCP snooping must be enabled on the access VLAN for that interface”
>
> And then they start configuring IPSG with DHCP snooping as part of it.
>
> I tested it and my findings are that even if you have “ip source binding
> AAAA.BBBB.CCCC vlan XYZ XXX.XXX.XXX.XXX interface Fa0/XX” it is not active
> without DHCP snooping:
>
> SW2#show ip ver source interface Fa0/6
> Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
> ---------  -----------  -----------  ---------------  -----------------  ----------
> Fa0/6      ip           inactive-no-snooping-vlan
>
> I had a host obtain an IP address from the DHCP server different from the
> IP address used in “ip source binding” and was able to communicate.
>
> Once I enabled DHCP snooping globally and for the specific VLAN the IPSG
> feature became active and the host wasn’t able to communicate with others:
>
> SW2#sh ip verif source inter fa0/6
> Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
> ---------  -----------  -----------  ---------------  -----------------  ----------
> Fa0/6      ip           active       174.1.255.2                         102
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, June 05, 2012 9:01 PM
> To: Mike Rojas
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
>
> ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3 can't be
> used for DHCP snooping. Have you tested it? It can be only used for IPSG
> validation not DHCP packet validation.
>
> With regards
> Kings
>
> On Wed, Jun 6, 2012 at 7:35 AM, Mike Rojas <[email protected]> wrote:
>
> I made that mistake on the test, the question clearly said, make sure it
> survives upon reload....
>
> Mike
> ------------------------------
>
> Date: Tue, 5 Jun 2012 20:04:27 -0400
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding
>
> For the dhcp snooping I learned the hard way the difference between the
> two commands.
>
> The below command is done at exec level and binding will be removed after a
> reload
>
> 3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3
>
> The following is permanent and will not be removed from the config or
> binding database after reboot
>
> 3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3
>
> Are you able to pick the difference between the two commands?
>
> Hope this helps.
>
> --
> FNK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
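
An added example, not part of the original thread: a Python audit that cross-references static `ip source binding` lines against `show ip verify source` output and reports bindings on ports where IPSG is not in `active` filter mode, the condition shown in Eugene's first output. The sample output and config lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the output format quoted in the thread, one port per state.
SHOW_VERIFY = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           inactive-no-snooping-vlan
Fa0/7      ip           active       174.1.255.2                         102
"""

# Constructed config lines using the `ip source binding` syntax from the thread.
CONFIG = """\
ip source binding AAAA.BBBB.CCCC vlan 101 174.1.101.2 interface Fa0/6
ip source binding 1112.3332.2243 vlan 102 174.1.255.2 interface FastEthernet0/7
"""

BINDING_RE = re.compile(
    r"^ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)", re.M)

def short_if(name):
    """Normalise 'FastEthernet0/6' and 'Fa0/6' to 'fa0/6'."""
    m = re.match(r"([A-Za-z]+)([\d/.]+)$", name)
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.lower()

def filter_modes(show_output):
    """Map interface -> Filter-mode from `show ip verify source` output."""
    modes = {}
    for line in show_output.splitlines():
        tok = line.split()
        # Skip the header, the dashed rule and blank lines.
        if len(tok) < 3 or tok[0] == "Interface" or set(tok[0]) == {"-"}:
            continue
        modes[short_if(tok[0])] = tok[2]
    return modes

def unenforced_bindings(config, show_output):
    """Return static bindings whose port is not filtering in 'active' mode."""
    modes = filter_modes(show_output)
    findings = []
    for mac, vlan, ip, intf in BINDING_RE.findall(config):
        # A port with no `show ip verify source` row has no IPSG configured at all.
        mode = modes.get(short_if(intf), "not-configured")
        if mode != "active":
            findings.append((intf, ip, int(vlan), mode))
    return findings

if __name__ == "__main__":
    for intf, ip, vlan, mode in unenforced_bindings(CONFIG, SHOW_VERIFY):
        print(f"{intf}: binding for {ip} (vlan {vlan}) not enforced: {mode}")
```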
