RE: Dynamic ARP inspection versus IP source guard

From: Swan, Jay (jswan@sugf.com)
Date: Mon Dec 17 2007 - 18:33:33 ART


They aren't quite the same.

IPSG: Makes sure you are sending IP packets from the MAC address that
the DHCP server (or IPSG binding DB) gave you.

DAI: Makes sure you don't send gratuitous ARP replies (which aren't IP
packets, remember) for an IP address that's not yours.

Other methods of preventing spoofing include ACLs and applying uRPF on
your edge L3 interfaces. The problem with these approaches is that they
don't prevent gratuitous ARP attacks and they don't prevent a device
from spoofing a different IP on its own subnet.

Jay
#17783
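
To make the distinction Jay draws concrete, here is a small added model (constructed for this thread, not Cisco code and not from either poster) of an access switch that holds a DHCP snooping binding table and runs both checks on untrusted ports. The binding entries, port names and MAC/IP values are invented for the example; the model simplifies real IOS behaviour (DAI is modelled as a VLAN-wide IP/MAC lookup, IPSG as a per-port lookup) but keeps the point of the thread: IPSG looks only at IP packets, DAI looks only at ARP, so a spoofed IP source passes DAI and a forged gratuitous ARP passes IPSG. The `port_security` flag corresponds to the IP+MAC mode IPSG offers with `ip verify source port-security`, and `validate_src_mac` to `ip arp inspection validate src-mac`.

```python
"""Toy model of IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).

Constructed example for illustration; all ports, MACs and IPs are invented.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding (or a static 'ip source binding' entry)."""
    port: str
    vlan: int
    mac: str
    ip: str


@dataclass(frozen=True)
class Frame:
    """The fields of an ingress frame that the two features look at."""
    port: str
    vlan: int
    src_mac: str                 # Ethernet source MAC
    kind: str                    # "ip" or "arp"
    ip_src: Optional[str] = None          # IP header source (kind == "ip")
    arp_sender_mac: Optional[str] = None  # ARP sender hardware address
    arp_sender_ip: Optional[str] = None   # ARP sender protocol address


# Constructed binding table: two DHCP clients on access ports in VLAN 10.
BINDINGS: List[Binding] = [
    Binding("Fa0/1", 10, "0000.1111.1111", "10.1.1.11"),
    Binding("Fa0/2", 10, "0000.2222.2222", "10.1.1.12"),
]
# Uplink to the router/DHCP server: trusted for both snooping and DAI.
TRUSTED_PORTS: Set[str] = {"Fa0/24"}


def ipsg_permits(frame: Frame, bindings: List[Binding] = BINDINGS,
                 trusted: Set[str] = TRUSTED_PORTS,
                 port_security: bool = False) -> bool:
    """IPSG: on an untrusted port, forward an IP packet only if its source IP
    (and, with port_security, its source MAC) match a binding for that port.
    Anything that is not an IP packet is not inspected at all."""
    if frame.port in trusted or frame.kind != "ip":
        return True
    for b in bindings:
        if b.port == frame.port and b.vlan == frame.vlan and b.ip == frame.ip_src:
            if not port_security or b.mac == frame.src_mac:
                return True
    return False


def dai_permits(frame: Frame, bindings: List[Binding] = BINDINGS,
                trusted: Set[str] = TRUSTED_PORTS,
                validate_src_mac: bool = False) -> bool:
    """DAI: on an untrusted port, forward an ARP packet only if its sender
    IP/MAC pair exists in the binding table for that VLAN. With
    validate_src_mac, also require the Ethernet source MAC to equal the ARP
    sender MAC. Anything that is not ARP is not inspected at all."""
    if frame.port in trusted or frame.kind != "arp":
        return True
    if validate_src_mac and frame.src_mac != frame.arp_sender_mac:
        return False
    return any(b.vlan == frame.vlan and b.ip == frame.arp_sender_ip
               and b.mac == frame.arp_sender_mac for b in bindings)


# Constructed traffic: two legitimate frames, one IP spoof, one gratuitous
# ARP for the gateway address 10.1.1.1, and the real gateway's ARP on the
# trusted uplink.
SAMPLE_FRAMES: List[Tuple[str, Frame]] = [
    ("legit-ip", Frame("Fa0/1", 10, "0000.1111.1111", "ip", ip_src="10.1.1.11")),
    ("spoofed-ip", Frame("Fa0/2", 10, "0000.2222.2222", "ip", ip_src="10.1.1.11")),
    ("legit-arp", Frame("Fa0/1", 10, "0000.1111.1111", "arp",
                        arp_sender_mac="0000.1111.1111", arp_sender_ip="10.1.1.11")),
    ("gratuitous-arp-for-gateway", Frame("Fa0/2", 10, "0000.2222.2222", "arp",
                                         arp_sender_mac="0000.2222.2222",
                                         arp_sender_ip="10.1.1.1")),
    ("gateway-arp-trusted", Frame("Fa0/24", 10, "0000.aaaa.0001", "arp",
                                  arp_sender_mac="0000.aaaa.0001",
                                  arp_sender_ip="10.1.1.1")),
]


def evaluate(frames: List[Tuple[str, Frame]]) -> List[Tuple[str, bool, bool]]:
    """Run every frame through both features; True means 'forwarded'."""
    return [(name, ipsg_permits(f), dai_permits(f)) for name, f in frames]


if __name__ == "__main__":
    for name, ipsg, dai in evaluate(SAMPLE_FRAMES):
        print(f"{name:28s} IPSG={'permit' if ipsg else 'DROP':6s} "
              f"DAI={'permit' if dai else 'DROP'}")
```

Running it shows `spoofed-ip` dropped by IPSG but untouched by DAI, and `gratuitous-arp-for-gateway` dropped by DAI but untouched by IPSG; each feature closes a hole the other leaves open, which is why they are deployed together on top of DHCP snooping rather than as alternatives.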

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
wim.depauw@getronics.com
Sent: Monday, December 17, 2007 12:55 PM
To: ccielab@groupstudy.com
Subject: Dynamic ARP inspection versus IP source guard

Hi,

I'm doing some tests with the above features but I'm a little bit
confused.
To my understanding:

IP source guard will make sure that your relationship MAC address - IP
address is correct. This is checked either in the DHCP database or via the
ip source binding command. Also it is configured under an interface with
the command ip verify source.

Dynamic ARP inspection will make sure that you don't have a man in the
middle attack, so it will also check the IP address - MAC address
relationship.
This is configured globally per VLAN and possibly also with a static ARP
ACL for non-DHCP environments.

So in the end they do the same thing but in a different way. Am I
correct or am I missing something?
What about the lab? Go see the proctor?

Personally I would choose the dynamic arp inspection because you can
configure it globally ....

gr
wim



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST