From: Christian Zeng (christian@zengl.net)
Date: Tue Dec 18 2007 - 04:55:12 ART
Hi,
* Swan, Jay wrote:
> IPSG: Makes sure you are sending IP packets from the IP address that the
> DHCP server (or IPSG binding DB) gave you. In other words, it does a
> sanity check between the source MAC, source IP, and the DHCP binding DB.
Think of it like a uRPF check for a specific host on that interface via
an ingress L3 port ACL. This is what the switch does at the end, it
dynamically creates an ACL with IP source information learned either via
DHCP or the manual binding database, and applies it ingress to the port.
Surprisingly, even if you do manual bindings only, you must enable dhcp
snooping first.
In addition, you can extend validity checks to L2 by specifying the
port-security option, allowing the switch to restrict traffic from a
specific MAC address on that port (applies to non-IP traffic then also).
DAI only takes care of ARP; it will not filter other regular traffic
received on a port.
It took me some time to figure out all the major and minor varieties and
dependencies between port security, DAI, IPSG, mac address-table static
drop, port ACLs and even vlan filters. If you run into a filter question
on the lab, you really want to read it more than 3 times to figure out
exactly what they are after :)
Hope this helps,
Christian
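Added illustration (not part of Christian's or Jay's messages): a constructed Catalyst IOS configuration (3560/3750-style syntax assumed; other platforms use slightly different `ip verify source` keywords) that puts the dependencies described above side by side. DHCP snooping is enabled globally before the static binding, IPSG with the port-security keyword ties the port to both the IP and the MAC, DAI is switched on for the same VLAN and only affects ARP, and a static drop entry in the MAC table is shown for comparison. All MAC addresses, IP addresses and interface names are placeholders.

```text
! DHCP snooping has to be on before IPSG bindings are accepted,
! even when every binding is entered manually
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Manual IPSG binding: MAC 0011.2233.4455 may source 10.1.10.50 on Fa0/1, VLAN 10
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/1
!
! DAI validates ARP packets against the same binding database;
! it leaves every non-ARP frame alone
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Unrelated to IPSG: drop all frames to/from this MAC in VLAN 10, regardless of IP
mac address-table static 0066.7788.9900 vlan 10 drop
!
interface FastEthernet0/1
 description access port protected by IPSG + port security
 switchport mode access
 switchport access vlan 10
 ! port security must be enabled for the port-security keyword of IPSG
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! IP packets must match the (IP, MAC) binding; with port-security,
 ! frames from any other MAC (IP or not) are dropped as well.
 ! Plain "ip verify source" would check the source IP only.
 ip verify source port-security
!
interface FastEthernet0/24
 description uplink towards the DHCP server
 switchport mode trunk
 ! trusted ports bypass snooping and DAI checks; no IPSG here
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification
! show ip dhcp snooping
! show ip source binding
! show ip verify source
! show ip arp inspection vlan 10
```

`show ip verify source` is the quickest way to see which ports actually have an IPSG filter installed and whether it is IP-only or IP+MAC; a port that shows no entry usually means snooping was not enabled for that VLAN before the binding was configured.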
#19533 (Security)
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST