1748 Views, 0 Helpful, 4 Replies

Address spoofing

cosimodagostino
Level 1

Hi everyone

I noticed that there is a bit of confusion regarding the address spoofing attack. In the modules of the new CCNA certification it is written that it is difficult to mitigate IP address spoofing, but there is a tool called IPSG that allows you to mitigate IP and MAC address spoofing (it is reported here at this link and in the NetAcad manuals: https://ccna-200-301.online/lan-attacks/). In Wendell Odom's books, chapters 4 and 6 for the new 200-301 certification, it is reported that it is possible to mitigate (he does not say that it is difficult to mitigate, but that it is possible to mitigate) MAC address spoofing (not IP address spoofing) through DAI. Now I wonder why on NetAcad it is written that IP and MAC address spoofing are difficult to mitigate but there is IPSG that helps in trying to intervene, while in Wendell's books it is written that it is possible to intervene to mitigate MAC address spoofing by implementing port security?

Accepted Solution

Milos_Jovanovic
VIP Alumni

Hi @cosimodagostino,

As you noted, there is address spoofing on L2 (MAC address) and on L3 (IP address). Also, as said, it is possible to implement anti-address-spoofing measures.

For L2, it is based on DAI. This protocol intercepts DHCP packets and learns which MAC is behind which IP. However, there are lots of networks still implementing only static addressing, where this becomes quite challenging. You could add these static entries manually, but this becomes a huge administrative overhead over time. This is why they said it is hard to mitigate.

For L3, on firewall devices (not sure about other devices) there is always the uRPF check, which states that an IP address must come in on the interface where the route points. This part is even easy in your data center, and people are even implementing this solution in their own networks.

However, the trick is to implement this on the Internet. If only each ISP would implement this control (to allow traffic only from their own and their customers' IP scopes), volumetric DDoS attacks would be significantly reduced.

BR,

Milos

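As an added illustration of the controls Milos describes (not part of his answer, and not configuration quoted from any Cisco document on this page), the Cisco IOS configuration below ties them together on one access switch and its upstream router: DHCP snooping builds the MAC/IP binding table, DAI validates ARP against it, IPSG checks the IP source of data frames on untrusted ports against the same table, and uRPF drops L3 source spoofing at the routed edge. The static host at 10.1.10.50 shows the manual-entry overhead he mentions. VLAN 10, the interface names, the MAC address and the IP addresses are constructed values.

```cisco
! --- Access switch: build the MAC/IP binding table from DHCP ---
ip dhcp snooping
ip dhcp snooping vlan 10
! The uplink towards the DHCP server is the only trusted port
interface GigabitEthernet0/1
 description UPLINK
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- DAI: validate ARP against the snooping bindings (L2 anti-spoofing) ---
ip arp inspection vlan 10
! Also check the sender/target MACs and IPs carried inside the ARP body
ip arp inspection validate src-mac dst-mac ip
!
! Static host (no DHCP): one manual ARP ACL entry per host is the
! administrative overhead that makes all-static networks hard to cover
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! The same static host also needs a manual IPSG binding
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet0/2
!
! --- Access ports: IPSG checks the IP source (and MAC) of data frames ---
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Drop frames whose source IP/MAC pair is not in the binding table
 ip verify source port-security
 ! Rate-limit ARP on untrusted ports (15 pps is the DAI default)
 ip arp inspection limit rate 15
!
! --- Router / edge: uRPF strict mode drops L3 source spoofing ---
interface GigabitEthernet0/0
 description LAN-FACING
 ip address 10.1.10.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Verification commands
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
! show ip verify source
! show ip interface GigabitEthernet0/0 | include verify
```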

4 Replies


So using VLANs, port security and applying restrictive policies at the Active Directory level to prevent them from setting the IP statically (and therefore forcing them to use DHCP), and setting up DAI and DHCP snooping at level 2, can it be said that security (maybe monitoring the network with tools at time intervals) is high? I repeat, I am talking about level 2 spoofing only, which is perhaps more difficult to monitor than level 3, since, as you said, today there are different systems to filter threats.

Yes, you should implement L2 security measures, where DAI is just one of them (spanning-tree measures, 802.1x, DHCP snooping, DAI, disabling DTP, etc.) in order to increase your overall security. You can find good material here.

BR,

Milos

In conclusion I think we can say the following, based on your answers but also after turning the Internet over to look for the answer first:

A) The switch was created to perform all the functions of level 2: learning, STP, link aggregation, port security, BPDU guard, ARP, broadcasting and other level 2 functions.

B) Doing a search on the Internet, IP Source Guard is talked about in a superficial way by whoever talks about it; this means only one thing: it is obvious that DAI was created first, together with DHCP snooping; then they thought, shall we try to make the switch also do a random check on packets in transit on the ports? And they invented this IP Source Guard tool, where among other things they verified that using them alone does not provide those mechanisms for which a 100% intervention can be made.

C) Continuing, DAI does a check of the frame and the body of the frame; it does not go to check the IP packet, and is therefore the useful tool to intercept and verify, with the help of DHCP snooping, the ARP requests sent and received; therefore it does not make a check on the packet. IP Source Guard instead (which is not talked about in depth anywhere, even in books, not only on the Internet, and I also think there is a lot of embarrassment in talking about it) is a tool created as if to say, okay... we ask the switch to also perform something at level 3 with this tool; but the design of the switch is not, from an architectural point of view, like that of a router, precisely because it was not born to perform all those functions, and therefore the control is done not on every single packet by the switch but randomly at a certain point in the functioning of the LAN.

D) This is my thought but I think it can be shared: security at level 2 is seen more as the set of security tools; that is, before reaching level 2 an attacker must (correct me if I'm wrong) enter a company, identify himself with his identity card to the guards, perhaps with fingerprint recognition systems, to enter the server room; already here, if we let people in without monitoring the situation, we have made mistakes. In addition to this an attacker should also overcome port security, and he should use tools to monitor also the information given out by CDP (this is why CDP must be configured only on ports between switches, useful only for troubleshooting), so without going further he should overcome all these level 2 protection systems. While at the IP level the issue changes: from the outside, from the Internet, the person must be identified through the IP protocol; there is no security guard who has to carry out checks from the gate to the doors of the offices. At that point more sophisticated systems are implemented for identification: VPN, authentication server, DMZ, firewall systems, IP filtering, NAT/PAT, checks on e-mail packets, checks on data packets, IDS/IPS systems and I imagine much more still. Obviously if the hackers manage to pass all these checks there will be a reason; there are more experts than us who are here to write, and I who am here to learn :D. But in my personal opinion the question of address spoofing, and in particular IP Source Guard, should be better written in the books, and if I have gone on at length (forgive me :D) it is because it took me 3 days to understand all this mess here :D Hello and thank you for your intervention.
