
ARP spoofing: DAI vs IPSG

Hi,

I would like to secure my network against layer 2 attacks, principally ARP spoofing.

I know there are methods such as DAI and IP Source Guard, but to my knowledge these two features have "DHCP snooping" as a prerequisite.

Is there another feature or solution against "ARP spoofing" without enabling DHCP snooping on my switch?

Regards

Accepted Solutions
Hall of Fame Cisco Employee

Hello Mohamed,

"Is there another feature or solution against "ARP spoofing" without enabling DHCP snooping on my switch?"

There are none. Both DAI and IPSG must verify the correspondence of MAC and IP address as seen in ARP messages or in Ethernet-encapsulated IP packets. This correspondence is best obtained by snooping on the DHCP communication. There are ways to configure these mappings manually without using DHCP Snooping, but maintaining a large number of stations in this manual way will get very tedious, impractical and prone to error.

Best regards,

Peter
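
The MAC-to-IP correspondence check described in the answer above, as an added Python example that is not part of the original thread and is not Cisco's implementation. The binding table, the addresses and the function names `arp_frame` and `inspect_arp` are constructed for illustration; the table stands in for either DHCP snooping entries or manually configured mappings.

```python
import socket
import struct

# Constructed IP -> MAC bindings (documentation addresses). On a switch these
# would come from the DHCP snooping table or from manually configured entries.
BINDINGS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway
    "192.0.2.10": "00:00:5e:00:53:0a",  # workstation
}

def arp_frame(sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed Ethernet/ARP frame (op 2 = reply) as sample input."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac,
                      socket.inet_aton(sender_ip), b"\x00" * 6,
                      socket.inet_aton(target_ip))
    return eth + arp

def inspect_arp(frame, bindings=BINDINGS):
    """Return (verdict, reason) for one frame, checked against the bindings."""
    if len(frame) < 14:
        return ("drop", "truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return ("ignore", "not ARP")
    if len(frame) < 42:
        return ("drop", "truncated ARP payload")
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ("drop", "not Ethernet/IPv4 ARP")
    sender_ip = socket.inet_ntoa(spa)
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    expected = bindings.get(sender_ip)
    if expected is None:
        return ("drop", f"no binding for {sender_ip}")
    if expected.lower() != sender_mac:
        return ("drop", f"{sender_ip} is bound to {expected}, not {sender_mac}")
    return ("permit", f"{sender_ip} matches {sender_mac}")

if __name__ == "__main__":
    samples = [
        arp_frame("00:00:5e:00:53:0a", "192.0.2.10", "192.0.2.1"),  # matches
        arp_frame("00:00:5e:00:53:66", "192.0.2.1", "192.0.2.10"),  # wrong MAC
        arp_frame("00:00:5e:00:53:0b", "192.0.2.99", "192.0.2.1"),  # unbound IP
    ]
    for frame in samples:
        print(inspect_arp(frame))
```

Every station needs an entry in the table before its ARP traffic passes, which is the maintenance burden the answer points to when the bindings are entered by hand.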
