10-09-2012 04:13 PM - edited 03-10-2019 12:19 PM
Hi,
I would like to secure my network against layer 2 attacks, principally ARP spoofing.
I know there are methods such as DAI and IP Source Guard, but to my knowledge these two features have "DHCP snooping" as a prerequisite.
Is there another feature or solution against "ARP spoofing" without enabling DHCP snooping in my switch?
Regards
10-09-2012 08:55 PM
Hello Mohamed,
> Is there another feature or solution against "ARP spoofing" without enabling DHCP snooping in my switch?
There are none. Both DAI and IPSG must verify the correspondence of MAC and IP address as seen in ARP messages or in Ethernet-encapsulated IP packets. This correspondence is best obtained by snooping on the DHCP communication. There are ways to configure these mappings manually without using DHCP Snooping but maintaining a large number of stations in this manual way will get very tedious, impractical and prone to error.
Best regards,
Peter
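The manual mapping mentioned in the answer above, as an added example that is not part of the original thread: DAI on Cisco IOS checking ARP against a static ARP ACL instead of the DHCP snooping binding table. VLAN 10, the ACL name, the interface and the IP/MAC pairs are constructed placeholders.

```cisco
! Added example. Addresses use documentation ranges and are constructed.
! One permit line per station: this is the list that has to be
! maintained by hand when DHCP snooping is not available.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0000.5e00.5310
 permit ip host 192.0.2.11 mac host 0000.5e00.5311
 permit ip host 192.0.2.1  mac host 0000.5e00.5301
!
! Enable Dynamic ARP Inspection on the VLAN.
ip arp inspection vlan 10
!
! Validate ARP in VLAN 10 against the ACL. The "static" keyword makes
! the ACL's implicit deny final, so packets that match no entry are
! dropped instead of being checked against DHCP snooping bindings
! (which do not exist in this setup).
ip arp inspection filter STATIC-HOSTS vlan 10 static
!
! Optional extra checks: Ethernet source MAC must equal the ARP sender
! MAC, and the IP fields must not be 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection validate src-mac ip
!
! Uplink to another switch that performs its own inspection.
! ARP arriving on a trusted port is not inspected, so access ports
! facing end stations stay untrusted (the default).
interface GigabitEthernet0/24
 ip arp inspection trust
```

`show ip arp inspection vlan 10` confirms the ACL is applied as static, and `show ip arp inspection statistics vlan 10` shows the forwarded and dropped counters.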