07-02-2024 07:32 AM
When using DHCP Snooping along with static IP addresses, I understand that you will need to add those IP addresses to the binding database for DAI and IP verify source to work. My question is whether this is worth it. It seems like a huge pain to list all of these IP addresses and possibly MAC addresses manually. Just wanted to know what the community thinks about this hardening requirement. Thanks!
Labels: LAN Switching
Accepted Solutions
07-02-2024 07:53 AM - edited 07-02-2024 07:53 AM
Hello @Gregman3800
While this approach significantly enhances network security, it involves a substantial administrative burden when static IP addresses are used, as each static IP and its corresponding MAC address must be manually added to the DHCP Snooping binding database. This task is labor-intensive and error-prone, especially in large networks, leading to potential scalability issues and the risk of misconfigurations that could disrupt network operations...
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
07-02-2024 08:30 AM
There are three network modes here:
1 - All endpoints run DHCP <<- here it is easy to configure DHCP snooping, DAI and IPSG
2 - Some endpoints run static, others run DHCP <<- here we use static entries in the binding table
3 - All endpoints run static <<- it is very difficult to use static entries in the binding table
MHM
07-02-2024 10:52 AM
I am checking L2 security instead of static binding; I will update you tomorrow.
MHM
07-02-2024 11:04 AM
Thanks that would be good to know!
07-02-2024 11:27 AM - edited 07-02-2024 01:01 PM
This is a brief summary of L2 attacks and defenses.
The most important are two: the ARP attack and the DHCP server attack.
For the ARP attack we can use a VLAN ACL or private VLAN <<- correction: you must also use a port ACL for the ARP attack.
But for the DHCP server attack, the table doesn't show that, but a port ACL can prevent any L2 port from sending DHCP offers unless the port connects to the DHCP server.
MHM
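The following is an added example, not code from this thread or from Cisco: a small Python generator that turns a host inventory into the IOS lines the "three network modes" post and the port ACL post above describe, so static hosts are not typed into the DHCP snooping binding table by hand (the error-prone step the thread complains about). It emits `ip source binding` entries for IPSG/DAI on static hosts, an ARP ACL for DAI, a port ACL that drops DHCP server traffic (bootps to bootpc) on every host port, and trust settings only on the port facing the DHCP server. The inventory, VLAN 10, the interface names, the ACL names `NO-DHCP-SERVER` and `STATIC-HOSTS`, and the server-facing uplink are constructed assumptions for the example.

```python
"""Generate Cisco IOS DHCP snooping / DAI / IPSG lines from a host inventory.
Added example; inventory, VLAN, interface and ACL names are constructed."""
import ipaddress
import re

# Constructed sample inventory: (hostname, interface, mac, static ip or None for DHCP clients)
INVENTORY = [
    ("printer-1", "GigabitEthernet1/0/1", "00:11:22:33:44:55", "10.10.10.20"),
    ("camera-1",  "GigabitEthernet1/0/2", "0011.2233.4466",    "10.10.10.21"),
    ("pc-1",      "GigabitEthernet1/0/3", "00-11-22-33-44-77", None),  # DHCP client
]
VLAN = 10
DHCP_SERVER_PORT = "GigabitEthernet1/0/48"  # uplink toward the DHCP server (assumed)
PORT_ACL = "NO-DHCP-SERVER"
ARP_ACL = "STATIC-HOSTS"


def cisco_mac(mac: str) -> str:
    """Normalise colon, dash or dotted MAC notation to Cisco form aabb.ccdd.eeff.
    A mistyped MAC makes a static binding silently useless, so anything that is
    not exactly 12 hex digits is rejected instead of being passed through."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def static_bindings(inventory, vlan: int) -> list[str]:
    """Binding-table entries for static hosts; DHCP clients are learned by snooping."""
    lines = []
    for _name, intf, mac, ip in inventory:
        if ip is None:
            continue
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        lines.append(f"ip source binding {cisco_mac(mac)} vlan {vlan} {addr} interface {intf}")
    return lines


def dai_arp_acl(inventory, vlan: int, name: str = ARP_ACL) -> list[str]:
    """ARP ACL so DAI permits ARP from the static hosts, applied to the VLAN."""
    lines = [f"arp access-list {name}"]
    for _name, _intf, mac, ip in inventory:
        if ip is not None:
            lines.append(f" permit ip host {ip} mac host {cisco_mac(mac)}")
    lines.append(f"ip arp inspection filter {name} vlan {vlan}")
    return lines


def dhcp_server_block_acl(name: str = PORT_ACL) -> list[str]:
    """Port ACL: drop DHCP server-to-client traffic (bootps -> bootpc) entering a host port."""
    return [f"ip access-list extended {name}",
            " deny udp any eq bootps any eq bootpc",
            " permit ip any any"]


def build_config(inventory, vlan: int, server_port: str) -> list[str]:
    """Full snippet: global snooping/DAI, ACLs, bindings, then per-port trust or hardening."""
    cfg = ["ip dhcp snooping", f"ip dhcp snooping vlan {vlan}", f"ip arp inspection vlan {vlan}"]
    cfg += dhcp_server_block_acl()
    cfg += static_bindings(inventory, vlan)
    cfg += dai_arp_acl(inventory, vlan)
    # Only the DHCP-server-facing port is trusted; it gets no port ACL.
    cfg += [f"interface {server_port}", " ip dhcp snooping trust", " ip arp inspection trust"]
    # Every host port stays untrusted: block rogue DHCP offers and verify source IP/MAC.
    for _name, intf, _mac, _ip in inventory:
        cfg += [f"interface {intf}", f" ip access-group {PORT_ACL} in", " ip verify source"]
    return cfg


if __name__ == "__main__":
    print("\n".join(build_config(INVENTORY, VLAN, DHCP_SERVER_PORT)))
```

Running the module prints the snippet ready to paste into configuration mode; the generated entries map one-to-one onto the thread's mode 2 (mixed static and DHCP hosts), and for mode 3 (all static) the inventory is simply every host, which is exactly where keeping the list in a file rather than typing it per switch pays off.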
