07-02-2024 07:32 AM
When using DHCP Snooping along with static IP addresses, I understand that you will need to add those IP addresses to the binding database for DAI and IP verify source to work. My question is whether this is worth it. It seems like a huge pain to list all of these IP addresses and possibly MAC addresses manually. Just wanted to know what the community thinks about this hardening requirement. Thanks!
07-02-2024 07:53 AM - edited 07-02-2024 07:53 AM
Hello @Gregman3800
While this approach significantly enhances network security, it involves a substantial administrative burden when static IP addresses are used, as each static IP and its corresponding MAC address must be manually added to the DHCP Snooping binding database. This task is labor-intensive and error-prone, especially in large networks, leading to potential scalability issues and the risk of misconfigurations that could disrupt network operations...
07-02-2024 08:30 AM
There are three network modes here:
1- All endpoints run DHCP <<- here it is easy to configure DHCP snooping, DAI and IPSG
2- Some endpoints run static, others run DHCP <<- here we use static entries for the binding
3- All endpoints run static <<- it is very difficult to use static entries for the binding
MHM
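One way to take some of the pain out of modes 2 and 3 above, as an added example that is not from this thread or from Cisco: generate the IOS `ip source binding` statements from a host inventory instead of typing them, and refuse rows that would create the misconfigurations the earlier reply warns about (malformed addresses, an IP or MAC already bound to another host). The CSV columns, host names and addresses are constructed for the example.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory of statically addressed hosts (not from the thread).
INVENTORY_CSV = """hostname,mac,vlan,ip,interface
printer-1,0011.2233.4455,10,10.1.10.20,GigabitEthernet1/0/5
camera-7,00:11:22:33:44:66,20,10.1.20.31,GigabitEthernet1/0/12
badge-reader,00-11-22-33-44-77,20,10.1.20.31,GigabitEthernet1/0/13
ups-1,0011.2233.44zz,10,10.1.10.40,GigabitEthernet1/0/7
"""
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac):
    """Return the MAC in IOS dotted form (hhhh.hhhh.hhhh), or None if malformed."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not MAC_RE.match(digits):
        return None
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_bindings(csv_text):
    """Turn the inventory into 'ip source binding' statements; return (config, problems).
    A row with a malformed MAC/IP, or whose IP or MAC is already claimed by an earlier
    row, is reported rather than emitted: a wrong static entry silently blocks that host.
    """
    config, problems = [], []
    seen_ip, seen_mac = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"]
        mac = normalize_mac(row["mac"])
        if mac is None:
            problems.append(f"{host}: malformed MAC {row['mac']!r}")
            continue
        try:
            ip = str(ipaddress.IPv4Address(row["ip"].strip()))
        except ipaddress.AddressValueError:
            problems.append(f"{host}: malformed IP {row['ip']!r}")
            continue
        if ip in seen_ip:
            problems.append(f"{host}: IP {ip} already bound to {seen_ip[ip]}")
            continue
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} already bound to {seen_mac[mac]}")
            continue
        seen_ip[ip], seen_mac[mac] = host, host
        vlan, intf = row["vlan"].strip(), row["interface"].strip()
        config.append(f"ip source binding {mac} vlan {vlan} {ip} interface {intf}")
    return config, problems
```

The emitted lines go into global configuration on the access switch; `show ip source binding` then lists the static entries next to the DHCP-learned ones, which is the quickest way to confirm DAI and IPSG will see the static hosts.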
07-02-2024 10:52 AM
I will check L2 security instead of static binding; I will update you tomorrow.
MHM
07-02-2024 11:04 AM
Thanks that would be good to know!
07-02-2024 11:27 AM - edited 07-02-2024 01:01 PM
This is a brief table of L2 attacks and defences.
The most important are two: the ARP attack and the DHCP server attack.
For the ARP attack we can use a VLAN ACL or private VLAN <<- correction: you must also use a port ACL for the ARP attack.
For the DHCP server attack the table doesn't show it, but a port ACL can prevent any L2 port from sending a DHCP offer unless that port connects to the DHCP server.
MHM