11-27-2018 09:15 AM - edited 03-08-2019 04:41 PM
Hi Cisco community,
I came across an article that describes IPSG. (https://packetpushers.net/ccnp-studies-configuring-ip-source-guard/).
I am aware of the difference between IPSG and ARP inspection in conjunction with DHCP snooping.
IPSG only checks whether the IP address to port ID mapping is correct, whereas Dynamic ARP Inspection checks IP-to-MAC address conformity, all based on the snooping table.
My question is the following: If I configure IPSG regularly and add the following command, e.g.:
SW1(config)#int fa0/24
SW1(config-if)#switchport port-security
SW1(config-if)#ip verify source port-security
Doesn't that mean that gratuitous ARP packets will be dropped due to the extra check of the MAC address field, and therefore IPSG makes DAI redundant?
Thank you in advance.
11-27-2018 01:38 PM
After some research I could answer the question for myself. For anyone who is interested, the answer is below:
IPSG with Port Security: First, IPSG looks at the IP header; if there is no such header, nothing will be prevented/dropped.
Second, Port Security looks at the Layer 2 MAC address. If the client has obtained an IP address from a trusted DHCP server, the snooping table references it with the corresponding MAC address.
At this point, without DAI, it would still be possible to perform ARP spoofing, because IPSG, with or without the Port Security option, only looks at the IP header or, with port security enabled, at the Ethernet (Layer 2) source MAC address.
It does not inspect the malicious ARP packet. For that mechanism we need to activate DAI, which looks into the ARP packet and validates the sender MAC and sender IP in the ARP packet.
I hope this helps. Please feel free to add any relevant information!
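As an added example (not part of the original post or of any Cisco documentation), the following is a minimal access-layer configuration that combines the three features discussed above: DHCP snooping to build the binding table, IPSG with the port-security option on the access port, and DAI to validate the sender fields inside ARP packets. VLAN 10, the uplink GigabitEthernet0/1 and the access port FastEthernet0/24 are assumed placeholder values.

```cisco
! Added example, not from the original post. VLAN 10, Gi0/1 (uplink towards
! the DHCP server) and Fa0/24 (client access port) are assumed placeholders.
!
! 1. DHCP snooping builds the IP/MAC/VLAN/port binding table that both
!    IPSG and DAI consult.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! 2. DAI inspects the ARP payload (sender MAC / sender IP) against the
!    binding table; the extra validate checks also compare the ARP body
!    against the Ethernet header and reject invalid/zero/multicast IPs.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the DHCP server: trusted for both snooping and DAI.
interface GigabitEthernet0/1
 description uplink towards DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client access port: IPSG filters IP traffic by source IP and, with the
! port-security keyword, by source MAC too; DAI handles ARP separately.
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
 ip arp inspection limit rate 15
```

To verify the result, `show ip dhcp snooping binding` lists the learned bindings, `show ip verify source` shows the IPSG filter state per port (including the MAC filter when the port-security option is active), and `show ip arp inspection statistics vlan 10` counts the ARP packets DAI dropped. A gratuitous ARP sent from a port with a valid binding but carrying a foreign sender IP passes the first two filters (no IP header for IPSG, permitted source MAC for port security) and only shows up in the DAI drop counters, which is the point of the answer above.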
12-29-2019 02:45 PM
Hi,
I can't understand it very well.
It works like a protection redundancy.
I've attached a picture with a GNS3 topology; the attack (IP spoofing) from host ATTACKER3 will be mitigated by the DAI configuration on SW1 because its IP does not exist in the IP snooping database, all this without any IPSG configuration.
Do I miss something?
Thanks