10-14-2013 07:00 AM - edited 03-07-2019 04:01 PM
I need to use an alternative solution on the switch to protect untrusted ports and restrict IP traffic without using DHCP snooping. What alternatives do we have?
10-14-2013 07:30 AM
Hi,
Could you please elaborate on your issue?
10-14-2013 07:37 AM
Hi,
You can do DAI and IP Sourceguard without DHCP snooping:
http://packetlife.net/blog/2009/may/25/ip-source-guard-without-dhcp/
Regards
Alain
Don't forget to rate helpful posts.
10-14-2013 08:04 AM
Thanks for your quick answers guys.
Basically the scenario is that there are two routers connected to a switch on access ports, and from that an upstream switch running DHCP.
R1 ---------------------------------- R2
sw1 - Vlan2
------------ sw2 ------------- DHCP running
The question asks, to secure the DHCP environment, to implement a solution on sw1 that restricts IP traffic on untrusted ports g1/0/1 and g1/0/2 to the addresses of R1 and R2 respectively. Do not use DHCP snooping.
I have already read the article you mentioned above and wrote these two solutions, but I don't know whether they are good or not, so I need more explanation, or could someone tell me whether my solution meets the question's requirements or not?
ip source binding 111.111.111 vlan 2 7.7.2.1 interface fa0/1
ip source binding 222.222.222 vlan 2 7.7.2.2 interface fa0/2
int range fa0/1 - 2
switchport mode access
switchport access vlan 2
ip verify source
-----------------------
sol2
arp access-list arpacl
permit ip host 7.7.2.1 mac host 111.111.111
permit ip host 7.7.2.2 mac host 222.222.222
exit
ip arp inspection filter arpacl vlan 2
int rang g1/0/1 - 2
no ip arp inspection trust
!
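An added example, not part of the thread or any poster's configuration: a small Python audit for the static-binding approach discussed above (IP Source Guard and DAI without DHCP snooping). The sample config is constructed, and the checker assumes single VLAN IDs, the full `interface` keyword, and that the ARP ACL and the source bindings are meant to cover the same hosts.

```python
import re

# Constructed sample modelled on the thread (MACs, the third port and host 7.7.2.3 are made up).
SAMPLE = """\
ip source binding 0011.1111.1111 vlan 2 7.7.2.1 interface Gi1/0/1
ip source binding 0022.2222.2222 vlan 2 7.7.2.2 interface Gi1/0/2
interface range Gi1/0/1 - 3
 switchport mode access
 switchport access vlan 2
 ip verify source
arp access-list arpacl
 permit ip host 7.7.2.1 mac host 0011.1111.1111
 permit ip host 7.7.2.3 mac host 0033.3333.3333
ip arp inspection filter arpacl vlan 2
"""

def expand(spec):
    """'Gi1/0/1 - 3' -> ['gi1/0/1', 'gi1/0/2', 'gi1/0/3']; a single name passes through."""
    m = re.fullmatch(r"(\S*?)(\d+)\s*-\s*(\d+)", spec.strip())
    if not m:
        return [spec.strip().lower()]
    return [f"{m.group(1)}{n}".lower() for n in range(int(m.group(2)), int(m.group(3)) + 1)]

def audit(config):
    """Return findings for a config that uses static bindings instead of DHCP snooping."""
    bindings, guarded, acl, dai, filt, current = {}, set(), set(), set(), set(), []
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"ip source binding (\S+) vlan \d+ (\S+) interface (\S+)", s, re.I):
            bindings.setdefault(m.group(3).lower(), set()).add((m.group(2), m.group(1).lower()))
        elif m := re.match(r"interface\s+(?:range\s+)?(.+)", s, re.I):
            current = expand(m.group(1))          # ports the following sub-commands apply to
        elif re.match(r"ip verify source\b", s, re.I):
            guarded.update(current)
        elif m := re.match(r"permit ip host (\S+) mac host (\S+)", s, re.I):
            acl.add((m.group(1), m.group(2).lower()))
        elif m := re.match(r"ip arp inspection vlan (\d+)", s, re.I):
            dai.add(m.group(1))
        elif m := re.match(r"ip arp inspection filter \S+ vlan (\d+)", s, re.I):
            filt.add(m.group(1))
        elif not line.startswith(" "):
            current = []                          # any other global command ends interface mode
    findings = [f"{p}: ip verify source but no static binding, all IP traffic is dropped"
                for p in sorted(guarded - set(bindings))]
    findings += [f"{ip} {mac}: listed in only one of the ARP ACL and the source bindings"
                 for ip, mac in sorted(acl ^ set().union(*bindings.values()))]
    findings += [f"vlan {v}: ARP ACL filter applied but DAI not enabled on the VLAN"
                 for v in sorted(filt - dai)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
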