
Which layer should be used with "ip source guard" & "arp inspection"?

houbochen
Level 1

Hi everyone, I'm studying the static "ip source guard" & "arp inspection". I want to know which layer "ip source guard" & "arp inspection" should be used in: the access layer or the distribution layer?

I found that "ip source guard" is actually an ACL applied to a port; it binds "IP MAC VLANID PORTID..." together, so I think it should be used as close as possible to the PC or server, and the access layer is the best. Can this technique be used in the distribution layer? If it is used in the distribution layer, more binding entries have to be made, so what should I do?

The same question applies to "arp inspection": does every switch in the LAN use this technique? If so, it's a lot of work for the engineer!

Our LAN uses static IP addresses, so DHCP is not used, and I must use the "static" function.


Giuseppe Larosa
Hall of Fame

Hello Hou,

Access layer only if there are no end users on the distribution layer, as it should be in a true hierarchical network.

Other colleagues have reported high CPU usage when enabling DHCP snooping on core switches, so the question is wise.

Hope to help

Giuseppe

Hi, guuslar

Thanks for the answer.

You said that no end user should be in the distribution layer, so that is to say: the "ip source guard" & "ip source guard" should be used in the access layer?

I will do an experiment with DHCP snooping, and I have another question. I want to use the DHCP service in my LAN, but if a user assigns a static IP address manually, what should I do?

Thanks.

Hello Hou,

>> but if a user assigns a static IP address manually, what should I do?

If you don't want to let the user do this, simply don't trust the user port and it will be denied access to the network.

(may be combined with IP source guard and DAI)

When the user calls complaining that the network is not working, you will check whether his/her PC is using DHCP or not.

It depends on your company policy; you can enforce this.

If you want to add a static entry for a server that is not using DHCP, you can do the following:

either you trust the port where the server is connected,

or you add a manual entry like:

for DHCP snooping, to build a static entry in the DHCP snooping table you actually need the following:

ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdhcp82.html#wp1180910

Hope to help

Giuseppe
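
An added example, not part of the thread or of Cisco's documentation: for the static-IP LAN described in the question, the per-host entries can be generated from an inventory instead of being typed by hand on every access switch. It assumes the IOS commands `ip source binding`, `ip verify source`, `arp access-list` and `ip arp inspection filter` as found on Catalyst access switches (none of them appear in the thread, so check them against your platform's configuration guide); the host list and the ACL name STATIC-HOSTS are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inventory (not from the thread): MAC, VLAN, IP, access port.
HOSTS = [
    ("00:11:22:33:44:55", 10, "192.0.2.10", "GigabitEthernet1/0/1"),
    ("00-11-22-33-44-66", 10, "192.0.2.11", "GigabitEthernet1/0/2"),
    ("0011.2233.4477", 20, "192.0.2.130", "GigabitEthernet1/0/3"),
]

def cisco_mac(mac):
    """Normalize a MAC to Cisco dotted form (xxxx.xxxx.xxxx); reject bad input."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_config(hosts, acl_name="STATIC-HOSTS"):
    """Return IOS config lines: static IP source guard bindings plus a DAI ARP ACL."""
    seen = {}  # IP, or "MAC vlan N", mapped to the port it was first bound on
    bindings, acl, ports, vlans = [], [], [], set()
    for mac, vlan, ip, port in hosts:
        mac, ip = cisco_mac(mac), str(ipaddress.IPv4Address(ip))
        # A repeated IP, or a repeated MAC inside one VLAN, would give two
        # conflicting bindings, so stop before emitting anything.
        for key in (ip, f"{mac} vlan {vlan}"):
            if key in seen:
                raise ValueError(f"{key} already bound on {seen[key]}")
            seen[key] = port
        bindings.append(f"ip source binding {mac} vlan {vlan} {ip} interface {port}")
        acl.append(f" permit ip host {ip} mac host {mac}")
        ports += [f"interface {port}", " ip verify source"]
        vlans.add(vlan)
    vlan_list = ",".join(str(v) for v in sorted(vlans))
    return (bindings
            + [f"arp access-list {acl_name}"] + acl
            + [f"ip arp inspection filter {acl_name} vlan {vlan_list}",
               f"ip arp inspection vlan {vlan_list}"]
            + ports)

if __name__ == "__main__":
    print("\n".join(build_config(HOSTS)))
```

Inter-switch uplinks are not covered by the generated ACL and need separate handling (for example `ip arp inspection trust` on the uplink), which this example leaves out.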
