04-12-2010 09:16 AM - edited 03-06-2019 10:34 AM
Hi everyone, I'm studying the static "ip source guard" & "arp inspection". I want to know at which layer "ip source guard" & "arp inspection" should be used: access layer or distribution layer?
I found "ip source guard" is actually an ACL applied to a port; it binds "IP MAC VLANID PORTID..." together, so I think it should be used as close as possible to the PC or server, and the access layer is best. Can this technique be used in the distribution layer? If it is used in the distribution layer, more binding entries must be created, so what should I do?
The same situation applies to "arp inspection": does every switch in the LAN use this technique? If so, it's a lot of work for the engineer!
Our LAN uses static IP addresses, so DHCP is not used; I must use the "static" function.
04-12-2010 09:41 AM
Hello Hou,
Access layer only, if there are no end users on the distribution layer, as it should be in a true hierarchical network.
Other colleagues have reported high CPU usage when enabling DHCP snooping on core switches, so the question is wise.
Hope to help
Giuseppe
04-12-2010 10:29 PM
Hi, guuslar
Thanks for the answer.
You said that no end user should be in the distribution layer, so that is to say: the "ip source guard" & "ip source guard" should be used in the access layer?
I will do an experiment with DHCP snooping, and I have another question. I want to use DHCP service in my LAN, but if a user assigns a static IP address manually, what should I do?
Thanks.
04-13-2010 04:54 AM
Hello Hou,
>> but if a user assigns a static IP address manually, what should I do?
If you don't want to let the user do this, simply don't trust the user port and it will be denied access to the network.
(may be combined with IP source guard and DAI)
When the user calls complaining that the network is not working, you will check whether his/her PC is using DHCP or not.
It depends on your company policy; you can enforce this.
If you want to add a static entry for a server that is not using DHCP, you can do the following:
or you trust the port where the server is connected
or you add a manual entry like
For DHCP snooping, to build a static entry in the DHCP snooping table you actually need the following:
ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
see
Hope to help
Giuseppe
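
An added example, not part of any post in this thread: an access-switch configuration for a LAN with static addressing, combining a manual IP source guard binding with an ARP ACL for dynamic ARP inspection. The VLAN, interface names, MAC and IP address are constructed placeholders, and exact syntax and prerequisites vary by Catalyst platform and IOS release.

```cisco
! Constructed example values: VLAN 10, host 192.0.2.10 / 0011.2233.4455
! on Gi0/5, uplink Gi0/24 toward the distribution switch.

! DHCP snooping is enabled on the VLAN even without a DHCP server,
! because IP source guard on many Catalyst platforms depends on it
! (assumption: confirm in the configuration guide for your platform).
ip dhcp snooping
ip dhcp snooping vlan 10

! Static IP source guard binding: MAC + VLAN + IP + port.
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet0/5

! ARP ACL listing the legitimate IP-to-MAC pairs of static hosts.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0011.2233.4455

! Enable DAI on the VLAN and validate ARP against the ACL.
! "static" drops anything the ACL does not permit instead of falling
! back to the (empty) DHCP snooping binding table.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10 static

interface GigabitEthernet0/5
 description static-IP host, untrusted access port
 switchport mode access
 switchport access vlan 10
 ip verify source
!
interface GigabitEthernet0/24
 description uplink to distribution, no end hosts behind it
 ip dhcp snooping trust
 ip arp inspection trust

! Verification (privileged EXEC):
!   show ip source binding
!   show ip verify source
!   show ip arp inspection vlan 10
```

Every static host needs both a source binding and an ARP ACL entry on the access switch it connects to; the trusted uplink keeps the distribution layer free of per-host entries.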