Hi, although this is a rather old post, I believe the discussion still deserves clarification. After reading sarahr202's question and her example, and trying to figure out why the switch should disable dynamic MAC learning, I noticed the following.

From the question: "Also, IP Source Guard with IP+MAC actually disables dynamic MAC learning on the port for DHCP and ARP packets; otherwise, MAC spoofing could not be prevented."

From the example: "H1 create a packet let say ping packet with src mac: mac2 src ip: 18.104.22.168"

I believe the problem is specifically with the DHCP and ARP protocols. For example, in DHCP requests or gratuitous ARPs (which I could use to starve a DHCP server or to mount a man-in-the-middle attack, respectively), the packets do not have source IPs. Actually, those protocols are not IP-based packets, so the switch cannot tell whether the frame is to be trusted or not with the "IP Source Guard" feature. I believe the only way would be combining it with the "Port-Security" feature, which can check which MAC address is trying to send frames. A different case would be ICMP, where we always have layer 2 and layer 3 sources and destinations, and it is IP-based. Does it make sense? Please share your comments.
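For reference, here is the combination the post above proposes, written out as an added Cisco IOS configuration example. It is not configuration from the original thread or from Cisco's documentation; the interface name, VLAN number, MAC address and IP address are assumed values for illustration. `ip verify source port-security` filters on both the source IP and the source MAC of the DHCP snooping binding and requires port security to be enabled on the port; the plain `ip verify source` form checks only the source IP. The static `ip source binding` entry covers a host that does not use DHCP and therefore never populates the snooping binding table.

```cisco
! Added example, not part of the original post.
! DHCP snooping builds the IP/MAC/VLAN/port binding table that
! IP Source Guard filters against. The uplink to the DHCP server is trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/24
 description Uplink to DHCP server (assumed)
 ip dhcp snooping trust
!
! Access port for host H1 (interface, VLAN and addresses are assumptions).
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Source IP + source MAC filtering; needs port security on the same port.
 ip verify source port-security
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Static binding for a host with a fixed address (values are assumptions);
! without it a non-DHCP host has no entry and all its IP traffic is dropped.
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet0/1
```

To check the result, `show ip verify source` lists the filter mode per interface (`ip-mac` for the port-security form, `ip` for the plain form) and `show ip dhcp snooping binding` shows the entries the filter is built from; a host on Gi0/1 sending IP traffic with a source MAC or IP that is not in its binding is dropped, and with `violation restrict` the port stays up while counting the violation.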