DHCP Snooping/DAI

To configure DHCP Snooping:

Static IP:

ip dhcp snooping

ip dhcp snooping vlan xxx

ip source binding MAC vlan xxx IP interface zzz

interface zzz

ip verify source

MAC + IP:

ip dhcp snooping

ip dhcp snooping vlan xxx

ip source binding MAC vlan xxx IP interface zzz

interface zzz

switchport port-security (etc)

ip verify source port-security

What's the difference? Well… In the first example, the switch does not filter on MAC address. If the wrong source IP comes in on interface zzz (as specified by ip source binding), the switch drops the traffic. In the second example, configuring port security also drops traffic if the MAC address learned via port-security is incorrect. The second example will ALSO filter rogue IPs. The two are not mutually exclusive.
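A simplified model of the two modes above, added here as an illustration (not code from the original notes and not Cisco's implementation): each frame is checked against the static ip source binding entry, once on IP only and once on IP plus MAC. The MAC, IP and interface values are constructed, and every port in the sample is assumed to have ip verify source enabled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:            # one "ip source binding MAC vlan xxx IP interface zzz" entry
    mac: str
    vlan: int
    ip: str
    interface: str

@dataclass(frozen=True)
class Frame:              # fields of an ingress frame that the filter looks at
    interface: str
    vlan: int
    src_mac: str
    src_ip: str

def permitted(frame, bindings, check_mac):
    """True if the frame matches a binding for its ingress port.

    check_mac=False models "ip verify source" (IP filter only).
    check_mac=True  models "ip verify source port-security" (IP and MAC).
    """
    for b in bindings:
        if (b.interface, b.vlan, b.ip) != (frame.interface, frame.vlan, frame.src_ip):
            continue
        if check_mac and b.mac.lower() != frame.src_mac.lower():
            continue
        return True
    return False  # no matching binding: the frame is dropped

# Constructed sample data (documentation addresses, made-up MACs and ports).
BINDINGS = [Binding("0000.1111.aaaa", 10, "192.0.2.10", "Gi0/1")]
FRAMES = {
    "legit":      Frame("Gi0/1", 10, "0000.1111.aaaa", "192.0.2.10"),
    "wrong_ip":   Frame("Gi0/1", 10, "0000.1111.aaaa", "192.0.2.99"),
    "wrong_mac":  Frame("Gi0/1", 10, "0000.2222.bbbb", "192.0.2.10"),
    "wrong_port": Frame("Gi0/2", 10, "0000.1111.aaaa", "192.0.2.10"),
}

def compare(frames=FRAMES, bindings=BINDINGS):
    """Map frame name -> (permitted with IP only, permitted with IP + MAC)."""
    return {name: (permitted(f, bindings, False), permitted(f, bindings, True))
            for name, f in frames.items()}

if __name__ == "__main__":
    for name, (ip_only, ip_mac) in compare().items():
        print(f"{name:10} ip-only={'permit' if ip_only else 'drop':6} "
              f"ip+mac={'permit' if ip_mac else 'drop'}")
```

The wrong_mac row is the only one where the two modes disagree, which is the difference between the two configurations.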

DAI:

ip arp inspection vlan xx

ip arp inspection filter ACL vlan xxx static

arp access-list ACL

permit ip host IP mac host MAC

Cheers :)

I still have pages of notes from the bootcamp to type out!  Been busy!