[c-nsp] IPSG vs DAI, is there a use case for IPSG?

Shanawaz Batcha ismath.shaan at gmail.com
Tue Mar 13 03:24:05 EDT 2012


Hey Guys,

I understand the differences between IP Source Guard and Dynamic ARP
Inspection. One looks at IP packets and one looks at ARP packets. But if we
had DHCP snooping configured and DAI configured, do we really need IPSG?

Let's say on a port configured with DHCP snooping and DAI only, somebody has
plugged in a machine and configured himself with a static IP address and a
static ARP entry for the default gateway. DHCP snooping won't catch him
because he does not send any DHCP packets. But Dynamic ARP Inspection will
catch him because he cannot do any ARP replies. And other machines will
require his ARP reply to communicate with him. So static or spoofed IP
addresses will fail.

Then I am missing the point of why IPSG is needed?

Regards,
Shaan
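
The scenario in the post, as an added example that is not part of the original message: a simplified Python model of an untrusted access port, showing which frame types DAI and IPSG each check against the DHCP snooping binding table. The port names, addresses, and function names are constructed for illustration, and the IPSG check models source-IP filtering only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    kind: str     # "arp" or "ip"
    src_mac: str
    src_ip: str   # sender IP in an ARP packet, source IP in an IP packet

# Constructed DHCP snooping bindings: port -> (MAC, IP) learned from DHCP.
BINDINGS = {"Gi0/1": ("00:11:22:33:44:55", "10.0.0.10")}

def dai_permits(port, frame):
    """DAI validates ARP packets only; other frames are outside its scope."""
    if frame.kind != "arp":
        return True
    return BINDINGS.get(port) == (frame.src_mac, frame.src_ip)

def ipsg_permits(port, frame):
    """IPSG validates IP packets only, matching source IP to the binding."""
    if frame.kind != "ip":
        return True
    binding = BINDINGS.get(port)
    return binding is not None and binding[1] == frame.src_ip

def forwarded(port, frame, dai=True, ipsg=False):
    """A frame is forwarded only if every enabled feature permits it."""
    return ((not dai or dai_permits(port, frame))
            and (not ipsg or ipsg_permits(port, frame)))

def decisions():
    # Host on Gi0/2 with a static address: no DHCP exchange, so no binding.
    static_mac, static_ip = "66:77:88:99:aa:bb", "10.0.0.99"
    arp = Frame("arp", static_mac, static_ip)
    ip = Frame("ip", static_mac, static_ip)
    # Host on Gi0/1 that obtained its address through DHCP.
    dhcp_ip = Frame("ip", *BINDINGS["Gi0/1"])
    return {
        "static host ARP, DAI only": forwarded("Gi0/2", arp),
        "static host IP, DAI only": forwarded("Gi0/2", ip),
        "static host IP, DAI + IPSG": forwarded("Gi0/2", ip, ipsg=True),
        "DHCP host IP, DAI + IPSG": forwarded("Gi0/1", dhcp_ip, ipsg=True),
    }

if __name__ == "__main__":
    for case, ok in decisions().items():
        print(f"{case:28} -> {'forwarded' if ok else 'dropped'}")
```

In this model the static host's ARP packets are dropped by DAI, while its IP packets are only dropped once IPSG is enabled on the port.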

