[c-nsp] Equipment for a large-ish LAN event

Lukas Tribus luky-37 at hotmail.com
Wed Dec 9 17:48:59 EST 2015


>> arp-inspection
>
> DAI is a self-defeating misfeature which can result in a self-DoS of the
> switch. Don't enable it!

Interesting, can you elaborate?


I had my fair share of issues with DAI, but so did I with DHCP snooping,
PPPoE IA and every other security feature that uses a software process
(and therefore needs to be punted).

Lack of proper layer 2 behavior (respect: STP, allowed vlans, private vlans,
uni/uni relations, split-horizon) in the software forwarding process and
insufficient control-plane protection (punting to the CPU is rate-limited,
but when traffic is QinQ'ed, rate-limiter is bypassed and CPU can be
overwhelmed) are issues that keep popping up (not once, but once per
feature - so if you insist on the fix in PPPoE IA code, DAI and DHCP
snooping are still lacking the same fix).


Is that what you mean?




Regards,

Lukas
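A Cisco IOS configuration fragment, added here as an illustration and not part of Lukas's message, showing the per-port DAI and DHCP snooping rate limits and errdisable recovery that bound the load punted to the software processes discussed above. VLAN 10 and the interface names are assumed placeholders; the QinQ rate-limiter bypass described in the mail is not addressed by this configuration.

```cisco
! DHCP snooping builds the binding table that DAI validates ARP packets against
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection on the access VLAN (assumed VLAN 10)
ip arp inspection vlan 10
!
! Bring ports back automatically after a rate limit errdisables them,
! so a burst does not leave a port dead until an operator intervenes
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description access port (untrusted, assumed name)
 switchport mode access
 switchport access vlan 10
 ! cap the ARP packets this port may punt to the DAI process (pps)
 ip arp inspection limit rate 15 burst interval 1
 ! cap DHCP packets punted to the snooping process (pps)
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/24
 description uplink towards DHCP server / core (trusted, assumed name)
 switchport mode trunk
 ! trusted ports are not inspected and are not rate limited by DAI
 ip arp inspection trust
 ip dhcp snooping trust
```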
