It sounds like you pretty well have it. Keep in mind they feed off the DHCP Snooping info only if you are using them dynamically with that database. It is conceivable that you could statically seed them with the information they need - that would be a very small, very secure environment I presume!
Yes - they are all about antispoofing. One focusing on Layer 2 addressing and the other focusing on Layer 3. As you know these features - along with DHCP Snooping - are specifically enumerated on the Expansion Blueprint from Cisco and should be studied in depth. I am sure the IPexpert R&S stuff does - as well as the CCNP Security stuff. Specifically, the features are covered in depth in the SECURE course content.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Josh Chamberlain
Sent: Thursday, December 01, 2011 9:06 PM
To: [email protected]
Subject: [OSL | CCIE_RS] Arp Inspection and Source Guard

Trying to get my head around these two features. The way I understand it:

- DAI: applied per VLAN and used to prevent an evil host from poisoning your ARP cache and thus intercepting traffic on its way to the legit destination
- SG: applied per port and used to prevent an evil host from spoofing an IP address and intercepting your traffic

Both build off of the DHCP snooping database and provide a means of entering static information.

Configuration doesn't seem that difficult either, but what I can't quite grasp is when it would be best to use one over the other. While they're two different features that go about their goals in different ways, it seems to me they both achieve the same objective of preventing said evil host from getting your data. Or am I missing something?

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs
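
The Layer 2 versus Layer 3 split discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of the two checks run against one binding table, showing which feature stops which kind of frame. The addresses, port names, frames and function names are constructed for illustration, and the model assumes IPSG in IP-only filter mode and DAI matching on VLAN, MAC and IP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

# Constructed binding table, as DHCP snooping or static entries would supply it.
BINDINGS = (
    Binding("aa:aa:aa:aa:aa:01", "10.0.10.11", 10, "Gi0/1"),
    Binding("aa:aa:aa:aa:aa:02", "10.0.10.12", 10, "Gi0/2"),
)

def dai_permits(frame, bindings=BINDINGS):
    """DAI (per VLAN): the sender MAC/IP pair in the ARP payload must match a binding."""
    return any(b.vlan == frame["vlan"] and b.mac == frame["sender_mac"]
               and b.ip == frame["sender_ip"] for b in bindings)

def ipsg_permits(frame, bindings=BINDINGS):
    """IPSG (per port, IP-only mode): the IP source must be bound to the ingress port."""
    return any(b.port == frame["port"] and b.vlan == frame["vlan"]
               and b.ip == frame["src_ip"] for b in bindings)

def evaluate(frame, dai_on, ipsg_on):
    """Return 'forward' or the feature that drops a frame from an untrusted port."""
    if frame["type"] == "arp" and dai_on and not dai_permits(frame):
        return "dropped by DAI"
    if frame["type"] == "ip" and ipsg_on and not ipsg_permits(frame):
        return "dropped by IPSG"
    return "forward"

# Constructed frames, all arriving on Gi0/2 (the host bound to 10.0.10.12).
FORGED_ARP = {"type": "arp", "port": "Gi0/2", "vlan": 10,
              "sender_mac": "aa:aa:aa:aa:aa:02", "sender_ip": "10.0.10.11"}
SPOOFED_IP = {"type": "ip", "port": "Gi0/2", "vlan": 10, "src_ip": "10.0.10.11"}
VALID_ARP = {"type": "arp", "port": "Gi0/2", "vlan": 10,
             "sender_mac": "aa:aa:aa:aa:aa:02", "sender_ip": "10.0.10.12"}
VALID_IP = {"type": "ip", "port": "Gi0/2", "vlan": 10, "src_ip": "10.0.10.12"}

if __name__ == "__main__":
    for name, f in [("forged ARP", FORGED_ARP), ("spoofed IP", SPOOFED_IP),
                    ("valid ARP", VALID_ARP), ("valid IP", VALID_IP)]:
        print(name, "| DAI only:", evaluate(f, True, False),
              "| IPSG only:", evaluate(f, False, True))
```

With only one feature enabled, the other kind of spoofed frame is still forwarded, which is why the two are normally deployed together on access ports.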
