I guess what I'm most unsure of is what DAI does for you that source guard with "port-security" doesn't?
On Fri, Dec 2, 2011 at 5:57 PM, Anthony Sequeira <[email protected]> wrote:

> It sounds like you pretty well have it. Keep in mind they feed off the DHCP Snooping info only if you are using them dynamically with that database. It is conceivable that you could statically seed them with the information they need - that would be a very small, very secure environment I presume!
>
> Yes - they are all about antispoofing. One focusing on Layer 2 addressing and the other focusing on Layer 3.
>
> As you know these features - along with DHCP Snooping - are specifically enumerated on the Expansion Blueprint from Cisco and should be studied in depth. I am sure the IPexpert R&S stuff does - as well as the CCNP Security stuff. Specifically, the features are covered in depth in the SECURE course content.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Josh Chamberlain
> Sent: Thursday, December 01, 2011 9:06 PM
> To: [email protected]
> Subject: [OSL | CCIE_RS] Arp Inspection and Source Guard
>
> Trying to get my head around these two features. The way I understand it:
>
> - DAI: applied per VLAN and used to prevent an evil host from poisoning your ARP cache and thus intercepting traffic on its way to the legit destination
> - SG: applied per port and used to prevent an evil host from spoofing an IP address and intercepting your traffic
>
> Both build off of the DHCP snooping database and provide a means of entering static information
>
> Configuration doesn't seem that difficult either, but what I can't quite grasp is when it would be best to use one over the other. While they're two different features that go about their goals in different ways, it seems to me they both achieve the same objective of preventing said evil host from getting your data.
>
> Or am I missing something?
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
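
An added example, not part of the thread and not Cisco's code: a simplified Python model of the two checks run against one constructed binding table, showing which part of a frame each feature evaluates. The frame fields, addresses and function names are assumptions made for illustration; the real features run on the switch and have more options than this model.

```python
from dataclasses import dataclass

# Constructed DHCP snooping bindings: (vlan, port) -> (ip, mac)
BINDINGS = {
    (10, "Fa0/1"): ("10.0.10.11", "aa:aa:aa:aa:aa:11"),
    (10, "Fa0/2"): ("10.0.10.12", "aa:aa:aa:aa:aa:12"),
}

@dataclass
class Frame:                      # hypothetical, simplified frame model
    vlan: int
    port: str
    eth_src: str                  # source MAC in the Ethernet header
    ethertype: str                # "ip" or "arp"
    ip_src: str = ""              # IP header source (IP frames only)
    arp_sender_ip: str = ""       # ARP payload (ARP frames only)
    arp_sender_mac: str = ""

def source_guard(f, port_security=True):
    """Per-port filter: source IP of IP traffic, plus source MAC if enabled."""
    ip, mac = BINDINGS.get((f.vlan, f.port), (None, None))
    if port_security and f.eth_src != mac:
        return False
    if f.ethertype == "ip":
        return f.ip_src == ip
    return True                   # the ARP payload is never examined here

def arp_inspection(f):
    """Per-VLAN check: ARP sender IP/MAC must match the port's binding."""
    if f.ethertype != "arp":
        return True
    return BINDINGS.get((f.vlan, f.port)) == (f.arp_sender_ip, f.arp_sender_mac)

def verdicts(f):
    return {"source_guard": source_guard(f), "arp_inspection": arp_inspection(f)}

HOST2 = dict(vlan=10, port="Fa0/2", eth_src="aa:aa:aa:aa:aa:12")
SAMPLES = {  # constructed frames, all arriving on Fa0/2
    "legit_ip": Frame(**HOST2, ethertype="ip", ip_src="10.0.10.12"),
    "spoofed_ip": Frame(**HOST2, ethertype="ip", ip_src="10.0.10.11"),
    "legit_arp": Frame(**HOST2, ethertype="arp", arp_sender_ip="10.0.10.12",
                       arp_sender_mac="aa:aa:aa:aa:aa:12"),
    # Ethernet header is honest; only the ARP payload claims another host's IP
    "forged_arp": Frame(**HOST2, ethertype="arp", arp_sender_ip="10.0.10.11",
                        arp_sender_mac="aa:aa:aa:aa:aa:12"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:11s} {verdicts(frame)}")
```

In this model the frame with a mismatched ARP payload passes the source guard check even with the MAC check enabled, because its Ethernet source MAC matches the binding and it is not IP traffic; only the ARP inspection check rejects it.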
