Alan DeKok wrote:
> Richard Pruss wrote:
> > It is common practice to control network access via DHCP; source
> > address verification in first-hop switches and ARP table protections are
> > based on snooping DHCP.
>
> To "try" to control network access. As was pointed out in the
> referenced article:
>
> ... a theme for the DHCP community pretty much since day one, is that
> you *can't* control access to the network using the DHCP protocol.
>
> As for what is common practice, it is common practice to try to design
> good solutions when existing common practices demonstrate their
> shortcomings.
No Alan, we are not "try"ing to control network access; we do control
network access based on DHCP on all Cisco switches.
IP source guard - for upstream traffic
Initially, all IP traffic on the port is blocked except for DHCP packets
that are captured by the DHCP snooping process. When a client receives a
valid IP address from the DHCP server, or when a static IP source
binding is configured by the user, a per-port and VLAN Access Control
List (PVACL) is installed on the port. This process restricts the client
IP traffic to those source IP addresses configured in the binding; any
IP traffic with a source IP address other than that in the IP source
binding will be filtered out. This filtering limits a host's ability to
attack the network by claiming a neighbor host's IP address.
You can read more about source guard on the Cisco web site, or if you
want to catch up a little on what the security measures commonly
deployed on layer 2 networks are, you can have a look at the SAFE blueprint:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml
Regards,
Ric
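As an added illustration (not part of the thread, and not Cisco's implementation), here is a small Python model of the behaviour Ric describes: DHCP snooping learns (port, VLAN, IP) bindings from leases seen on the switch, server replies arriving on untrusted ports are dropped, and the per-port filter then forwards only traffic whose source IP is in the binding for that port. Port names, VLAN numbers, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of DHCP snooping feeding an IP Source Guard filter.
# Added example; the port/VLAN/MAC/IP values are made up.

DHCP_CLIENT_TO_SERVER = (68, 67)  # UDP src/dst ports of a DHCP client message


@dataclass
class SourceGuard:
    trusted_ports: set = field(default_factory=set)  # uplinks toward the DHCP server
    pending: dict = field(default_factory=dict)      # client MAC -> (port, vlan) awaiting an ACK
    bindings: dict = field(default_factory=dict)     # (port, vlan) -> {permitted source IPs}

    def add_static_binding(self, port, vlan, ip):
        """Operator-configured binding for a host with a fixed address."""
        self.bindings.setdefault((port, vlan), set()).add(ip)

    def snoop(self, port, vlan, msg, mac, yiaddr=None):
        """DHCP snooping: learn a (port, vlan, ip) binding from a successful lease.
        Returns True if the DHCP message itself is allowed through the switch."""
        if msg in ("DISCOVER", "REQUEST"):
            # Remember which access port the client asked from.
            self.pending[mac] = (port, vlan)
            return True
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                return False  # server reply on an access port: rogue server, drop it
            if msg == "ACK" and mac in self.pending and yiaddr:
                cport, cvlan = self.pending.pop(mac)
                self.bindings.setdefault((cport, cvlan), set()).add(yiaddr)
            return True
        return True

    def permit(self, port, vlan, src_ip, udp_ports=None):
        """Upstream IP filter (the per-port/VLAN ACL) for a packet arriving on
        `port`. Returns True if the packet is forwarded."""
        if port in self.trusted_ports:
            return True
        if udp_ports == DHCP_CLIENT_TO_SERVER:
            return True  # the client must be able to ask for a lease first
        return src_ip in self.bindings.get((port, vlan), set())
```

A host that obtained 10.0.0.5 on one port cannot send as 10.0.0.6, and the binding does not carry over to a different port.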
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area