On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> > Particularly good L2 switches also have
> > DAI or "IP Source guard" IPv4 functions, which when properly
> > enabled, can foil certain L2 ARP and IPv4 source address spoofing
> > attacks, respectively.
> >
> > e.g. Source IP address of packet does not match one of the DHCP leases
> > issued to that port -- then drop the packet.
> >
> Meh... I can see many cases where that might be more of a bug than feature.
> Especially in environments where loops may be possible and the DHCP lease might
> have come over a different path than the port in question during some network
> event.
You're only supposed to use those features on the port directly connected to the end-system, or to a few end-systems via an unmanaged office switch that doesn't have redundant uplinks. I.e. edge ports.
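To make the edge-port point concrete, here is a small model of a DHCP-snooping binding table with IP Source Guard and Dynamic ARP Inspection enforced only on edge ports. This is an added example, not code from the thread or from any switch vendor; the port names, VLAN, MAC addresses and IP addresses are constructed for illustration, and the model is deliberately simpler than real implementations (in particular, the ISG check here also requires the binding to have been learned on the ingress port, which is what produces the "lease came over a different path" drop Owen describes).

```python
"""Simplified model of DHCP snooping + IP Source Guard (ISG) + Dynamic ARP
Inspection (DAI) on an L2 access switch.  Added example for this thread, not
vendor code; port names, VLAN, MACs and IPs below are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class PortRole(Enum):
    EDGE = "edge"    # port facing an end-system (or a dumb office switch): enforce here
    TRUNK = "trunk"  # uplink / inter-switch link: trusted, never enforced


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping entry: (vlan, mac) -> leased IP and the port it was learned on."""
    vlan: int
    mac: str
    ip: str
    port: str


@dataclass
class Switch:
    roles: dict[str, PortRole]
    bindings: dict[tuple[int, str], Binding] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def learn_lease(self, port: str, vlan: int, mac: str, ip: str) -> None:
        """DHCP snooping: bind the lease to the untrusted port where the client's
        DHCP exchange was observed.  A lease whose exchange took another path
        (the case Owen raises) never produces a binding on this switch."""
        if self.roles[port] is PortRole.TRUNK:
            return  # snooping does not create bindings from trusted ports
        self.bindings[(vlan, mac)] = Binding(vlan, mac, ip, port)

    def ip_source_guard(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IPv4 ingress check.  True = forward, False = drop."""
        if self.roles[port] is PortRole.TRUNK:
            return True  # no enforcement on uplinks: the hosts behind them belong to other switches
        b = self.bindings.get((vlan, src_mac))
        if b is None or b.ip != src_ip or b.port != port:
            self.log.append(f"ISG drop {port} vlan{vlan} {src_mac} {src_ip}")
            return False
        return True

    def dynamic_arp_inspection(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """ARP ingress check: the sender MAC/IP pair must match a snooping binding."""
        if self.roles[port] is PortRole.TRUNK:
            return True
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip:
            self.log.append(f"DAI drop {port} vlan{vlan} {sender_mac} {sender_ip}")
            return False
        return True


def demo() -> dict[str, bool]:
    """Constructed scenario: two edge ports, one uplink, a single DHCP lease on Gi1/0/1."""
    sw = Switch(roles={"Gi1/0/1": PortRole.EDGE,
                       "Gi1/0/2": PortRole.EDGE,
                       "Gi1/0/24": PortRole.TRUNK})
    host_a = "00:11:22:33:44:55"
    intruder = "00:aa:bb:cc:dd:ee"
    sw.learn_lease("Gi1/0/1", 10, host_a, "10.0.10.50")
    return {
        # host sends from its leased address on the port where the lease was seen
        "lease_matches": sw.ip_source_guard("Gi1/0/1", 10, host_a, "10.0.10.50"),
        # same host spoofs the gateway address
        "spoofed_source": sw.ip_source_guard("Gi1/0/1", 10, host_a, "10.0.10.1"),
        # statically addressed host with no lease at all (needs a static binding)
        "static_host_no_lease": sw.ip_source_guard("Gi1/0/2", 10, intruder, "10.0.10.60"),
        # Owen's case: a genuine lease, but the host now shows up on another port
        "lease_seen_on_other_port": sw.ip_source_guard("Gi1/0/2", 10, host_a, "10.0.10.50"),
        # the same frame arriving over the uplink is not an edge port: untouched
        "uplink_untouched": sw.ip_source_guard("Gi1/0/24", 10, host_a, "10.0.10.50"),
        # ARP reply claiming host A's IP from the intruder's MAC
        "arp_spoof": sw.dynamic_arp_inspection("Gi1/0/2", 10, intruder, "10.0.10.50"),
        "arp_legit": sw.dynamic_arp_inspection("Gi1/0/1", 10, host_a, "10.0.10.50"),
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name:26s} {'forward' if forwarded else 'DROP'}")
```

The `lease_seen_on_other_port` case is the one that turns the feature into a bug when it is enabled on a port that can carry hosts whose DHCP exchange went elsewhere; restricting enforcement to edge ports, as the reply says, keeps that outcome confined to a single host moving between access ports, where a new DHCP exchange repairs the binding.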