Note: When I previously studied these security features, I had two misconceptions. First, that Dynamic ARP Inspection requires DHCP Snooping to be enabled. It is only required for IP Source Guard; DAI works without it, but then only for static (explicitly specified) addresses. Second, that creating static entries (assigning IP and MAC addresses) always requires a different method for each feature (DHCP Snooping, IP Source Guard, and DAI). This is also not the case; we can create static entries in DHCP Snooping and they will be used by IP Source Guard and Dynamic ARP Inspection.
Traffic Storm Control
A brief mention of the method that aims to prevent network congestion caused by excessive broadcast, multicast, or unknown unicast traffic (a traffic storm), which degrades network performance. We set a threshold on the port; if it is exceeded, traffic of that type is discarded or the port is shut down.
Link to one of the official documents Catalyst 2960 - Configuring Port-Based Traffic Control - Storm Control.
We set it either on an interface or on a Port-channel (in that case it applies to the port-channel, not to the individual member ports). The threshold is a percentage of the total interface bandwidth (on some switches it can be set differently).
SWITCH(config-if)#storm-control broadcast level 10
SWITCH(config-if)#storm-control multicast level 10
SWITCH(config-if)#storm-control unicast level 10
Displaying Storm Control settings.
SWITCH#show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi1/0/1    Forwarding     10.00%       10.00%       0.00%
A newer IOS version shows more detailed output.
SWITCH#show storm-control
Key: U - Unicast, B - Broadcast, M - Multicast
Interface  Filter State   Upper        Lower        Current    Action     Type
---------  -------------  -----------  -----------  ---------  ---------  ----
Gi1/0/1    Forwarding     10.00%       10.00%       0.00%      None       U
Gi1/0/1    Forwarding     10.00%       10.00%       0.00%      None       B
Gi1/0/1    Forwarding     10.00%       10.00%       0.00%      None       M
Logging
I did not simulate this situation, but I found the logged message in the documentation.
%STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/1. A packet filter action has been applied on the interface.
Port Security
Port Security is an extended method for securing ports and protecting against MAC address spoofing and MAC address flooding. It checks the source MAC address of incoming frames and, if it differs from the allowed one, can discard the frame or shut down the port. If an attacker tries to replace the connected device with their own (without changing the MAC address), communication is prevented. This protection can be bypassed, but it is easy to use and provides some defense.
I described it more in Cisco IOS 3 - interface/port settings - access, trunk, port security. Link to one of the official documents Catalyst 2960 - Configuring Port-Based Traffic Control - Port Security.
Configuration is done per port (a range can be used). We set how many MAC addresses may communicate (the default is 1; the maximum depends on how many addresses the platform supports). The addresses can be learned dynamically, but it is better to set them manually or let the port learn them on first connection (sticky).
SWITCH(config-if)#switchport port-security mac-address sticky
We can specify the reaction to an unauthorized address, either shutting down the port (shutdown, default behavior), discarding unwanted traffic (protect), or discarding and sending an SNMP trap and syslog message (restrict).
SWITCH(config-if)#switchport port-security violation shutdown
Enabling Port Security is done on the port.
SWITCH(config-if)#switchport port-security
If the port goes into the error-disabled state (the shutdown reaction), we bring it back up with the shutdown and no shutdown commands. Alternatively, we can use automatic re-enabling after a set time with the command errdisable recovery cause psecure-violation.
We can easily list the ports where Port Security is enabled, how many addresses are allowed, and what the reaction to a violation is.
SWITCH#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi1/0/1 1 0 0 Shutdown
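To make the behaviour described above concrete, here is an added model of one Port Security port in Python: secure-address learning up to the maximum, sticky addresses, the three violation reactions, and err-disable recovery. This is example code written for this page, not the article's or Cisco's; the log text it records mirrors the PSECURE_VIOLATION and ERR_DISABLE messages quoted in the Logging section, and the assumption that protect mode neither counts nor logs the violation follows the article's statement that nothing is logged in that mode.

```python
"""Model of a Port Security port: learning, sticky, violation modes, recovery.
Added example, not the article's or Cisco's code."""


class PortSecurity:
    def __init__(self, maximum=1, sticky=False, violation="shutdown", static=()):
        assert violation in ("shutdown", "protect", "restrict")
        self.maximum = maximum            # switchport port-security maximum N (default 1)
        self.sticky = sticky              # switchport port-security mac-address sticky
        self.violation = violation        # switchport port-security violation ...
        self.static = set(static)         # statically configured secure addresses
        self.secure = set(static)         # all secure addresses (static + learned)
        self.state = "up"                 # or "err-disabled"
        self.violation_count = 0          # the SecurityViolation (Count) column
        self.log = []

    def frame(self, src_mac, port="GigabitEthernet1/0/1"):
        """Return 'forward' or 'drop' for one incoming frame with this source MAC."""
        if self.state == "err-disabled":
            return "drop"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # Learn a new secure address; with sticky it also lands in the running config.
            self.secure.add(src_mac)
            return "forward"
        # An address beyond the maximum: a violation.
        if self.violation == "protect":
            return "drop"                 # silently dropped, nothing counted or logged (assumption)
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {port}.")
        if self.violation == "shutdown":
            self.state = "err-disabled"
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {port}, "
                            f"putting {port} in err-disable state")
        return "drop"

    def recover(self):
        """'shutdown' / 'no shutdown' or errdisable recovery: the port comes back up."""
        self.state = "up"

    def running_config(self):
        """Lines the running config would hold for this port; sticky addresses appear there."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            for mac in sorted(self.secure - self.static):
                lines.append(f"switchport port-security mac-address sticky {mac}")
        for mac in sorted(self.static):
            lines.append(f"switchport port-security mac-address {mac}")
        return lines


if __name__ == "__main__":
    port = PortSecurity(sticky=True)
    print(port.frame("1234.abcd.1234"), port.frame("801a.0275.442a"), port.state)
    print("\n".join(port.log))
```

The point worth noticing is the difference between the modes: with shutdown a single foreign address takes the whole port down until someone (or errdisable recovery) brings it back, while with restrict the legitimate sticky address keeps working and only the counter and the syslog message tell you something happened.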
Logging
When we set up some security measures, the goal is to prevent unwanted communication. However, we will also likely be interested in knowing that such a situation has occurred. Therefore, it is good to send logs to a Syslog server (this is one of the options) and process certain messages. We need to know what is logged in which situation and possibly enable logging.
For Port Security, if we have violation set to protect, nothing is logged. If we have restrict or shutdown, the detection of an unauthorized MAC address is logged.
Oct 23 11:33:23: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 801a.0275.442a on port GigabitEthernet1/0/1.
If we have the shutdown reaction set, the port is shut down, and two records are created.
Oct 23 11:33:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Oct 23 11:33:23: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
If we then display the port status, we see that it is in Error disabled state.
SWITCH#show interfaces Gi1/0/1 status
Port       Name      Status        Vlan   Duplex  Speed  Type
Gi1/0/1    1.10A     err-disabled  100    auto    auto   10/100/1000BaseT
DHCP Snooping
To prevent someone from running an unwanted DHCP server on our network, we can use the protective function DHCP Snooping. Once enabled for certain VLANs, it treats all ports as untrusted, and we mark some as trusted (where the DHCP server is connected, or the trunk port to other switches through which assigned addresses can arrive). Server messages (generally DHCPOFFER, DHCPACK, DHCPNAK, and DHCPLEASEQUERY, plus some other situations) may only arrive on trusted ports; otherwise, the switch discards them.
I described it more in Cisco IOS 13 - DHCP services on the switch. Link to one of the official documents Catalyst 2960 - Configuring DHCP Features and IP Source Guard.
Note: For some situations, it is necessary to use DHCP option-82. This is not addressed here.
We globally enable DHCP Snooping and specify for which VLANs it should apply.
SWITCH(config)#ip dhcp snooping
SWITCH(config)#ip dhcp snooping vlan 1-4094
We set some ports as trusted.
SWITCH(config-if)#ip dhcp snooping trust
We can display configuration information.
SWITCH#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-4094
DHCP snooping is operational on following VLANs:
1,100
DHCP snooping is configured on the following L3 Interfaces:
Or DHCP Snooping statistics.
SWITCH#show ip dhcp snooping statistics
Logging
If we enable DHCP Snooping, it drops untrusted messages. It also logs information about it, which may look like this (logs are from two different situations).
Jan 22 07:42:03: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: e006.e7ca.99fb, MAC sa: 3c97.0571.0af8
Jan 22 07:55:01: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 001c.a43b.041
DHCP Snooping Binding Database
In addition to this protection, DHCP Snooping, because it processes all DHCP messages, can build the DHCP Snooping Binding Database. It contains the assigned MAC address, IP address, VLAN, and interface, together with the lease time, and holds at most 8192 entries. Other security features then use this database, and if DHCP is in use, deploying them is very simple. In this article we look at these features mainly with static addresses, where the configuration is more involved.
Entries (bindings) are stored in memory, so they are lost when the switch is restarted. We can use an agent that ensures they are saved to a file, and the entries are loaded upon restart. Enabling the DHCP Snooping Binding Database Agent is done by specifying where the database should be created/used. It can be locally on the switch (flash) or somewhere on the network.
SWITCH(config)#ip dhcp snooping database flash:/dhcpbind.txt
SWITCH(config)#ip dhcp snooping database scp://10.0.0.50/dhcpbind.txt
Entries are created dynamically by analyzing DHCP messages, but we can also create them manually (and if we use static addresses, this is necessary). Among the data, we specify the expiration time, where the maximum value 4294967295 means infinite.
SWITCH#ip dhcp snooping binding 1234.abcd.1234 vlan 100 192.168.100.10 interface Gi1/0/1 expiry 4294967295
Note: I encountered a problem that only one entry can exist for one MAC address. If we want to add a second entry with a different IP address (the server has multiple IP addresses on one interface) or the same MAC and IP combination on another port (a virtual machine that can move in a cluster), it overwrites the original entry for the given MAC address.
We can list the entries in the database (both dynamic and statically assigned).
SWITCH#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
12:34:ab:cd:12:34   192.168.100.10   infinite    dhcp-snooping  100   GigabitEthernet1/0/1
Total number of binding: 1
Or data and statistics.
SWITCH#show ip dhcp snooping database
Agent URL : flash:/dhcpbind.txt
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running
Last Succeeded Time : 09:30:11 CEST Fri Sep 30 2016
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts : 8
Startup Failures : 0
Successful Transfers : 8
Failed Transfers : 0
Successful Reads : 1
Failed Reads : 0
Successful Writes : 7
Failed Writes : 0
Media Failures : 0
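The DHCP Snooping filter and the binding database it builds, as an added Python model (example code for this page, not the article's or Cisco's). It drops server messages on untrusted ports, drops client messages whose chaddr does not match the source MAC (the two drop reasons in the log lines quoted above), records a binding when a DHCPACK comes in on a trusted port for a client whose request was seen earlier, and keys the database by MAC address, which is an assumption chosen to reproduce the "one entry per MAC" overwrite the article reports.

```python
"""Model of DHCP Snooping filtering and the binding database.
Added example, not the article's or Cisco's code; the dict keyed by MAC is an
assumption that reproduces the overwrite behaviour noted in the article."""
from dataclasses import dataclass

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}  # only from trusted ports
MAX_BINDINGS = 8192          # database size stated in the article
INFINITE = 4294967295        # expiry value the article uses for static entries


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int                 # seconds, INFINITE for static entries
    type: str = "dhcp-snooping"


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.bindings = {}     # mac -> Binding; a second entry for the same MAC replaces the first
        self.pending = {}      # chaddr -> (port, vlan) of the client's last request
        self.log = []

    def add_static(self, mac, vlan, ip, interface, expiry=INFINITE):
        """Counterpart of 'ip dhcp snooping binding <mac> vlan <v> <ip> interface <if> expiry <s>'."""
        self._store(Binding(mac, ip, vlan, interface, expiry))

    def _store(self, b):
        if b.mac not in self.bindings and len(self.bindings) >= MAX_BINDINGS:
            raise OverflowError("DHCP snooping binding database is full")
        self.bindings[b.mac] = b

    def process(self, msg):
        """Decide 'forward' or 'drop' for one DHCP message and update the database.

        msg keys: port, vlan, type, chaddr, src_mac; a DHCPACK also carries yiaddr and lease.
        """
        if msg["vlan"] not in self.vlans:
            return "forward"   # snooping not enabled for this VLAN: not inspected
        if msg["port"] in self.trusted:
            if msg["type"] == "DHCPACK" and msg["chaddr"] in self.pending:
                port, vlan = self.pending.pop(msg["chaddr"])
                self._store(Binding(msg["chaddr"], msg["yiaddr"], vlan, port, msg["lease"]))
            return "forward"
        # Untrusted port: server messages are never accepted here.
        if msg["type"] in SERVER_MESSAGES:
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message "
                            f"on untrusted port, message type: {msg['type']}, MAC sa: {msg['src_mac']}")
            return "drop"
        # Client messages must carry the sender's own MAC as chaddr.
        if msg["chaddr"] != msg["src_mac"]:
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message "
                            f"because the chaddr doesn't match source mac, message type: {msg['type']}, "
                            f"chaddr: {msg['chaddr']}, MAC sa: {msg['src_mac']}")
            return "drop"
        self.pending[msg["chaddr"]] = (msg["port"], msg["vlan"])
        return "forward"

    def show_binding(self):
        """Rows as 'show ip dhcp snooping binding' lists them."""
        return [(b.mac, b.ip, "infinite" if b.lease == INFINITE else b.lease, b.type, b.vlan, b.interface)
                for b in self.bindings.values()]


if __name__ == "__main__":
    # Constructed sample: one client on Gi1/0/2, the DHCP server behind trusted uplink Gi1/0/45.
    sw = DhcpSnooping(vlans=[100], trusted_ports={"Gi1/0/45"})
    sw.process(dict(port="Gi1/0/2", vlan=100, type="DHCPDISCOVER",
                    chaddr="e006.e7ca.99fb", src_mac="e006.e7ca.99fb"))
    sw.process(dict(port="Gi1/0/45", vlan=100, type="DHCPACK", chaddr="e006.e7ca.99fb",
                    src_mac="0200.0000.0001", yiaddr="192.168.100.50", lease=3600))
    print(sw.show_binding())
```

The overwrite is easy to demonstrate: add two static entries with the same MAC and different IPs and only the second survives, which is exactly the limitation the note below describes for multi-homed servers and migrating virtual machines.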
IP Source Guard
One of the security features that uses the DHCP Snooping Binding Database is IP Source Guard. This feature really does require DHCP Snooping to be enabled for the VLAN on the given interface; otherwise it does not apply, even if we have statically defined entries (the output shows inactive-no-snooping-vlan). On the L2 port where we enable it (Port-channel is not supported), an ACL is applied automatically which filters traffic and allows only packets whose source IP address (and optionally MAC address) is in the Binding DB for this port. This prevents an attacker from using a different IP address.
Link to one of the official documents Catalyst 2960 - Configuring DHCP Features and IP Source Guard.
Configuration is done per port (similar to Port Security). If we use DHCP, this function is easy to use. We just enable it and it sets the check for source IP addresses.
SWITCH(config-if)#ip verify source
We can also have it check source MAC addresses at the same time. The difference from Port Security is not entirely clear to me, because Port Security must be enabled on the given port, otherwise all MAC addresses are allowed (the output shows permit-all). But the MAC address value is not taken from Port Security; it comes from the entry in the database.
SWITCH(config-if)#ip verify source port-security
If we use static addresses, we must enter the entries manually. IP Source Guard takes values from the DHCP Snooping Binding Database, whether dynamic or manually entered (so we can insert static entries into this DB). There is also a special command that adds a static entry to the IP Source Bindings.
SWITCH(config)#ip source binding 1234.abcd.1235 vlan 100 192.168.100.20 interface Gi1/0/2
From the documentation (where it is stated that a static entry is entered with the command above), it was never very clear to me, and only practical tests helped me understand the difference between ip dhcp snooping binding and ip source binding. IP Source Guard uses entries from IP Source Bindings, which are based on the DHCP Snooping Binding Database (where dynamic and static entries are always identified as dhcp-snooping). And we can add additional static entries with the command above, which are not inserted into the DHCP Snooping Binding Database (and are identified as static).
An interesting difference is that DHCP Snooping Binding is entered in EXEC mode and the values are saved to memory/file, while IP Source Binding is entered in Config mode and saved to the running config. There is also a link between these methods, as the same entry cannot be created in both ways at the same time (probably because the values from DHCP Snooping Binding are transferred to IP Source Binding).
Just as we can list the contents of the DHCP Snooping Binding DB with the command show ip dhcp snooping binding, we have a command to list the IP Source Binding.
SWITCH#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
12:34:ab:cd:12:34   192.168.100.10   infinite    dhcp-snooping  100   GigabitEthernet1/0/1
12:34:ab:cd:12:35   192.168.100.20   infinite    static         100   GigabitEthernet1/0/2
Total number of bindings: 2
Another option is to display the list of ports where IP Source Guard is set and the main data. Let's show a few examples. First, we have IPSG set on one port, but DHCP Snooping is not enabled for the given VLAN.
SWITCH#show ip verify source
Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -------------------------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
We set up DHCP Snooping, but there is no entry in the Bindings and Port Security is not enabled (the client cannot communicate).
SWITCH#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       active       deny-all         permit-all         100
When we enable Port Security on the port, the MAC address filtering changes.
SWITCH#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       active       deny-all         deny-all           100
The last example is when we create a static entry (whether in DHCP Snooping or IP Source).
SWITCH#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       active       192.168.100.10   12:34:ab:cd:12:34  100
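The four show ip verify source states above follow from three inputs: whether DHCP Snooping is active on the port's VLAN, whether the port has bindings (from either table), and whether Port Security is enabled. The following added Python example (written for this page, not the article's or Cisco's code) derives the row for a port from those inputs and then applies it to a packet; the permit() check is my reading of what the automatically applied port ACL does, and treating plain ip verify source as "MAC not checked" is an assumption.

```python
"""Model of the per-port filter IP Source Guard derives from the binding tables.
Added example, not the article's or Cisco's code."""


def ipsg_filter(port, vlan, snooping_vlans, bindings, port_security, filter_type="ip-mac"):
    """Derive one row of 'show ip verify source' for an interface.

    bindings: rows from 'show ip dhcp snooping binding' and 'show ip source binding'
    (the article notes IPSG consumes both), as dicts with mac, ip, vlan, interface.
    port_security: True when 'switchport port-security' is enabled on the port.
    filter_type: 'ip' for 'ip verify source', 'ip-mac' for 'ip verify source port-security'.
    """
    row = {"interface": port, "filter_type": filter_type}
    if vlan not in snooping_vlans:
        # IPSG is configured but cannot take effect without snooping on the VLAN.
        row.update(mode="inactive-no-snooping-vlan", ips=(), macs=None)
        return row
    mine = [b for b in bindings if b["interface"] == port and b["vlan"] == vlan]
    row.update(mode="active", vlan=vlan)
    row["ips"] = tuple(b["ip"] for b in mine) or "deny-all"
    if filter_type == "ip":
        row["macs"] = "permit-all"   # source MAC not checked (assumption for plain 'ip verify source')
    elif not port_security:
        row["macs"] = "permit-all"   # the permit-all the article shows without Port Security
    else:
        row["macs"] = tuple(b["mac"] for b in mine) or "deny-all"
    return row


def permit(row, src_ip, src_mac):
    """Apply the derived filter to one incoming packet on that port."""
    if row["mode"] != "active":
        return True                   # IPSG not in effect on this port
    ip_ok = row["ips"] != "deny-all" and src_ip in row["ips"]
    if row["macs"] == "permit-all":
        return ip_ok
    mac_ok = row["macs"] != "deny-all" and src_mac in row["macs"]
    return ip_ok and mac_ok


if __name__ == "__main__":
    # Constructed sample matching the article's binding for Gi1/0/1.
    bindings = [{"mac": "12:34:ab:cd:12:34", "ip": "192.168.100.10",
                 "vlan": 100, "interface": "Gi1/0/1"}]
    for snoop, ps in ((set(), False), ({100}, False), ({100}, True)):
        print(ipsg_filter("Gi1/0/1", 100, snoop, [] if not ps else bindings, ps))
```

The second state (IP deny-all, MAC permit-all) is the one that surprises people in practice: IPSG is active, no binding exists for the port yet, so every packet from the client is dropped regardless of its MAC, which is the "client cannot communicate" situation the article describes.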
Logging
Unfortunately, there is no (standard) logging for IP Source Guard.
IP Source Guard for Static Hosts
If we use statically defined addresses (and not DHCP), Cisco offers an extension called IP Source Guard for Static Hosts. It is supposed to learn the allowed addresses dynamically, up to the configured maximum (until it has learned them, it blocks everything). In practice, this method did not work well for me (maybe I misunderstood it): there is nothing like the sticky function in Port Security, so it keeps learning addresses over and over. When a client stops communicating for a short while, its entry is deleted, and when it starts again, the first packets are discarded, causing outages. So I consider it unusable in practice, but the configuration is shown here for completeness. Cisco states that this method should not be used on trunk ports.
First, we must globally enable tracking.
SWITCH(config)#ip device tracking
Then we set it on certain ports. It is done similarly to normal IPSG, and we can check only IP addresses or also MAC addresses.
SWITCH(config-if)#ip verify source tracking
SWITCH(config-if)#ip verify source tracking port-security
We must also set the allowed number of addresses per port (default is 0 and blocks everything). The documentation states a maximum of 10, but at least in the configuration, a higher value can be set.
SWITCH(config-if)#ip device tracking maximum 1
Again, we can display data or learned addresses.
SWITCH#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac trk   active       192.168.100.10   12:34:ab:cd:12:34  100
SWITCH#show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------------------------------
IP Address      MAC Address     Vlan  Interface             Probe-Timeout  State   Source
-----------------------------------------------------------------------------------------------
192.168.100.10  1234.abcd.1234  100   GigabitEthernet1/0/1  30             ACTIVE  ARP
Total number interfaces enabled: 1
Enabled interfaces:
Gi1/0/1
Dynamic ARP Inspection (DAI)
For inspecting ARP (Address Resolution Protocol) and protecting against ARP poisoning and ARP spoofing (binding the wrong MAC address to an IP address), the technique Dynamic ARP Inspection is used. This is another method that uses the DHCP Snooping Binding Database. DAI monitors ARP traffic and checks whether ARP frames are valid against the corresponding entries in the Binding DB; invalid ones are discarded. DHCP Snooping does not need to be enabled for DAI, and practice has shown me that it takes values from both the DHCP Snooping Bindings and the IP Source Bindings.
This protection helps when someone tries to spoof their MAC address to someone else's IP address (e.g., for a Man-in-the-middle attack). Again, we can set some ports as trusted, where the check is not performed, and all other ports are considered untrusted. DAI also provides protection against DoS attacks by limiting the number of ARP frames per second on the interface (Rate Limiting), defaulting to 15.
I have already written about DAI in the article Common attacks on switches, Cisco Dynamic ARP Inspection and described the theory in more detail. Link to one of the official documents Catalyst 2960 - Configuring Dynamic ARP Inspection.
DAI is enabled globally per VLAN (and per switch) and is supported on Access ports, Trunk ports, and Portchannel.
SWITCH(config)#ip arp inspection vlan 100,200
Ports where we do not want to perform DAI are set as trusted. For example, uplinks to other switches, because otherwise, we would have to know all the bindings from neighboring switches (we will not discuss here when a security gap may arise).
SWITCH(config-if)#ip arp inspection trust
That is all that is needed for basic configuration. If we use DHCP, values are taken from the DHCP Binding DB. If we also have static addresses, we can manually enter them into the same DB, but static entries in the IP Source Binding DB will also be used.
For DAI, we have a new method to define static entries (we don't need to use DHCP Snooping at all). We can create an ARP ACL, where the required combinations of IP and MAC addresses are specified (we don't need to specify the port). This ACL is then applied for DAI. During evaluation, the ARP ACL is processed first, and only then the Binding DB may be used. Example of creating an ARP ACL.
SWITCH(config)#arp access-list ARPtest
SWITCH(config-arp-acl)#permit ip host 192.168.100.10 mac host 1234.abcd.1234
Applying the ARP ACL within DAI for a specific VLAN.
SWITCH(config)#ip arp inspection filter ARPtest vlan 100
We can add the keyword static at the end when applying the ACL; then DHCP bindings are not used at all, only the entries from the ACL (evaluation ends once the ACL has been processed).
SWITCH(config)#ip arp inspection filter ARPtest vlan 100 static
Optionally, we can enable additional checks for incoming ARP packets, where the source MAC (src-mac), destination MAC (dst-mac), or source and destination IP (ip) are checked. The address in the Ethernet/IP header is compared with the ARP body.
SWITCH(config)#ip arp inspection validate src-mac
If we use DAI on a trunk port, we should carefully consider the Rate Limiting feature, which by default limits ARP messages to 15 per second. We can disable this protection if needed.
SWITCH(config-if)#ip arp inspection limit none
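The decision DAI makes for one ARP packet on an untrusted port, as an added Python model (example code for this page, not the article's or Cisco's): the optional validate checks compare the Ethernet header with the ARP body, the ARP ACL is evaluated first, the binding tables are consulted only when the ACL did not match and was not applied with static, and a separate per-port counter models the 15 pps rate limit. Two details are my assumptions rather than statements from the article: the set of addresses that validate ip treats as invalid (0.0.0.0, 255.255.255.255 and multicast), and permitting ARP probes (sender IP 0.0.0.0) before the ACL, which matches the "Probe Permit" reason that appears in the log buffer output further down.

```python
"""Model of Dynamic ARP Inspection: validate checks, ARP ACL, bindings, rate limit.
Added example, not the article's or Cisco's code."""
from collections import deque
from ipaddress import ip_address

ZERO_MAC = "0000.0000.0000"


def _invalid_ip(ip):
    """Addresses 'ip arp inspection validate ip' rejects (assumed set)."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def inspect_arp(pkt, trusted_ports, arp_acl=(), acl_static=False, bindings=(), validate=()):
    """Return ('permit' | 'deny', reason) for one ARP packet.

    pkt keys: port, vlan, op ('Req'/'Res'), eth_src, eth_dst, sha, spa, tha, tpa
    (Ethernet header addresses and ARP sender/target hardware and protocol addresses).
    arp_acl: ordered (action, ip, mac) tuples, e.g. ('permit', '192.168.100.10', '1234.abcd.1234').
    bindings: (mac, ip, vlan) tuples from the DHCP Snooping and IP Source bindings.
    validate: any of 'src-mac', 'dst-mac', 'ip'.
    """
    if pkt["port"] in trusted_ports:
        return "permit", "trusted"            # no inspection on trusted ports
    # 'ip arp inspection validate ...': header versus ARP body.
    if "src-mac" in validate and pkt["eth_src"] != pkt["sha"]:
        return "deny", "src-mac"
    if "dst-mac" in validate and pkt["op"] == "Res" and pkt["eth_dst"] != pkt["tha"]:
        return "deny", "dst-mac"
    if "ip" in validate and (_invalid_ip(pkt["spa"]) or (pkt["op"] == "Res" and _invalid_ip(pkt["tpa"]))):
        return "deny", "ip"
    if pkt["spa"] == "0.0.0.0":
        return "permit", "probe"              # ARP probe, permitted (assumption, see lead-in)
    # The ARP ACL is evaluated first; a match, permit or deny, ends the evaluation.
    for action, ip, mac in arp_acl:
        if pkt["spa"] == ip and pkt["sha"] == mac:
            return action, "acl"
    if arp_acl and acl_static:
        return "deny", "acl-implicit-deny"    # 'static': bindings are never consulted
    for mac, ip, vlan in bindings:
        if (pkt["sha"], pkt["spa"], pkt["vlan"]) == (mac, ip, vlan):
            return "permit", "dhcp-binding"
    return "deny", "dhcp-snooping-deny"


class ArpRateLimiter:
    """'ip arp inspection limit rate N' (default 15 pps over a 1 s burst interval); rate=None disables it."""

    def __init__(self, rate=15, interval=1.0):
        self.rate, self.interval = rate, interval
        self.seen = {}                # port -> deque of ARP arrival times
        self.err_disabled = set()

    def arrive(self, port, t):
        """Record an ARP arrival at time t; return False once the port is err-disabled."""
        if self.rate is None:
            return True
        if port in self.err_disabled:
            return False
        q = self.seen.setdefault(port, deque())
        q.append(t)
        while q and q[0] <= t - self.interval:
            q.popleft()
        if len(q) > self.rate:
            self.err_disabled.add(port)
            return False
        return True


if __name__ == "__main__":
    # Constructed sample: the ARPtest ACL from the article plus one DHCP-learned binding.
    acl = [("permit", "192.168.100.10", "1234.abcd.1234")]
    bind = [("1234.abcd.1235", "192.168.100.20", 100)]
    req = dict(port="Gi1/0/2", vlan=100, op="Req", eth_src="1234.abcd.1234", eth_dst="ffff.ffff.ffff",
               sha="1234.abcd.1234", spa="192.168.100.10", tha=ZERO_MAC, tpa="10.0.0.50")
    print(inspect_arp(req, {"Gi1/0/45"}, acl, False, bind))
```

Running the same packet with and without acl_static shows why the article warns about static: a host that is only in the DHCP bindings is permitted in the first case and denied in the second, even though nothing about the host changed.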
We display the main overview of settings and DAI statistics.
SWITCH#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
100   Enabled        Active
Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
100   Deny         Deny          Off
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
100   227        33       33          0
Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
100   227           0            0              0
Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
100   0                  0                       0
Other options for checking DAI settings and displaying statistics.
SWITCH#show ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Gi1/0/1          Trusted      None        N/A
Gi1/0/2          Untrusted    15          1
SWITCH#show ip arp inspection vlan 100
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
100   Enabled        Active
Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
100   Deny         Deny          Permit
SWITCH#show ip arp inspection statistics vlan 100
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
100   7671       359      310         49
Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
100   3399          4257         15             0
Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
100   0                  0                       0
Logging
Logging for DAI is much more sophisticated, and many things can be configured. When the switch drops a packet, it stores a record in a logging buffer and then, according to the configured values (we can set the buffer size and the number of messages per second), writes the record to the system log (this is a protection against flooding) and removes it from the buffer. A typical log entry looks like this.
Oct 25 09:04:00: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 100.([1234.abcd.1234/192.168.100.10/ 0000.0000.0000/10.0.0.50/09:03:59 CEST Tue Oct 25 2016])
If we use ARP ACL, the message looks a bit different.
Oct 25 12:42:03: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 100.([ 1234.abcd.1234/192.168.100.10/0000.0000. 0000/10.0.0.50/12:42:02 CEST Tue Oct 25 2016])
We can set the size of the logging buffer, i.e., how many messages it can hold (default is 32).
SWITCH(config)#ip arp inspection log-buffer entries 100
We can also set how many messages (0 means no system message is generated) over what interval (0 means each entry is logged to the system log immediately) produce one system message (the default is 5 messages per 1 second).
SWITCH(config)#ip arp inspection log-buffer logs 10 interval 5
We can display the contents of the logging buffer (including its settings), although it usually empties very quickly.
SWITCH#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 5 entries per 1 second.
Interface  Vlan  Sender MAC      Sender IP        Num Pkts  Reason        Time
---------- ----  --------------  ---------------  --------  ------------  ----
Gi1/0/1    100   1234.abcd.1234  0.0.0.0          1         Probe Permit  15:19:54 CET Wed Nov 2 2016
By default, all denied/dropped packets are logged, but we can enable additional logging for each VLAN where DAI is active. Logging of ARP probe packets, whose sender IP address is zero:
SWITCH(config)#ip arp inspection vlan 100 logging arp-probe
Logging all packets that match DHCP bindings (all) or allowed according to DHCP bindings (permit).
SWITCH(config)#ip arp inspection vlan 100 logging dhcp-bindings all
If we use ARP ACL, we can enable logging according to the settings in this ACL (based on the log keyword in the rules).
SWITCH(config)#ip arp inspection vlan 100 logging acl-match matchlog
If we enable any of the extended logging, the status will be displayed in the show ip arp inspection output under the items ACL Logging, DHCP Logging, or Probe Logging.
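The Port Security section suggests sending these messages to a syslog server and processing them. As an added example (written for this page, not the article's code), here is a Python parser for the message types quoted in this article: Storm Control, Port Security, err-disable, DHCP Snooping and DAI. The sample lines are constructed from the messages shown above (the MAC in the untrusted-port line, which is cut short in the article, is replaced by a made-up locally administered one), and the field names chosen for the parsed events are my own.

```python
"""Parser for the Cisco switch syslog messages quoted in the article.
Added example, not the article's code; sample lines are constructed from the article."""
import re
from collections import Counter

HEADER = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): ")

# One field extractor per mnemonic; these are the fields a detection rule keys on.
EXTRACTORS = {
    "FILTERED": re.compile(r"A (?P<kind>\w+) storm detected on (?P<interface>\S+)\."),
    "PSECURE_VIOLATION": re.compile(r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<interface>\S+)\."),
    "ERR_DISABLE": re.compile(r"(?P<cause>[\w-]+) error detected on (?P<interface>\S+),"),
    "DHCP_SNOOPING_MATCH_MAC_FAIL": re.compile(
        r"message type: (?P<msgtype>\w+), chaddr: (?P<chaddr>[0-9a-f.]+), MAC sa: (?P<mac>[0-9a-f.]+)"),
    "DHCP_SNOOPING_UNTRUSTED_PORT": re.compile(r"message type: (?P<msgtype>\w+), MAC sa: (?P<mac>[0-9a-f.]+)"),
}
# Both DAI deny messages share one body format: count, op, port, vlan, then [sender MAC/sender IP/...].
_DAI = re.compile(r"(?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on (?P<interface>\S+), vlan (?P<vlan>\d+)"
                  r"\.\(\[\s*(?P<mac>[0-9a-f.]+)/(?P<ip>[\d.]+)/")
EXTRACTORS["DHCP_SNOOPING_DENY"] = EXTRACTORS["ACL_DENY"] = _DAI

# Constructed sample log, assembled from the messages the article quotes.
SAMPLE_LOG = """\
Oct 23 11:33:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Oct 23 11:33:23: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Oct 23 11:33:23: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 801a.0275.442a on port GigabitEthernet1/0/1.
Jan 22 07:42:03: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: e006.e7ca.99fb, MAC sa: 3c97.0571.0af8
Jan 22 07:55:01: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0200.0000.0001
Oct 25 09:04:00: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 100.([1234.abcd.1234/192.168.100.10/0000.0000.0000/10.0.0.50/09:03:59 CEST Tue Oct 25 2016])
%STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/1. A packet filter action has been applied on the interface.
"""


def parse_line(line):
    """Return a dict for one syslog line (None if it carries no %FACILITY-SEV-MNEMONIC header)."""
    m = HEADER.search(line)
    if not m:
        return None
    ev = {"facility": m["facility"], "severity": int(m["severity"]), "mnemonic": m["mnemonic"]}
    ts = TIMESTAMP.match(line)
    ev["timestamp"] = ts["ts"] if ts else None
    extractor = EXTRACTORS.get(m["mnemonic"])
    if extractor:
        fields = extractor.search(m["text"])
        if fields:
            ev.update(fields.groupdict())
    return ev


def normalize_interface(name):
    """IOS prints the long form in some messages ('GigabitEthernet1/0/1') and 'Gi1/0/1' in others."""
    return re.sub(r"^GigabitEthernet", "Gi", name)


def security_events(lines):
    """Only the events from the switch security features covered here, in log order."""
    return [ev for ev in (parse_line(l) for l in lines) if ev and ev["mnemonic"] in EXTRACTORS]


def drops_by_interface(events):
    """How many security events each port produced; a quick way to spot a misbehaving port."""
    return Counter(normalize_interface(ev["interface"]) for ev in events if "interface" in ev)


if __name__ == "__main__":
    events = security_events(SAMPLE_LOG.splitlines())
    for ev in events:
        print(ev)
    print(drops_by_interface(events))
```

The DHCP Snooping messages carry no interface name, only MACs, so correlating them with a port means joining against the MAC address table or the binding database; the other message types name the port directly.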
Comprehensive Configuration Example
If we decide to use security mechanisms, we can enable them all. Here is an example of global settings.
SWITCH(config)#ip dhcp snooping vlan 1-4094
SWITCH(config)#ip dhcp snooping database flash:/dhcpbind.txt
SWITCH(config)#ip dhcp snooping
SWITCH#ip dhcp snooping binding 1234.abcd.1234 vlan 100 192.168.100.10 interface Gi1/0/1 expiry 4294967295
SWITCH(config)#ip arp inspection vlan 100
Configuration of an access port where the client is connected.
SWITCH(config)#interface GigabitEthernet1/0/1
SWITCH(config-if)#description Client
SWITCH(config-if)#switchport access vlan 100
SWITCH(config-if)#switchport mode access
SWITCH(config-if)#switchport port-security mac-address sticky
SWITCH(config-if)#switchport port-security
SWITCH(config-if)#storm-control broadcast level 10
SWITCH(config-if)#storm-control multicast level 10
SWITCH(config-if)#spanning-tree portfast
SWITCH(config-if)#ip verify source port-security
Configuration of a trunk port, which is an uplink to the central switch.
SWITCH(config)#interface GigabitEthernet1/0/45
SWITCH(config-if)#description Uplink
SWITCH(config-if)#switchport trunk allowed vlan 100,200
SWITCH(config-if)#switchport trunk encapsulation dot1q
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#switchport nonegotiate
SWITCH(config-if)#storm-control broadcast level 10
SWITCH(config-if)#storm-control multicast level 10
SWITCH(config-if)#ip dhcp snooping trust
SWITCH(config-if)#ip arp inspection trust
Again an excellent article. Thanks for it.
I have a question: did IPSG configured with the command "ip verify source port-security" together with Port Security (switchport port-security, without sticky, restrict) work for you in practice? I always ended up with "show ip verify source" showing deny-all for both IP and MAC on the given port, so the client of course could not communicate. After a longer search I came across explanations [1,2] that Port Security and IPSG use a different method of learning the source MAC, and further that one needs to "play" with the DHCP Option 82 settings in the switch's global configuration. But I did not draw any useful conclusion from it.
I should add that both DAI and DHCP Snooping were enabled and we do not use static IPs.
[1] http://blog.brokennetwork.ca/2011/09/dhcp-based-security-part-2-ip-source.html
[2] https://bdwyertech.net/2016/03/02/switch-security-dhcp-snooping-ip-source-guard-and-dynamic-arp-inspection-2/
Reply to [1] Ondřej Doležal: I used this whole security setup only for static addresses (without DHCP), so I did not have to deal with DHCP Option 82. And I used IPSG only with Port Security sticky. So I have no such experience.