Chapter Intro
Chapter 8 of the CCNA 200-301 Official Cert Guide, Volume 2 discussed two topics related by their overall goals and because of their mechanisms. Both features help secure a network by protecting common protocols against attacks meant to take advantage of those protocols. They are:
- DHCP Snooping
- Dynamic ARP Inspection
Normally, a switch would forward DHCP messages sent by the attached devices, ignoring the fact that some Ethernet frame happened to encapsulate a DHCP message. DHCP Snooping causes the switch to examine the DHCP details, collect data, and make choices. Those choices include filtering DHCP messages that appear to be part of a DHCP-based attack.
A switch configured to use DAI follows a similar process with ARP messages sent by attached devices. The switch would normally forward those Ethernet frames that happened to encapsulate an ARP message, ignoring the ARP details. DAI causes the switch to examine the detail of ARP messages that it forwards. DAI uses a table that lists the legitimate IP address/MAC address pairs, filtering ARP messages that do not conform to that list. DAI uses two types of lists: one statically configured with an ARP ACL, and the other dynamically learned with the DHCP Snooping feature. So it makes sense to learn about DAI and DHCP Snooping at the same time.
Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.
Write a comment