Bindings Created by DAI or IP Source Guard

When DAI or IP source guard is enabled, the inspected traffic (ARP or IP) can also populate the IP address bindings table. With ARP inspection, the sender MAC and IP and the target MAC and IP from the ARP payload, as provided by the ARP request or reply, are used to populate the bindings. With IP inspection, the source MAC address and IP address are used to create these bindings.

If a binding already exists for a user due to DHCP, and the lease time has not expired, the DHCP binding takes precedence and a violation is recorded, but the binding does not change. If there is an entry for the user in the multiauth session table and DHCP snooping has not provided a MAC-to-IP address binding table entry, the ARP or IP traffic can create the MAC-to-IP address binding table entry. This form of entry creation allows the anti-spoofing feature to adapt to environments that are not on the edge or are not able to monitor and process all DHCP exchanges on the network for attached users.
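
The precedence rules above can be sketched as a small Python model. This is an added example, not the device's own code. The class and method names, the return strings, and the handling of cases the text leaves open (expired leases, users without a multiauth session, existing ARP/IP-learned entries, traffic that agrees with the DHCP binding) are assumptions, marked in the comments.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    ip: str
    source: str                # "dhcp", "arp" or "ip"
    lease_expiry: float = 0.0  # used only for DHCP bindings

class BindingTable:
    """Simplified model of the MAC-to-IP bindings table (not device code)."""

    def __init__(self, multiauth_macs):
        self.sessions = set(multiauth_macs)  # MACs in the multiauth session table
        self.bindings = {}                   # MAC -> Binding
        self.violations = []                 # (mac, claimed_ip, bound_ip)

    def learn_dhcp(self, mac, ip, lease_expiry):
        self.bindings[mac] = Binding(ip, "dhcp", lease_expiry)

    def observe(self, mac, ip, source, now):
        """Handle one MAC/IP pair taken from inspected ARP or IP traffic."""
        cur = self.bindings.get(mac)
        if cur and cur.source == "dhcp":
            if now < cur.lease_expiry:
                if cur.ip == ip:
                    return "match"  # assumption: agreeing traffic is no violation
                # Unexpired DHCP binding wins: log it, leave the entry alone.
                self.violations.append((mac, ip, cur.ip))
                return "violation"
            del self.bindings[mac]  # assumption: expired lease counts as no binding
            cur = None
        if cur is not None:
            return "existing"       # assumption: ARP/IP-learned entry left as is
        if mac not in self.sessions:
            return "ignored"        # assumption: no multiauth session, no entry
        self.bindings[mac] = Binding(ip, source)
        return "created"

def demo():
    # Constructed sample data: two authenticated MACs, one DHCP lease.
    t = BindingTable({"00:00:5e:00:53:01", "00:00:5e:00:53:02"})
    t.learn_dhcp("00:00:5e:00:53:01", "192.0.2.10", lease_expiry=3600)
    results = [
        t.observe("00:00:5e:00:53:01", "192.0.2.99", "arp", now=60),
        t.observe("00:00:5e:00:53:02", "192.0.2.20", "ip", now=60),
        t.observe("00:00:5e:00:53:03", "192.0.2.30", "arp", now=60),
    ]
    return t, results
```

For an ARP packet, observe() would be called once for the sender pair and once for the target pair from the payload.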