anishpeter
asked on
prevent MAC address Spoofing
Hi all,
Everyone knows MAC address spoofing is a great threat. How can this be prevented in Cisco and Nortel ERS? I know this can be done with 802.1X authentication. But is there any other workaround like DHCP Snooping, Dynamic ARP Inspection, etc.?
Thanks,
Peter
ASKER
Hi joelvp,
OK, I agree. I found that even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Can you agree? Then what is the need for IP Source Guard?
Also, I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?
Thanks,
Peter
Implementing port security could be an option:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm
You could allow only 1 MAC address per port and enable DHCP snooping globally and on each interface...
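A sketch of the setup suggested above, extended with the DAI and IP Source Guard features discussed elsewhere in this thread. This is an added example, not a configuration posted by any participant; VLAN 10, the interface names and the rate limit are assumptions, and the syntax is that of Catalyst access switches running IOS, so check it against your platform's command reference.

```cisco
! Added example. VLAN 10 and all interface names are assumptions.
!
! DHCP snooping: turn it on globally, then for the user VLAN.
! The switch records MAC, IP, lease, VLAN and port for every lease
! it sees handed out on an untrusted port.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Dynamic ARP Inspection: validate ARP packets in VLAN 10 against
! the DHCP snooping bindings.
ip arp inspection vlan 10
!
! Uplink towards the legitimate DHCP server: trusted for DHCP
! server replies and exempt from ARP inspection.
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing access ports: untrusted by default.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 !
 ! Port security with dynamically learned addresses:
 ! one MAC address per port, no per-user static entries.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 !
 ! Cap DHCP packets per second from a client port.
 ip dhcp snooping limit rate 15
 !
 ! IP Source Guard: drop IP traffic whose source address does not
 ! match the snooping binding for this port.
 ip verify source
!
! Verification commands:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip verify source
!   show port-security
```

Hosts with static addresses on these ports have no snooping binding, so DAI and IP Source Guard drop their traffic unless a static binding or ARP ACL is configured for them.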
ASKER
Hi madunix,
I once implemented port security and reverted back. The main problem I faced is the users working from different seats. Laptop users sometimes go to meeting rooms and work from other places. The overhead of administration became very heavy. So now I plan to implement DHCP snooping, DAI and IP Source Guard.
This is my finding: even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Can you agree? Then what is the need for IP Source Guard?
Also, I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?
Thanks,
Peter
ASKER
Hi joelvp,
I was trying to save the database to a file in flash. It is saved but not loaded automatically upon reboot. Any idea?
I have some unmanaged 8-port switches, which are connected to a single port of a managed Cisco switch where snooping, DAI and IP Source Guard are configured. Only one machine is getting an IP from DHCP and its address is populated in the snooping database. What do I do to get access for the other machines?
Thanks,
Peter
Hi Peter, not sure about your saving to flash. Was the config saved properly? Maybe refer to it as disk0 or flash? Maybe ask this in another question. About the unmanaged switch, I don't think this is possible. Behind an untrusted port, you can have only one DHCP client.
ASKER
I agree with you. But let's say I have my MAC address and the IP address that I got from the DHCP server in the DHCP snooping table. If I am offline and someone else is putting my IP as static in his system and changing his MAC to my MAC address using spoofing tools, will he be able to access the network and do whatever I can do with my credentials?
Thanks,
Peter