anishpeter

prevent MAC address Spoofing

Hi all,
Everyone knows MAC address spoofing is a great threat. How can this be prevented on Cisco and Nortel ERS? I know this can be done with 802.1X authentication. But is there any other workaround, like DHCP Snooping, Dynamic ARP Inspection, etc.?

Thanks,
Peter
ASKER CERTIFIED SOLUTION
joelvp

anishpeter

ASKER

Hi joelvp,
   I agree with you. But let's say I have my MAC address and IP address, which I got from the DHCP server, in the DHCP snooping table. If I am offline and someone else puts my IP as static in his system and changes his MAC to my MAC address using spoofing tools, will he be able to access the network and do whatever he can do with my credentials?

Thanks,
Peter
SOLUTION
Hi joelvp,
OK, I agree. I found that even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Can you agree? Then what is the need for IP Source Guard?
Also, I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?

Thanks,
Peter
madunix

Implementing port security could be an option:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm.
You could allow only 1 MAC address per port and enable DHCP snooping globally and on each interface...

Hi madunix,
    I once implemented port security and reverted back. The main problem I faced is the users working from different seats. Laptop users sometimes go to meeting rooms and work from other places. The overhead of administration became very heavy. So now I plan to implement DHCP snooping, DAI and IP Source Guard.
This is my finding. Even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Can you agree? Then what is the need for IP Source Guard?
Also, I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?

Thanks,
Peter
SOLUTION
Hi joelvp,
  I was trying to save the database to a file in flash. It is saved but not loaded automatically upon reboot. Any idea?
I have some unmanaged 8-port switches, which are connected to a single port of a managed Cisco switch, where snooping, DAI and IP Source Guard are configured. Only one machine is getting an IP from DHCP and its address is populated in the snooping database. What do I do to get access for the other machines?

Thanks,
Peter

Hi Peter, not sure about your saving to flash. Was the config saved properly? Maybe refer to it as disk0 or flash? Maybe ask this in another question. About the unmanaged switch, I don't think this is possible. Behind an untrusted port, you can have only one DHCP client.
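
An added illustration, not part of the original thread and not switch code: a toy Python model of the DHCP snooping binding table, showing which frames DAI and IP Source Guard each check against it and what a reload does when the table was not saved. Class and function names, port names and addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:            # one row of the DHCP snooping binding table
    mac: str
    ip: str
    vlan: int
    port: str

class Switch:
    def __init__(self, saved=()):
        self.bindings = set(saved)  # after a reload, only restored rows exist

    def learn_dhcp_ack(self, mac, ip, vlan, port):
        self.bindings.add(Binding(mac, ip, vlan, port))

    def dai_permits(self, f):
        # Dynamic ARP Inspection: checks ARP sender MAC/IP on this VLAN and port.
        return Binding(f["mac"], f["ip"], f["vlan"], f["port"]) in self.bindings

    def ipsg_permits(self, f):
        # IP Source Guard (IP filter mode): checks source IP on this VLAN and port.
        return any((b.ip, b.vlan, b.port) == (f["ip"], f["vlan"], f["port"])
                   for b in self.bindings)

    def forwards(self, f, dai=True, ipsg=True):
        # Frame arriving on an untrusted port: ARP goes to DAI, IP goes to IPSG.
        if f["kind"] == "arp":
            return not dai or self.dai_permits(f)
        return not ipsg or self.ipsg_permits(f)

def frame(kind, port, mac="00:11:22:33:44:55", ip="192.0.2.10", vlan=10):
    return {"kind": kind, "mac": mac, "ip": ip, "vlan": vlan, "port": port}

def demo():
    sw = Switch()
    sw.learn_dhcp_ack("00:11:22:33:44:55", "192.0.2.10", 10, "Gi0/1")  # constructed
    return {
        # Same MAC and IP presented on a port that holds no binding for them:
        "arp_other_port_dai": sw.forwards(frame("arp", "Gi0/7"), ipsg=False),
        "ip_other_port_dai_only": sw.forwards(frame("ip", "Gi0/7"), ipsg=False),
        "ip_other_port_ipsg": sw.forwards(frame("ip", "Gi0/7")),
        # Legitimate host on its own port, before and after a switch reload:
        "host_before_reload": sw.forwards(frame("ip", "Gi0/1")),
        "host_reload_no_db": Switch().forwards(frame("ip", "Gi0/1")),
        "host_reload_saved_db": Switch(saved=sw.bindings).forwards(frame("ip", "Gi0/1")),
    }

if __name__ == "__main__":
    print("\n".join(f"{k:24} {'forwarded' if v else 'dropped'}" for k, v in demo().items()))
```

In the model, DAI alone leaves IP data packets unfiltered, and a host that stays powered on across a switch reload is dropped until it renews its lease unless the bindings were restored from a saved database.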