How do you keep users from stealing other users' IP??

Atanas Yankov xds at LanGame.Net
Fri Mar 24 11:24:35 UTC 2006


Port security will help when you want to ensure that a particular MAC
address enters the switch on a particular port, but it does not prevent a
user from changing their IP address. Static ARP is the most stupid thing
that most administrators do, because the router never sends an ARP request
to see whether the device is there and blindly sends traffic for this device
encapsulated with a static MAC that does not exist in the bridging tables,
and this traffic is unknown unicast, flooded across all the switches,
bridges :)) and all devices. The impact can vary with the volume of traffic
sent :)). My suggestion is to use Cisco's multihost 802.1x
implementation or play with private VLANs.

 
br,
CCNP Atanas Yankov
Network Administrator
AngelSoft Ltd.

Jon Otterholm wrote:

> To prevent users from MAC-spoofing - buy a switch with some kind of 
> "port-security". If you could lock down a port to just one MAC and 
> have a static ARP on the router it would be pretty hard to spoof the 
> MAC-address. With another MAC than the one associated with the port 
> you simply will not be able to talk to anyone.


> To take security one step further you could use some kind of RADIUS 
> authentication (MAC/user/computer/??).
>
> Dlink 3526/3550 have these functions. In addition you could lock down 
> the switch so that "user-ports" only could talk to the uplink port and 
> never with each other.
>
>
> And NO - I am not a Dlink employee, just a big fan.
>
> /Jon
>
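The flooding behaviour described in the reply above can be reproduced with a toy model. This is an added example, not code from the thread: the `LearningSwitch` and `Router` classes, the port numbers and the addresses are all constructed for illustration, and the model assumes a single learning switch with the router on port 1.

```python
# Added illustration, not from the thread. Addresses and ports are constructed.
class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb = {}                      # bridging table: MAC -> port

    def receive(self, in_port, src_mac, dst_mac):
        """Learn the source MAC and return the set of egress ports."""
        self.fdb[src_mac] = in_port
        out = self.fdb.get(dst_mac)
        if out is None:                    # unknown unicast: flood
            return self.ports - {in_port}
        return set() if out == in_port else {out}

    def age_out(self, mac):
        """The entry expires once the host is unplugged or silent."""
        self.fdb.pop(mac, None)


class Router:
    def __init__(self, mac, static_arp=None):
        self.mac = mac
        self.static_arp = dict(static_arp or {})

    def resolve(self, ip, online):
        """Return the next-hop MAC, or None when ARP gets no reply."""
        if ip in self.static_arp:
            return self.static_arp[ip]     # used blindly, never re-checked
        return online.get(ip)              # dynamic ARP: only a live host answers


def forward(router, switch, uplink, ip, online):
    """Ports that carry one routed packet for ip (empty set = dropped)."""
    mac = router.resolve(ip, online)
    if mac is None:
        return set()
    return switch.receive(uplink, router.mac, mac)


def demo():
    host_ip, host_mac, rtr_mac = "192.0.2.10", "00:00:5e:00:53:0a", "00:00:5e:00:53:01"
    sw = LearningSwitch(ports=[1, 2, 3, 4])          # port 1 is the uplink
    static = Router(rtr_mac, {host_ip: host_mac})
    dynamic = Router(rtr_mac)
    sw.receive(3, host_mac, rtr_mac)                 # host on port 3 talks once
    present = forward(static, sw, 1, host_ip, {host_ip: host_mac})
    sw.age_out(host_mac)                             # host leaves the network
    gone_static = forward(static, sw, 1, host_ip, {})
    gone_dynamic = forward(dynamic, sw, 1, host_ip, {})
    return present, gone_static, gone_dynamic
```

`demo()` returns the egress ports for three cases: host present, host gone with a static ARP entry (the packet reaches every other port), and host gone with dynamic ARP (the packet is dropped at the router).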



More information about the freebsd-net mailing list