Port security will help you when you want to ensure that particular mac
address is enter switch on particular port but not prevent user to
change ip address , statics arp is the most stupid part that most
administrators does becouse router never send arp request to see are
this device are there and blindly send traffic for this device
encapsulated with static mac that not exist in bridging tables and
this traffic is unknow unicast flooded accross the all switches
bridges :)) and all devices , impact can be vary on value of sended
traffic :)) , my suggestions is to use cisco multihost 802.1x
implementation or play with private vlans .
br,
CCNP Atanas Yankov
Network Administrator
AngelSoft Ltd.
Jon Otterholm wrote:
To prevent users from MAC-spoofing - buy a switch with some kind of
"port-security". If you could lock down a port to just one MAC and
have a static ARP on the router it would be pretty hard to spoof the
MAC-address. With another MAC than the one associated with the port
you simply will not be able to talk to anyone.
To take security one step further you could use some kind of RADIUS
authentication (MAC/user/computer/??).
Dlink 3526/3550 have these functions. In addition you could lock down
the switch so that "user-ports" only could talk to the uplink port and
never with each other.
And NO - I am not a Dlink employee, just a big fan.
/Jon
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
