[c-nsp] Prevent "IP Spoofing" from inside of the network

Saku Ytti saku+cisco-nsp at ytti.fi
Tue May 24 05:53:40 EDT 2005


On (2005-05-24 11:33 +0200), ricardo.jantarada at bnpparibas.com wrote:

> A few days ago, someone accidentally took the HSRP IP address of the
> network.
> We usually use the DHCP protocol for clients to protect the network from this
> kind of problem, but sometimes we have to use hard IP addresses for other
> devices.
> I would like to protect this HSRP IP address from being used by anyone other
> than my routers.

Basically you can do this by forcing DHCP usage. Catalyst 3550 and up support
IP source guard, which only allows ports with a DHCP-assigned address to
communicate. You might want to configure dynamic ARP inspection to go with it.

-- 
  ++ytti
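
A configuration sketch of the approach suggested in the reply, added here as an example and not taken from the thread: DHCP snooping, IP source guard and dynamic ARP inspection on an access VLAN, with a manual binding for a statically addressed device. VLAN 10, the interface names, the ACL name and the MAC/IP pair are constructed placeholders, and exact keywords differ between Catalyst platforms and software releases.

```cisco
! Constructed example: VLAN, interfaces, ACL name and addresses are placeholders.
!
! Build the binding table from DHCP exchanges seen on VLAN 10
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Validate ARP packets on VLAN 10 against the known bindings
ip arp inspection vlan 10
!
! Ports facing the HSRP routers / DHCP server are trusted, so their
! DHCP replies and their ARP replies for the HSRP address are accepted.
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Ordinary client port: untrusted by default. Only the source address
! learned through DHCP snooping may send traffic from this port.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Device with a hard-coded address: it never performs DHCP, so it needs
! a manual source binding for IP source guard ...
ip source binding 0000.1111.2222 vlan 10 192.0.2.50 interface FastEthernet0/3
!
! ... and an ARP ACL entry so dynamic ARP inspection accepts its ARP packets.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0000.1111.2222
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 ip verify source
```

With this in place, a host on an untrusted port that configures the HSRP address by hand has no matching binding, so its IP traffic and ARP replies for that address are dropped at the access switch.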

