[c-nsp] against arp spoofing

Gert Doering gert at greenie.muc.de
Sat May 28 15:05:22 EDT 2005


Hi,

On Sat, May 28, 2005 at 08:54:38PM +0200, Gert Doering wrote:
> There are some features in the newer Cisco switches that can achieve
> this (by snooping DHCP packets, and permitting only IPs and MACs that
> are "permitted by DHCP"), but that's something on top of pVLANs - not
> something they bring in by default, and not something that helps you
> much if you don't use DHCP for IP assignment.

Well, for the sake of completeness.  The feature is called 
"ip source guard", and is available on switchports (not routed-ports)
on about all recent catalyst platforms.

It works by snooping DHCP, or by pre-assigning static MAC <-> IP bindings
(which is a lot of work and needs to be updated every time a customer
changes his machine, network card, whatever).

We'll stick to "one VLAN per customer".

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
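As an added illustration (not part of the original message), this is what the "ip source guard" setup described above looks like on a Catalyst 3560/3750-style switch: DHCP snooping feeds the binding table for one customer port, and a second customer with a static address gets a hand-maintained MAC/IP binding. Interface names, VLAN 100, the MAC address and the 192.0.2.0/24 addresses are constructed placeholders; the `port-security` keyword form of `ip verify source` differs on other platforms (for example the 4500 series).

```cisco
! Added example, not from the original message. Names, VLAN, MAC and IPs
! are constructed placeholders.
ip dhcp snooping
ip dhcp snooping vlan 100
! Persist the binding table so a switch reload does not drop customers
! until their next DHCP renewal.
ip dhcp snooping database flash:dhcp-snoop.db
!
interface GigabitEthernet1/0/1
 description uplink towards the DHCP server
 switchport mode trunk
 ! Only the uplink may carry DHCP server replies.
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/10
 description customer A (address from DHCP)
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ! Drop IP packets whose source IP+MAC is not in the binding table
 ! for this port; a spoofed address never leaves the port.
 ip verify source port-security
!
interface GigabitEthernet1/0/11
 description customer B (static address, no DHCP)
 switchport mode access
 switchport access vlan 100
 ip verify source
!
! Hand-maintained binding for customer B. This line has to change whenever
! that customer swaps a NIC or machine, which is the maintenance cost the
! message above points out.
ip source binding 0011.2233.4455 vlan 100 192.0.2.50 interface GigabitEthernet1/0/11
```

`show ip dhcp snooping binding` lists the learned and static entries, and `show ip verify source` shows which ports are actually filtering and on which bindings.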