[c-nsp] against arp spoofing
Gert Doering
gert at greenie.muc.de
Sat May 28 15:05:22 EDT 2005
Hi,
On Sat, May 28, 2005 at 08:54:38PM +0200, Gert Doering wrote:
> There are some features in the newer Cisco switches that can achieve
> this (by snooping DHCP packets, and permitting only IPs and MACs that
> are "permitted by DHCP"), but that's something on top of pVLANs - not
> something they bring in by default, and not something that helps you
> much if you don't use DHCP for IP assignment.
Well, for the sake of completeness. The feature is called
"ip source guard", and is available on switchports (not routed-ports)
on about all recent catalyst platforms.
It works by snooping DHCP, or by pre-assigning static MAC <-> IP bindings
(which is a lot of work and needs to be updated every time a customer
changes his machine, network card, whatever).
We'll stick to "one VLAN per customer".
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
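As an added illustration of the two binding sources Gert mentions (this is not configuration from the post or from Cisco documentation, just an example of the Catalyst IOS commands involved), below is a minimal IP Source Guard setup: DHCP snooping feeds dynamic bindings, a static `ip source binding` covers a customer with a fixed address, and `ip verify source` on the access port drops traffic whose source IP (and optionally MAC) does not match a binding. VLAN 100, the interface names, the MAC address and the 192.0.2.x addresses are constructed placeholders.

```cisco
! --- global: DHCP snooping is the prerequisite for IP Source Guard ---
ip dhcp snooping
ip dhcp snooping vlan 100
! (optional) do not insert option 82 if the DHCP server is not expecting it
no ip dhcp snooping information option
!
! --- uplink towards the real DHCP server: must be trusted, otherwise
!     DHCP OFFER/ACK arriving here are discarded as "rogue server" traffic ---
interface GigabitEthernet1/0/24
 description uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! --- customer access port (untrusted): source IP is checked against the
!     snooping binding table; add "port-security" to also check the MAC ---
interface GigabitEthernet1/0/1
 description customer A (DHCP)
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping limit rate 10
 ip verify source
!
! --- customer with a static address: no DHCP lease exists, so a manual
!     binding is required (placeholder MAC/IP; this is the "lot of work"
!     part, it must be changed whenever the customer swaps hardware) ---
interface GigabitEthernet1/0/2
 description customer B (static IP)
 switchport mode access
 switchport access vlan 100
 ip verify source port-security
!
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface GigabitEthernet1/0/2
!
! --- verification ---
! show ip dhcp snooping binding     -> dynamic leases learned on VLAN 100
! show ip source binding            -> static + dynamic entries
! show ip verify source             -> per-port filter state and allowed IP/MAC
```

Until a host on Gi1/0/1 has completed a DHCP exchange it can send no IP traffic at all, so a spoofed source address (or a customer hard-coding an address without a static binding) is silently dropped at the port rather than reaching a neighbour.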
More information about the cisco-nsp mailing list