[c-nsp] against arp spoofing
John Edwards
isplist at adam.com.au
Sun May 29 21:23:04 EDT 2005
Gert Doering wrote:
> There are some features in the newer Cisco switches that can achieve
> this (by snooping DHCP packets, and permitting only IPs and MACs that
> are "permitted by DHCP"), but that's something on top of pVLANs - not
> something they bring in by default, and not something that helps you
> much if you don't use DHCP for IP assignment.
The Ericsson Ethernet DSLAM products use this and go one better by
providing a 'virtual mac address' option that does a kind of 1:1
per-port NAT for layer 2. This appears to me to be a very effective way
of dealing with the problem of MAC address spoofing and untrusted devices.
John Edwards
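
The DHCP-snooping check described in the quoted text, as an added example that is not part of the original thread and is not any vendor's implementation: a toy model in which bindings learned from DHCP ACKs on a trusted port decide whether ARP from an access port is permitted. The class, method and port names are hypothetical, the addresses are constructed, and passing the client's port with the ACK is a simplification.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    port: str
    expires: float  # absolute time in seconds; math.inf for static entries

class SnoopingSwitch:
    """Toy model: bindings learned from DHCP gate ARP on untrusted ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks / DHCP server ports
        self.bindings = {}                 # ip -> Binding

    def dhcp_ack(self, ingress_port, client_mac, client_port, ip, lease, now):
        # Only a DHCPACK arriving on a trusted port may create a binding;
        # an ACK seen on an access port comes from a rogue server and is ignored.
        if ingress_port not in self.trusted:
            return False
        self.bindings[ip] = Binding(client_mac.lower(), client_port, now + lease)
        return True

    def add_static(self, mac, ip, port):
        # Manual entry for hosts that do not use DHCP.
        self.bindings[ip] = Binding(mac.lower(), port, math.inf)

    def check_arp(self, port, sender_mac, sender_ip, now):
        if port in self.trusted:
            return "permit"
        b = self.bindings.get(sender_ip)
        if b is None or now >= b.expires:
            return "drop: no valid binding"
        if b.mac != sender_mac.lower() or b.port != port:
            return "drop: binding mismatch"
        return "permit"

def demo():
    # Constructed events: documentation-range IPs, locally administered MACs.
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    sw.dhcp_ack("uplink", "02:00:00:00:00:0A", "port1", "192.0.2.10", 3600, now=0)
    return [
        sw.check_arp("port1", "02:00:00:00:00:0a", "192.0.2.10", now=10),    # leaseholder
        sw.check_arp("port2", "02:00:00:00:00:0b", "192.0.2.10", now=10),    # claims another host's IP
        sw.check_arp("port3", "02:00:00:00:00:0c", "192.0.2.20", now=10),    # static host, no lease
        sw.check_arp("port1", "02:00:00:00:00:0a", "192.0.2.10", now=3600),  # lease has run out
    ]
```

The third result is the limitation the quoted text points out: a host with a statically assigned address has no DHCP-learned binding, so it is dropped until an entry is added by hand with add_static().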