First it is important to level set with customers that Profiling is NOT authenticated identity.
Spoofing endpoint attributes is primarily a matter of determination. I can spoof MAC, IP, DHCP, CDP, LLDP, SNMP, and even responses to port scans. There needs to be a balance between controls implemented and risk.
If trying to thwart a curious or even somewhat malicious user, then basic controls may be sufficient. To truly detect a savvy attacker, then there needs to be a layered approach including port security (to enforce DHCP clients and ARP inspection and prevent rogue DHCP), NAC, and upwards to network traffic analysis (for example, StealthWatch to check for anomalous activity), IDS/IPS, DNS inspection, Firewalls to block backdoor channels, etc.
Another basic rule is to always to implement a policy of least privileges. For example, if classified as a Phone, then only permit phone things. This may be a narrow policy based on well-known phone protocols such as SIP, but may expand into other applications due to the advanced integration with IP Telephony systems including video and collaboration apps. It should still be reasonable to lock down phones and printers to NOT have access to critical portions of data center, or blind internet access. The point here is that if a determined attacker does successfully spoof an IoT endpoint, then don't offer them free access to the crown jewels!
And when customer again returns to the question of best way to prevent MAC Spoofing, you can promptly return to Item #1: Authentication! Yes, there is a proven solution but everyone is looking for any easy button via non-deterministic technologies.
$.02, Craig
