Preventing Mac Spoofing

simardeepsingh3
Level 1

Port Security is enabled on the switch, hence random MACs are disabled. But what if an insider disconnects his company-assigned PC and connects his own laptop into the same port with the spoofed MAC address of the PC? Is there a way to detect that the employee is using his laptop and not the PC?

7 Replies

Hello

you can use IP Source Guard or Dynamic ARP Inspection (DAI) - both work with DHCP snooping

DAI can also be used without DHCP snooping by specifying static filters

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html

res

Paul



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

pdriver wrote:

Hello

you can use IP Source Guard or Dynamic ARP Inspection (DAI) - both work with DHCP snooping

DAI can also be used without DHCP snooping by specifying static filters

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html

None of these will be effective against MAC spoofing.

paolo bevilacqua
Hall of Fame

No.

For real security, rely on application layer, not network.


Hello Simardeep and CSC

Apologies for the misleading post - I interpreted your post incorrectly.

res

Paul



antonio.guirado
Level 3

Hello,

you need a NAC (Network Access Control). A NAC is a device that, using a set of protocols, controls access to the network. When a computer connects to the network, it is not permitted to access anything unless it complies with a business-defined policy, including anti-virus protection level, system update level and configuration.

Regards.

Dear Antonio,

I think NAC will solve most of the problem by first ensuring that the device conforms to the business policy. It will put it into a separate VLAN. My doubts are:

1. Can an insider still conform to these business-defined policies in some way, say antivirus update and system update?

2. After authentication, he will be able to use production environment. Is there a way to detect, that he is using his personal laptop and not assigned PC?

rgreville666
Level 1

There are multiple ways of doing this; most are listed below.

However, if you want a quick and easy solution, just run port-security, limit the MAC addresses on the interface and use the sticky feature. The sticky feature converts DYNAMIC MAC addresses to STICKY and places the config in the running-config. If you reboot your device (without saving the config) the switch will re-learn them and once again place them into the running-config (after a reload). You can make it permanent by saving the config (copy running-config to startup-config).

This will force the port to only accept a certain number of known static macs.

As I said, there are multiple ways of doing this; this is just a quick and dirty way of nailing it up. Here are the commands you need:

interface X/X
 ! port-security is only accepted on a static access (or trunk) port, not in dynamic mode
 switchport
 switchport mode access
 switchport port-security
 ! X = number of MAC addresses the port may learn
 switchport port-security maximum X
 switchport port-security mac-address sticky

Grev
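As an added illustration (my own model, not code from any poster or from Cisco) of why sticky port-security alone cannot answer Simardeep's question: the first class mirrors what `switchport port-security maximum` with `mac-address sticky` checks, the second mirrors the per-device fingerprint check a NAC or profiling system adds on top. The frame fields, the DHCP-option fingerprint and the sample hosts are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    """Constructed view of one host as seen by the switch and a profiler."""
    src_mac: str
    dhcp_hostname: str = ""  # DHCP option 12 (assumed to come from DHCP snooping)
    dhcp_vendor: str = ""    # DHCP option 60, e.g. "MSFT 5.0"

class StickyPortSecurity:
    """Models port-security maximum N + mac-address sticky: learn N MACs, reject the rest."""
    def __init__(self, maximum: int):
        self.maximum = maximum
        self.sticky: set[str] = set()
        self.violations = 0

    def admit(self, frame: Frame) -> bool:
        mac = frame.src_mac.lower()
        if mac in self.sticky:
            return True            # a copy of an already-sticky MAC passes here
        if len(self.sticky) < self.maximum:
            self.sticky.add(mac)   # learned and written into running-config
            return True
        self.violations += 1       # default violation mode would err-disable the port
        return False

class DeviceProfiler:
    """Models the NAC-style check: baseline each MAC's fingerprint, flag later changes."""
    def __init__(self):
        self.baseline: dict[str, tuple[str, str]] = {}

    def check(self, frame: Frame) -> str:
        mac = frame.src_mac.lower()
        fingerprint = (frame.dhcp_hostname, frame.dhcp_vendor)
        first_seen = self.baseline.setdefault(mac, fingerprint)
        return "ok" if first_seen == fingerprint else "fingerprint-changed"

def run_scenario() -> dict:
    port, profiler = StickyPortSecurity(maximum=1), DeviceProfiler()
    # Constructed hosts: the assigned PC, a laptop reusing the PC's MAC, a stranger.
    pc = Frame("00:1A:2B:3C:4D:5E", "CORP-PC-0123", "MSFT 5.0")
    laptop = Frame("00:1a:2b:3c:4d:5e", "personal-laptop", "")  # no option 60 sent
    stranger = Frame("66:77:88:99:AA:BB", "guest", "MSFT 5.0")
    return {
        "pc_admitted": port.admit(pc), "pc_profile": profiler.check(pc),
        "laptop_admitted": port.admit(laptop),      # True: only the MAC is checked
        "laptop_profile": profiler.check(laptop),   # "fingerprint-changed"
        "stranger_admitted": port.admit(stranger),  # False: port-security does work here
        "violations": port.violations,
    }
```

Port-security correctly blocks the unknown MAC but admits the laptop, so only the higher-layer fingerprint check (what NAC profiling or 802.1X-style identity adds) distinguishes the two devices.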
