cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17112
Views
0
Helpful
7
Replies
simardeepsingh3
Beginner

Preventing Mac Spoofing

Port Security is enabled on switch, hence random mac's are disabled. But what if an insider disconnect his company assigned PC and connect with his own laptop into the same port having spoofed mac address of PC. Is there a way to detect that employee is using his laptop and not PC?

7 REPLIES 7
paul driver
VIP Expert

Hello

you can use Ip source guard or Dynamic Arp inspection (DAI)- Both work with DHCP snoopping

DAI - can also be used without DHCP snooping by  specifiying  static filters

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

pdriver wrote:

Hello

you can use Ip source guard or Dynamic Arp inspection (DAI)- Both work with DHCP snoopping

DAI - can also be used without DHCP snooping by  specifiying  static filters

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html

None of these will be effective against MAC spoofing.

paolo bevilacqua
Hall of Fame Master

No.

For real security, rely on application layer, not network.


Hello Simardeep and CSC

Apologies for the misleading post - I interpreted your post incorrectly.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
antonio.guirado
Participant

Hello,

you need a NAC (Network Access Control). NAC is device that using a set of protocols allows controlling the network access. When a computer connects to a network, it is not permitted to access anything unless it complies with a business defined policy, including anti-virus protection level, system update level and configuration.

Regards.

Dear Antonio,

I think NAC will solve most of the problem by first ensuring that device confirm to the business policy. It will put it into a seperate VLAN. My doubts are:

1. Can an insider still confirm to these business defined policy in some way say antivirus update and system update?

2. After authentication, he will be able to use production environment. Is there a way to detect, that he is using his personal laptop and not assigned PC?

rgreville666
Beginner

There multiple ways of doing this.. most are listed below.

However if you want a quick and easy solution just run port-security, limit the MAC address on the interface and use the sticky feature. The sticky feature converts DYNAMIC mac addresses to STICKY and places the config in the running-config. If you reboot your device (without saving the config) the switch will re-learn and once again place into the running-config (after a reload). You can make it permanent by saving the config (copy running-config to startup-config)

This will force the port to only accept a certain number of known static macs.

As I said there’s multiple ways of doing this, this is just a quick and dirty way of nailing it up, here’s the commands you need;

 

Int X/X

switchport

switchport port-security

switchport port-security maximum X

switchport port-security mac-address sticky

 

Grev