deny unknown users

Chuck Anderson cra at WPI.EDU
Thu May 14 13:29:19 UTC 2009


On Thu, May 14, 2009 at 10:04:48AM +0700, winan888 at cbn.net.id wrote:
> I need to deny unknown users who know our LAN IP address to log in to our
> LAN. Does anybody have a solution for this?

Do your switches support DHCP Snooping?  If so, you could turn that on 
and only allow known-hosts to get an address via DHCP.  Combine that 
with Dynamic ARP Inspection and IP Source Guard, and maybe MAC Source 
Guard or MAC Security on each edge switch port.  It isn't perfect, 
because someone could spoof a known allowed MAC address, but it is 
pretty good without being as intrusive as 802.1x or captive portals.
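
The "only allow known hosts to get an address via DHCP" part of the reply above, as an added example that is not part of the original post. It assumes the server is ISC dhcpd; the subnet, host names and MAC addresses are constructed placeholders.

```conf
# dhcpd.conf sketch (added example; all addresses and names are constructed).
# In ISC dhcpd a client is "known" when a host declaration matches it.

authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Known hosts: one declaration per permitted MAC address.
host workstation-01 {
    hardware ethernet 00:00:5e:00:53:01;
}

host workstation-02 {
    hardware ethernet 00:00:5e:00:53:02;
}

# A known host can also be pinned to a fixed address outside the pool range.
host printer-01 {
    hardware ethernet 00:00:5e:00:53:10;
    fixed-address 192.168.10.10;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;

    pool {
        range 192.168.10.100 192.168.10.200;
        # Clients without a matching host declaration get no lease here.
        deny unknown-clients;
    }
}

# This only controls who receives a lease. A machine configured with a
# static address never asks the DHCP server, which is why the reply pairs
# this with DHCP Snooping, Dynamic ARP Inspection and IP Source Guard on
# the edge switches: those features drop traffic from addresses that were
# not handed out through a snooped DHCP exchange.
```

Validate the file with `dhcpd -t -cf /path/to/dhcpd.conf` before restarting the server.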


