deny unknown users
cra at WPI.EDU
Thu May 14 13:29:19 UTC 2009
On Thu, May 14, 2009 at 10:04:48AM +0700, winan888 at cbn.net.id wrote:
> I need to deny unknown users who know our LAN IP address to log in to our
> LAN. Does anybody have a solution for this?
Do your switches support DHCP Snooping? If so, you could turn that on
and only allow known-hosts to get an address via DHCP. Combine that
with Dynamic ARP Inspection and IP Source Guard, and maybe MAC Source
Guard or MAC Security on each edge switch port. It isn't perfect,
because someone could spoof a known allowed MAC address, but it is
pretty good without being as intrusive as 802.1x or captive portals.
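
A small Python model of the layered checks suggested in the reply above, added here as an illustration and not part of the original post: the DHCP server leases only to known MACs, the switch learns bindings from replies seen on its trusted uplink (DHCP snooping), and access-port traffic is checked against those bindings (Dynamic ARP Inspection / IP Source Guard). The class and function names, port names, MAC addresses and IP addresses are all constructed; real switches do this in hardware with vendor-specific configuration.

```python
"""Toy model: known-hosts DHCP + DHCP snooping + DAI / IP Source Guard.
All names, MACs, IPs and ports below are constructed for illustration."""
from dataclasses import dataclass

KNOWN_HOSTS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed allow-list


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str


class EdgeSwitch:
    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # uplinks toward the real DHCP server
        self.bindings = {}                       # access port -> Binding

    def dhcp_ack(self, ingress_port, client_port, mac, ip):
        """DHCP snooping: only replies arriving on a trusted port create a binding."""
        if ingress_port not in self.trusted_ports:
            return False                         # reply from a rogue server is dropped
        self.bindings[client_port] = Binding(mac.lower(), ip)
        return True

    def permit(self, port, src_mac, src_ip):
        """DAI / IP Source Guard: source MAC and IP must match the port's binding."""
        if port in self.trusted_ports:
            return True
        b = self.bindings.get(port)
        return b is not None and b.mac == src_mac.lower() and b.ip == src_ip


def server_offers(mac):
    """DHCP server policy: lease only to hosts on the known list."""
    return mac.lower() in KNOWN_HOSTS


def join(switch, port, mac, ip, uplink="uplink"):
    """A client on `port` asks for a lease; True if the switch ends up with a binding."""
    if not server_offers(mac):
        return False                             # unknown host: no lease, no binding
    return switch.dhcp_ack(uplink, port, mac, ip)
```

An unknown host that configures a static address never gets a binding, so `permit()` drops its traffic; a host that presents a known MAC does get one, which is the limitation the reply points out.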