I know it is very easy to spoof an IP address from the outside of a network. How hard is it to spoof a MAC address or when you spoof the IP address are you spoofing the MAC address as well? I want to set up my 3524 switches to only allow specified MAC addresses through. The logistics are not a problem as we are a smaller company. I want to know would I be wasting my time gathering the MAC addresses and putting them in the switches if the MAC addresses can be as easily spoofed as an IP address.
MAC addresses can be as easily spoofed as IP, but the MAC address is rewritten for each link, unlike the IP addresses, which are preserved end-to-end. So the spoofed MAC is only spoofed for the segment that it's injected on; after that the packet is rewritten by the networking gear (except for hubs, which are just backbones in a box).
I think it does. What your answer boils down to is that once the initial MAC address is spoofed it is a moot point, because the switch would rewrite the packet with its own MAC address and pass the packet along anyway, thereby bypassing any access list set up on the switch to stop unlisted MAC addresses from getting forwarded. Is this correct? If so, is there any way to effectively stop an unauthorized packet at the switch level?
Yes, there is a way to do this. On the Catalyst 6XXX series (and I'm pretty sure it's on other Cisco switches like the 2900 series) you are looking for the "set port security ..." feature. I'll be the first to admit that I've never used the functionality, I just know that it exists, so check your documentation. It is supposed to allow you to configure some number of MAC addresses as "secure" or allowed on a port. My understanding is that if you hook up a device or spoof a MAC not on the allowed list for that port, the switch can disable the port. There is also some mode called "restricted" that I haven't a clue about...this stuff wasn't part of the CCNA exam ;-).
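Added example, not from anyone in this thread: the per-port feature described above in later Cisco IOS syntax (`switchport port-security`), with one interface in shutdown mode and one in restrict mode so the two violation behaviours can be compared. The interface names and the MAC address are placeholders. The 3524 (Catalyst 3500XL) uses an older IOS image whose port security commands differ from what is shown here, so treat this as an illustration of the feature and confirm the exact syntax in the documentation for your software version.

```cisco
! Constructed example: port-security on two access ports (later IOS syntax, not 3500XL)
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! only one MAC may be active on this port; the allowed address is fixed in config
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 ! shutdown: any other source MAC puts the port in err-disabled state
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! sticky: the first MAC seen on the port is learned and written into running-config
 switchport port-security mac-address sticky
 ! restrict: frames from other MACs are dropped, the violation counter increments
 ! and a log message is generated, but the port stays up
 switchport port-security violation restrict
!
! recover an err-disabled port automatically after the violation is cleared
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

After applying this, `show port-security interface FastEthernet0/1` and `show port-security address` show the configured addresses, the violation count, and whether the port is currently secure-up or secure-shutdown; a rising violation counter on a port is the thing to alert on. This only enforces on the switch port the device is plugged into, which is exactly where the spoofed MAC is visible; once a frame has been routed the original MAC is gone, so there is no point trying to filter on it anywhere else.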