One.
To prevent MAC address spoofing, enable "port security" on the switch; a forged MAC address will cause the secure port to enter the error-disabled (errdisable) state.
Two.
To prevent IP address spoofing, enable "DHCP snooping" globally on the switch.
IP spoofing mainly consists of forging the source address of an IP packet. The destination host sends its reply packet toward the network segment of the spoofed IP address, and the router re-encapsulates the packet in a new data frame; to do that it must know the IP-to-MAC address mapping. "DHCP snooping" ensures that the IP-to-MAC mapping is correct, so the response packet is returned to the real terminal.
As a result, the attacking side (the infected host) keeps sending data but receives no response data.
When a virus is spreading, this lets you find the attacking side.
The attacked side, by contrast, sends no data but receives a constant stream of responses.
While a virus is propagating, you can temporarily add a deny rule on the host firewall, or add a deny ACL statement on the switch port, to block the DDoS attack.
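The send-without-response and receive-without-send pattern described above can be checked mechanically. The following is an added example, not part of the original page: it compares constructed frame records against a constructed binding table of the kind DHCP snooping maintains. The port names, addresses and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed binding table of the kind DHCP snooping builds: port -> (MAC, leased IP).
BINDINGS = {
    "Gi0/1": ("aa:aa:aa:00:00:01", "10.0.0.11"),
    "Gi0/2": ("aa:aa:aa:00:00:02", "10.0.0.12"),
    "Gi0/3": ("aa:aa:aa:00:00:03", "10.0.0.13"),
}

# Constructed capture: (ingress port, source MAC, source IP, destination IP).
FRAMES = (
    # The host on Gi0/3 forges 10.0.0.11 as its source address three times.
    [("Gi0/3", "aa:aa:aa:00:00:03", "10.0.0.11", "10.0.0.12")] * 3
    # The host on Gi0/2 answers the forged address each time.
    + [("Gi0/2", "aa:aa:aa:00:00:02", "10.0.0.12", "10.0.0.11")] * 3
)


def binding_violations(frames, bindings):
    """Return frames whose source MAC/IP differs from the binding of their ingress port."""
    return [f for f in frames if bindings.get(f[0]) != (f[1], f[2])]


def traffic_balance(frames, bindings):
    """Per port: (frames sent from it, frames addressed to the IP bound to it)."""
    port_of_ip = {ip: port for port, (_mac, ip) in bindings.items()}
    sent, received = Counter(), Counter()
    for port, _mac, _src_ip, dst_ip in frames:
        sent[port] += 1
        if dst_ip in port_of_ip:
            received[port_of_ip[dst_ip]] += 1
    return {p: (sent[p], received[p]) for p in bindings}


def classify(frames, bindings):
    """Label ports: 'attacker' sends forged frames and gets nothing back,
    'spoofed' sends nothing but receives responses, anything else is 'normal'."""
    bad_ports = {f[0] for f in binding_violations(frames, bindings)}
    roles = {}
    for port, (tx, rx) in traffic_balance(frames, bindings).items():
        if port in bad_ports and tx > 0 and rx == 0:
            roles[port] = "attacker"
        elif tx == 0 and rx > 0:
            roles[port] = "spoofed"
        else:
            roles[port] = "normal"
    return roles


if __name__ == "__main__":
    print(classify(FRAMES, BINDINGS))
```

The port labelled "attacker" is the candidate for the temporary deny rule or port ACL.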
Prevention of "IP spoofing"