Securing network with static arp
Hi guys. I am trying to secure my LAN a little by doing static arp entries. But I am not sure how to go about doing this... I have a gateway, and I have a separate box that runs dhcpd. I would like to assign every machine an ip and only allow it to use that ip, therefore static dhcp entries, and static arp entries on the gateway.
1. But how do I prevent someone from picking an ip that nobody is using and assigning it manually?
2. I assigned a static arp entry by doing arp -i br0 -s 220.127.116.11 00:1F:E1:CC:2E:46, how do I remove it now? I used arp -d but now it just says:
? (18.104.22.168) at <incomplete> on br0
3. I would also like each machine to have a hostname/dns.. like machinex.local, where I can do forward and reverse dns lookups, how do I config this?
4. I know static arp can be fooled if someone just clones an allowed mac.. is there anything else that I could use that is more secure for wired lan?
5. I have my gateway running rflow sending all data to ntop running on my dhcp box.. Ntop is kinda cryptic, is there anything easier to use? or something that is better in features? I would like to see how much bandwidth each local ip is using and possibly what protocols, like ntop already shows.
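
An added example, not part of the original post: a small audit that compares the gateway's ARP table against the IP-to-MAC inventory that the static dhcp and static arp entries are supposed to enforce, flagging hand-picked addresses, wrong MACs and entries that were never pinned. The inventory, addresses and sample table are constructed for illustration; the table layout is that of Linux `/proc/net/arp`, and `br0` is the interface from the post.

```python
# Constructed inventory: IP -> MAC that static DHCP/ARP should enforce.
INVENTORY = {
    "192.0.2.10": "02:00:00:00:00:10",
    "192.0.2.11": "02:00:00:00:00:11",
    "192.0.2.12": "02:00:00:00:00:12",
}

# Constructed sample in the layout of Linux /proc/net/arp.
SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.10       0x1         0x6         02:00:00:00:00:10     *        br0
192.0.2.11       0x1         0x2         02:00:00:00:00:11     *        br0
192.0.2.12       0x1         0x2         02:00:00:00:00:99     *        br0
192.0.2.50       0x1         0x2         02:00:00:00:00:10     *        br0
192.0.2.60       0x1         0x0         00:00:00:00:00:00     *        br0
"""

ATF_COM, ATF_PERM = 0x02, 0x04  # kernel flags: entry complete / permanent (static)


def parse_arp(text, iface):
    """Return (ip, flags, mac) for each table row on the given interface."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6 or fields[5] != iface:
            continue
        rows.append((fields[0], int(fields[2], 16), fields[3].lower()))
    return rows


def audit(text, inventory, iface="br0"):
    """Return (ip, finding, mac) tuples for entries that break the inventory."""
    known_macs = {m.lower() for m in inventory.values()}
    findings = []
    for ip, flags, mac in parse_arp(text, iface):
        if not flags & ATF_COM:
            continue  # incomplete entry: no MAC learned, nothing to compare
        expected = inventory.get(ip)
        if expected is None:
            kind = "unlisted-ip-known-mac" if mac in known_macs else "unlisted-ip"
        elif mac != expected.lower():
            kind = "mac-mismatch"
        elif not flags & ATF_PERM:
            kind = "not-pinned"  # right MAC, but learned dynamically
        else:
            continue
        findings.append((ip, kind, mac))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, INVENTORY):
        print(*finding)
```

On the gateway itself, pass the contents of `/proc/net/arp` instead of `SAMPLE`.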