[c-nsp] Campus - Best Practices

Christophe Devriese Christophe.Devriese at eurid.eu
Wed Jun 28 08:33:43 EDT 2006


On Wednesday 28 June 2006 04:19, David West wrote:
> I've done a similar project using 2950-EI switches to feed about 8000
> apartments; here are a couple of recommendations from that experience:
>
> ACLs on every user facing port
> -drop DHCP server replies, etc (helpful when somebody plugs the wrong side
> of the Linksys in)
>
> Definitely use VLANs to break up the broadcast domain
> -also gives you another layer 3 chokepoint for ACLs
>
> Look into DHCP snooping, dynamic ARP inspection (DAI) and IP source guard,
> they are great layer 2 security features
>
> You can also use "protected ports" which will only allow a protected mode
> port to talk to a promiscuous port (usually the router) or private VLANs,
> however this breaks pretty much all peer to peer type activity (if that's a
> problem) as no hosts can talk to other hosts on local subnet.

If you enable proxy-arp on the router, this is not a problem. This also allows
you to ACL peer-to-peer connections (very helpful in case of a virus).

Regards,

Christophe Devriese
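The combination described in this thread (port ACLs that drop DHCP server replies, DHCP snooping, DAI, IP source guard, protected ports, and proxy ARP plus an ACL on the router so host-to-host traffic can be policed) fits together as one access-layer configuration. The following is an added illustration written for this page, not configuration posted by either author. Interface names, VLAN 100, the 10.100.0.0/22 subnet and the SMB ports in the router ACL are all assumed for the example; the exact feature set (in particular DAI and IP source guard) varies by Catalyst model, so check your platform's documentation before copying it.

```cisco
! ---- Access switch (constructed example) ----
! Users are on VLAN 100; Gi0/1 is the uplink to the router.
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option
! Dynamic ARP inspection uses the DHCP snooping binding table to drop spoofed ARP
ip arp inspection vlan 100
!
! Port ACL: a user port must never source DHCP server replies (UDP/67),
! which is what happens when the LAN side of a home router is plugged in.
ip access-list extended USER-PORT-IN
 remark drop DHCP server replies from user ports
 deny   udp any eq bootps any
 permit ip any any
!
interface GigabitEthernet0/1
 description Uplink to router: the only trusted port for snooping and DAI
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 48
 description Apartment user port
 switchport mode access
 switchport access vlan 100
 ! protected port: may only talk to non-protected ports (here, the uplink)
 switchport protected
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! IP source guard: source IP must match the DHCP snooping binding for this port
 ip verify source
 ip access-group USER-PORT-IN in
!
! ---- Router SVI for VLAN 100 (constructed example) ----
! With protected ports, hosts cannot ARP for each other, so the router answers
! on their behalf (proxy ARP, enabled by default on IOS and shown explicitly).
! All host-to-host traffic then crosses this interface, where an ACL can police it,
! e.g. to contain a worm spreading over SMB. Redirects are disabled so the router
! does not tell hosts to reach each other directly, which the protected ports block.
interface Vlan100
 description Apartment user VLAN (assumed addressing)
 ip address 10.100.0.1 255.255.252.0
 ip proxy-arp
 no ip redirects
 ip access-group USER-VLAN-IN in
!
ip access-list extended USER-VLAN-IN
 remark block SMB between apartments, allow everything else
 deny   tcp 10.100.0.0 0.0.3.255 10.100.0.0 0.0.3.255 eq 445
 deny   tcp 10.100.0.0 0.0.3.255 10.100.0.0 0.0.3.255 eq 139
 permit ip any any
```

Two things to verify after applying something like this: `show ip dhcp snooping binding` should list every active user with the port it was learned on (DAI and IP source guard both depend on that table, so a host with a static address will be dropped unless a static binding is added), and a test host should be able to reach a neighbouring apartment only through the router, with `show access-lists` counters on USER-VLAN-IN incrementing for the blocked ports.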