[c-nsp] L2/DHCP protection
Jason Lixfeld
jason at lixfeld.ca
Thu May 31 10:00:49 EDT 2012
I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.
So far, I've built up a config that looks sorta like so:
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 4001-4003
switchport mode trunk
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security violation shutdown vlan
switchport port-security maximum 1 vlan
logging event link-status
logging event trunk-status
storm-control broadcast include multicast
storm-control broadcast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 1
ip dhcp snooping information option allow-untrusted
!
In addition to above, there was the 'port-type uni' feature on the ME3400 and 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?
Anything else anyone can think of that might be useful here, or anything that is redundant and useless?
Thanks in advance!
More information about the cisco-nsp
mailing list