[c-nsp] L2/DHCP protection
Ryan West
rwest at zyedge.com
Thu May 31 10:19:49 EDT 2012
On May 31, 2012, at 10:01 AM, "Jason Lixfeld" <jason at lixfeld.ca> wrote:
> I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.
>
> So far, I've built up a config that looks sorta like so:
>
> !
> interface GigabitEthernet1/1
> switchport trunk allowed vlan 4001-4003
> switchport mode trunk
> switchport nonegotiate
> switchport block multicast
> switchport block unicast
> switchport port-security violation shutdown vlan
> switchport port-security maximum 1 vlan
> logging event link-status
> logging event trunk-status
> storm-control broadcast include multicast
> storm-control broadcast level 1.00
> storm-control action shutdown
> storm-control action trap
> no cdp enable
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> ip verify source vlan dhcp-snooping port-security
> ip dhcp snooping limit rate 1
> ip dhcp snooping information option allow-untrusted
> !
>
> In addition to above, there was the 'port-type uni' feature on the ME3400 and 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?
>
Private-vlan isolated to mimic switchport protected and DAI for your DHCP needs.
> Anything else anyone can think of that might be useful here, or anything that is redundant and useless?
>
> Thanks in advance!
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list