[c-nsp] list wisdom please, Cisco switches
Nick Hilliard
nick at foobar.org
Tue Jan 15 17:09:06 EST 2013
On 15/01/2013 19:43, Blake Dunlap wrote:
> Yeah that's the reason. It's not about talking to one another, it's about
> protecting from attacks that could allow snooping on traffic flows, to
> hijacking.
This is mildly troublesome. What you really want in your switch is:
- dhcp option 82 support
- dhcp snooping
- DAI
- port security
- urpf on first hop
- RA guard / dhcpv6 snooping / ND guard if you're providing ipv6
- broadcast / multicast storm control
- lan broadcast segmentation for session hijack protection
- common L2 domain for public IP address assignment efficiency
Note that the last two cannot easily be achieved without per-port dhcp
filtering.
Nick
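As an added illustration (not part of Nick's post, and not taken from Cisco documentation), here is how that feature list maps onto a Catalyst-style IOS configuration. It assumes VLAN 100 is the customer VLAN using 203.0.113.0/24, that the router and DHCP server sit behind Gi1/0/48, and that the interface and policy names are placeholders; which of these commands a given switch model actually supports varies, and uRPF on an SVI in particular is platform dependent.

```cisco
! Global: DHCP snooping with option 82 insertion, DAI on the customer VLAN
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! IPv6 first-hop security: customer ports may not source RAs or DHCPv6 offers
ipv6 nd raguard policy CUSTOMER-HOST
 device-role host
ipv6 dhcp guard policy CUSTOMER-HOST
 device-role client
!
! Customer-facing access port (untrusted for snooping and DAI by default)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ! protected port: no direct L2 forwarding between customer ports on this switch,
 ! while all customers still share one VLAN/subnet for address efficiency
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 ipv6 nd raguard attach-policy CUSTOMER-HOST
 ipv6 dhcp guard attach-policy CUSTOMER-HOST
!
! Uplink towards the router and DHCP server: trusted for snooping and DAI
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! First-hop SVI with strict uRPF, dropping packets whose source is not
! reachable via the receiving interface
interface Vlan100
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
```

Protected ports only isolate ports on the same switch, which is why the broadcast-segmentation point still leans on per-port DHCP filtering as Nick notes.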