[c-nsp] list wisdom please, Cisco switches
Mattias Gyllenvarg
Mattias.Gyllenvarg at bredband2.se
Wed Jan 16 01:40:20 EST 2013
Added arp inspection to your list.
- dhcp option 82 support
- dhcp snooping
- DAI
- port security
- urpf on first hop
- RA guard / dhcpv6 snooping / ND guard if you're providing ipv6
- broadcast / multicast storm control
- lan broadcast segmentation for session hijack protection
- common L2 domain for public IP address assignment efficiency
- ip arp inspection vlan <vlan-id>
On 15 January 2013 23:09, Nick Hilliard <nick at foobar.org> wrote:
> On 15/01/2013 19:43, Blake Dunlap wrote:
> > Yeah that's the reason. It's not about talking to one another, it's about
> > protecting from attacks that could allow snooping on traffic flows, to
> > hijacking.
>
> This is mildly troublesome. What you really want in your switch is:
>
> - dhcp option 82 support
> - dhcp snooping
> - DAI
> - port security
> - urpf on first hop
> - RA guard / dhcpv6 snooping / ND guard if you're providing ipv6
> - broadcast / multicast storm control
> - lan broadcast segmentation for session hijack protection
> - common L2 domain for public IP address assignment efficiency
>
> note that the last two cannot easily be achieved without per-port dhcp
> filtering.
>
> Nick
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
*Med Vänliga Hälsningar - Best Regards*
*Mattias Gyllenvarg*
*Network Development*
Bredband2
Tel: +46 406219712
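For readers who want to see what the feature list above looks like on a Catalyst access switch, here is an added IOS configuration example; it is not from either poster, and the VLAN number, interface names, policy names and rate limits are assumptions. It enables DHCP snooping with option 82, DAI on the VLAN (the `ip arp inspection vlan` command named above), port security, storm control, RA guard plus IPv6 snooping for the v6 case, and uRPF on the SVI that acts as first hop. Exact syntax and feature availability vary by platform and IOS release, so check against your own image.

```cisco
! Global: DHCP snooping with option 82 insertion, DAI on the customer VLAN
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! IPv6 first-hop security policies (names are assumptions)
ipv6 nd raguard policy HOST-PORT
 device-role host
ipv6 nd raguard policy UPLINK
 device-role router
ipv6 snooping policy HOST-PORT
 security-level guard
 device-role node
!
! Customer-facing access port: untrusted for DHCP/ARP, limited and isolated
interface GigabitEthernet1/0/1
 description customer access port
 switchport mode access
 switchport access vlan 100
 switchport protected
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 ipv6 nd raguard attach-policy HOST-PORT
 ipv6 snooping attach-policy HOST-PORT
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink towards the aggregation layer: the only place DHCP offers and
! gratuitous ARP from the gateway are allowed in
interface GigabitEthernet1/0/48
 description uplink to aggregation
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 ipv6 nd raguard attach-policy UPLINK
!
! First-hop SVI: strict uRPF drops packets whose source is not reachable
! back through the interface they arrived on (address is an assumption)
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Checks worth running after rollout:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 100
!   show ip arp inspection statistics vlan 100
!   show port-security interface GigabitEthernet1/0/1
!   show storm-control
```

Two points that matter operationally: DAI depends on the DHCP snooping binding table, so any port carrying a legitimate DHCP server or a static-addressed host needs either `trust` or an ARP ACL, and `switchport protected` only isolates ports on the same switch, which is the gap Nick refers to when he says the last two items need per-port DHCP filtering.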