[c-nsp] L2 security features on ME3600

Jason Lixfeld jason at lixfeld.ca
Fri Dec 5 11:23:47 EST 2014

I’m looking into the ME3600’s potential as an edge device in a managed service environment where we would be serving DHCP for customers hanging off of ‘access’ ports:  one customer on one port, with each customer port in the same bridge-domain.

To cover the security side, I’m looking at implementing some of the more common L2 security features:  Dynamic ARP Inspection, DHCP Snooping and IP Source Guard.

DHCP snooping seems to be supported just fine; however, I’m running up against some issues with DAI and IPSG.

To prevent L2 cross-talk between customer ports in the same bridge-domain, I’m looking at making each ‘access’ port an EVC and using service instance split horizon.  This prevents the L2 cross-talk just fine, but it seems to have the side-effect of breaking DAI.  The docs suggest that DAI will only work on an ‘access’ port, which I assume to mean it will only work in the classic ‘switchport mode access’ configuration.  In an EVC environment, the switchport mode is trunk.  If this is in fact the case, then I’m left with using classic access ports, which prevents me from blocking L2 cross-talk, since the ME3600s don’t support the UNI port type (in favour of EVCs).

Lastly, IP Source Guard seems to be a completely non-existent feature.  My goal here is to prevent a customer from throwing up a DHCP server on their port.  This presumably wouldn’t be a problem in an EVC/split-horizon configuration, but if I needed to drop EVCs in order to support DAI, I could use an ACL on the SVI to filter DHCP/BOOTP server packets on ingress.  The problem then is that I can’t prevent L2 cross-talk in classic access port mode.

So, in summary -

- Is IPSG indeed a no-show on this platform (running 15.3(3)S2)?
- Is there a hook for DAI with EVC on this platform?
- If not, is there some other method of preventing L2 cross-talk between access ports in lieu of EVC/split-horizon?

Thanks for any insight.
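For readers following the thread, here is an added configuration sketch (not from the original post or from Cisco's documentation) of the two designs the post weighs against each other: EVC customer ports with split horizon, and classic access ports with DAI, both sitting on DHCP snooping, plus the SVI ACL the post proposes. Interface names, VLAN/bridge-domain 100, the ACL name, the SVI and helper addresses (RFC 5737 documentation ranges), and the exact `split-horizon group` syntax are assumptions; check the last two against the 15.3(3)S2 configuration guide for the ME3600X before relying on them.

```ios
! Added example, not the original poster's configuration. Assumed names:
! Gi0/1 and Gi0/2 are customer ports, Gi0/24 is the uplink toward the
! DHCP server, and VLAN/bridge-domain 100 carries the customer service.
!
! --- Rogue DHCP server prevention: DHCP snooping already covers this ---
! Ports are untrusted unless marked trusted; DHCP snooping drops server
! messages (DHCPOFFER/ACK/NAK) that arrive on an untrusted port, so a
! customer-side DHCP server cannot answer anyone, IPSG or not.
ip dhcp snooping
ip dhcp snooping vlan 100
!
interface GigabitEthernet0/24
 description uplink toward the real DHCP server (trusted)
 switchport trunk allowed vlan none
 switchport mode trunk
 ip dhcp snooping trust
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
!
! --- Variant A: EVC customer ports with split horizon (no L2 cross-talk) ---
! Untagged customer frames enter EFP 1 and are bridged into bridge-domain
! 100. EFPs in the same split-horizon group never forward to each other,
! so a customer reaches the uplink EFP and the SVI but not another customer.
! (group syntax assumed; verify against the release's EVC chapter)
interface GigabitEthernet0/1
 description customer A
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 100 split-horizon group 0
!
interface GigabitEthernet0/2
 description customer B
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 100 split-horizon group 0
!
! --- Variant B: classic access ports, if DAI is required ---
! DAI validates each ARP packet from an untrusted port against the DHCP
! snooping binding table (sender IP/MAC must match a lease on that port);
! the uplink is trusted so the gateway's ARP is not inspected. In this
! variant nothing stops customer A from bridging straight to customer B.
ip arp inspection vlan 100
!
interface GigabitEthernet0/24
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description customer A (classic access; replaces the EFP config above)
 switchport mode access
 switchport access vlan 100
!
! --- The SVI ACL from the post ---
! Drops anything a customer sends toward the SVI from UDP/67 (bootps).
! Caveat: a router ACL on an SVI only sees traffic routed through the SVI.
! A DHCPOFFER bridged directly from one access port to another in VLAN 100
! never touches it, which is why DHCP snooping's untrusted-port drop, not
! this ACL, is the control that keeps a rogue server away from other
! customers in Variant B.
ip access-list extended CUSTOMER-NO-DHCP-SERVER
 deny   udp any eq bootps any
 permit ip any any
!
interface Vlan100
 description customer gateway and DHCP relay (addresses assumed)
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
 ip access-group CUSTOMER-NO-DHCP-SERVER in
```

The two variants are alternatives for the same customer ports, not meant to coexist; Variant A is the one that answers the cross-talk requirement, Variant B the one that answers the DAI requirement, which is exactly the trade-off the post is asking the list about.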
