[c-nsp] Equipment for a large-ish LAN event
Mikael Abrahamsson
swmike at swm.pp.se
Wed Dec 9 05:43:10 EST 2015
On Wed, 9 Dec 2015, Roland Dobbins wrote:
> On 9 Dec 2015, at 8:19, Laurent Dumont wrote:
>
>> arp-inspection
>
> DAI is a self-defeating misfeature which can result in a self-DoS of the
> switch. Don't enable it!
>
> DHCP Snooping and IP Source Guard are very useful anti-spoofing mechanisms,
> and should be enabled on the access ports.
>
> Also, Root Guard, Loop Guard, and BPDU-Guard should be enabled in a
> situationally-appropriate manner.
Don't forget to enable this for IPv6 as well. Potentially you could use
protocol-based VLANs and put each player port into its own /64, which solves
most of the complexity and dynamic inspection stuff; you could even have
static ACLs on each subinterface/port if you want to.
--
Mikael Abrahamsson email: swmike at swm.pp.se
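The access-port hardening Roland lists (DHCP Snooping, IP Source Guard, BPDU Guard, Loop Guard, Root Guard) together with Mikael's point about doing the same for IPv6, collected into one IOS configuration. This is an added example, not configuration posted by either author or taken from the thread; the VLAN number, interface names, policy names and rate limit are assumptions, and the IPv6 first-hop security commands (RA Guard, DHCPv6 Guard, IPv6 snooping, IPv6 Source Guard) are only available on platforms and IOS releases that ship the IPv6 FHS feature set.

```cisco
! ---- IPv4: build a binding table from DHCP and filter on it ----
ip dhcp snooping
ip dhcp snooping vlan 100
! Only insert option 82 if the DHCP server is configured to accept it
no ip dhcp snooping information option
!
! ---- IPv6: policies for player (host) ports and for the uplink ----
ipv6 nd raguard policy PLAYER-HOST
 device-role host
ipv6 nd raguard policy UPLINK-ROUTER
 device-role router
ipv6 dhcp guard policy PLAYER-CLIENT
 device-role client
ipv6 dhcp guard policy UPLINK-SERVER
 device-role server
! ipv6 snooping builds the IPv6 binding table (from ND/DAD/DHCPv6) that
! IPv6 source guard checks against
ipv6 snooping policy PLAYER-SNOOP
 security-level guard
 tracking enable
ipv6 source-guard policy PLAYER-SG
!
! ---- player ports (assumed Gi1/0/1-24 in VLAN 100) ----
interface range GigabitEthernet1/0/1 - 24
 description player port
 switchport mode access
 switchport access vlan 100
 ! IPv4: untrusted by default for DHCP; rate-limit DHCP to stop a
 ! flooding client, and drop any IP traffic not matching a snooping binding
 ip dhcp snooping limit rate 15
 ip verify source
 ! IPv6: drop RAs and DHCPv6 server replies from players, learn bindings,
 ! and drop IPv6 traffic whose source is not in the binding table
 ipv6 nd raguard attach-policy PLAYER-HOST
 ipv6 dhcp guard attach-policy PLAYER-CLIENT
 ipv6 snooping attach-policy PLAYER-SNOOP
 ipv6 source-guard attach-policy PLAYER-SG
 ! STP: edge port, no switch expected behind it; err-disable on any BPDU
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---- uplink towards the distribution layer (DHCP server and IPv6 router
! sit behind it) ----
interface TenGigabitEthernet1/1/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ipv6 nd raguard attach-policy UPLINK-ROUTER
 ipv6 dhcp guard attach-policy UPLINK-SERVER
 ! Loop Guard on the port that may be root/alternate: if BPDUs stop
 ! arriving, keep it blocking instead of transitioning to forwarding.
 ! Root Guard and Loop Guard are mutually exclusive on one port.
 spanning-tree guard loop
!
! ---- on the distribution switch, facing each access switch ----
! Root Guard keeps an access switch (or a player's switch) from ever
! becoming STP root:
!   interface TenGigabitEthernet1/0/1
!    spanning-tree guard root
!
! Let ports shut by BPDU Guard or the DHCP rate limit recover on their own
errdisable recovery cause bpduguard
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

Two things to check before rolling this out to a hall full of players: `ip verify source` drops every IPv4 packet from a port until a DHCP snooping binding exists, so any box with a static address needs an `ip source binding` entry (or it silently gets nothing); and the DHCP rate limit err-disables the port when exceeded, so keep the recovery cause enabled or be prepared to clear ports by hand.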