I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.
So far, I've built up a config that looks sorta like so:

!
interface GigabitEthernet1/1
 switchport trunk allowed vlan 4001-4003
 switchport mode trunk
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport port-security violation shutdown vlan
 switchport port-security maximum 1 vlan
 logging event link-status
 logging event trunk-status
 storm-control broadcast include multicast
 storm-control broadcast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 1
 ip dhcp snooping information option allow-untrusted
!

In addition to the above, there was the 'port-type uni' feature on the ME3400 and the 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?

Anything else anyone can think of that might be useful here, or anything that is redundant and useless?

Thanks in advance!

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
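Added example, not from the post or the list: a small audit script that parses a Catalyst-style running-config and reports which of the per-port controls listed above are missing on customer-facing ports, plus the global 'ip dhcp snooping' / 'ip dhcp snooping vlan' lines that the per-port rate limit and IP source guard depend on. The regex baseline and the sample config are constructed for illustration.

```python
import re
# Per-port controls named in the post's config, one regex each (constructed baseline).
PORT_BASELINE = {
    "port-security": r"^switchport port-security",
    "storm-control": r"^storm-control broadcast level",
    "bpduguard": r"^spanning-tree bpduguard enable",
    "dhcp-snooping-rate": r"^ip dhcp snooping limit rate",
    "ip-source-guard": r"^ip verify source vlan dhcp-snooping",
}
# Global prerequisites: rate limit and IP source guard need DHCP snooping on globally and per VLAN.
GLOBAL_BASELINE = {
    "dhcp-snooping": r"^ip dhcp snooping$",
    "dhcp-snooping-vlan": r"^ip dhcp snooping vlan \S+",
}
def parse_ios(config):
    """Split an IOS config into (global lines, {interface name: [stanza lines]})."""
    glob, ifaces, cur = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # '!', a blank line or any other unindented line ends the stanza
            if line.strip() and not line.startswith("!"):
                glob.append(line.strip())
    return glob, ifaces
def audit(config, customer_ports):
    """Return {scope: [missing controls]} for 'global' and each customer-facing port."""
    glob, ifaces = parse_ios(config)
    gaps = lambda base, lines: [n for n, rx in base.items()
                                if not any(re.search(rx, l) for l in lines)]
    report = {"global": gaps(GLOBAL_BASELINE, glob)}
    for port in customer_ports:
        report[port] = gaps(PORT_BASELINE, ifaces.get(port, []))
    return {scope: missing for scope, missing in report.items() if missing}
# Constructed sample: Gi1/1 matches the post, Gi1/2 is half done, global 'ip dhcp snooping' is absent.
SAMPLE = """ip dhcp snooping vlan 4001-4003
interface GigabitEthernet1/1
 switchport port-security maximum 1 vlan
 storm-control broadcast level 1.00
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 1
!
interface GigabitEthernet1/2
 storm-control broadcast level 1.00
"""
```

Running audit(SAMPLE, ["GigabitEthernet1/1", "GigabitEthernet1/2"]) flags the missing global 'ip dhcp snooping' line and the four controls absent on Gi1/2, while Gi1/1 passes clean.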
