On May 31, 2012, at 10:01 AM, "Jason Lixfeld" <[email protected]> wrote:
> I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and
> I'm wondering what features other folks are using to prevent nefarious
> activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms,
> etc.) from causing havoc when initiated from the customer side.
>
> So far, I've built up a config that looks sorta like so:
>
> !
> interface GigabitEthernet1/1
>  switchport trunk allowed vlan 4001-4003
>  switchport mode trunk
>  switchport nonegotiate
>  switchport block multicast
>  switchport block unicast
>  switchport port-security violation shutdown vlan
>  switchport port-security maximum 1 vlan
>  logging event link-status
>  logging event trunk-status
>  storm-control broadcast include multicast
>  storm-control broadcast level 1.00
>  storm-control action shutdown
>  storm-control action trap
>  no cdp enable
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
>  ip verify source vlan dhcp-snooping port-security
>  ip dhcp snooping limit rate 1
>  ip dhcp snooping information option allow-untrusted
> !
>
> In addition to above, there was the 'port-type uni' feature on the ME3400 and
> 'switchport protected' feature on the 3550s that would prevent two customers
> on the same VLAN from being able to talk together. I can't seem to find
> their equivalent on the 4500. Do they exist?

Private-vlan isolated to mimic switchport protected and DAI for your DHCP needs.

> Anything else anyone can think of that might be useful here, or anything that
> is redundant and useless?
>
> Thanks in advance!
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
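Editor's note: the reply above names the two features (isolated private VLAN and Dynamic ARP Inspection) but gives no configuration. The fragment below is an added illustration, not from the thread or from either poster, of how those two fit with the DHCP snooping and IP Source Guard already in the original port config. It assumes a single customer VLAN per port (4001 as the primary, 4011 as its isolated secondary), GigabitEthernet1/48 as the uplink towards the DHCP server and router, and VTP transparent mode; all of those are illustrative choices, not values from the thread.

```cisco
! Added example (not from the thread). VLAN numbers, interface names and the
! uplink location are assumptions chosen for illustration.
!
! --- Private VLAN: 4001 primary, 4011 isolated secondary ---
! Ports in the isolated VLAN can reach only promiscuous ports (the uplink),
! never each other, which is the 'switchport protected' / 'port-type uni'
! behaviour asked about in the thread.
vtp mode transparent
!
vlan 4011
 private-vlan isolated
!
vlan 4001
 private-vlan primary
 private-vlan association 4011
!
! --- DHCP snooping: DAI and IP Source Guard both rely on the binding table
! --- that snooping builds, so it must be on before either does anything.
ip dhcp snooping
ip dhcp snooping vlan 4001
!
! --- Dynamic ARP Inspection on the primary VLAN ---
! validate: also drop ARPs whose Ethernet src/dst MAC or IP fields are
! inconsistent with the ARP body (gratuitous ARP with bogus sender, etc.).
! Check after applying: show ip arp inspection vlan 4001
ip arp inspection vlan 4001
ip arp inspection validate src-mac dst-mac ip
!
! --- Customer-facing port: isolated host, untrusted, rate-limited ---
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 4001 4011
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source vlan dhcp-snooping port-security
 storm-control broadcast include multicast
 storm-control broadcast level 1.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree bpduguard enable
 no cdp enable
!
! --- Uplink to the DHCP server / gateway: promiscuous and trusted ---
! Only here may DHCP OFFER/ACK and ARP replies arrive without inspection;
! a DHCP server on any customer port is dropped by snooping.
interface GigabitEthernet1/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 4001 4011
 ip dhcp snooping trust
 ip arp inspection trust
```

Two practitioner notes on the original port config, independent of the example. First, `spanning-tree bpdufilter enable` at interface level discards received BPDUs before BPDU Guard sees them, so with both configured on the same port the guard never fires; keep only `bpduguard` if the intent is to err-disable a customer that sends BPDUs. Second, `ip dhcp snooping limit rate 1` is one DHCP packet per second; a customer router that retries DISCOVER quickly after a link flap will err-disable its own port, so a slightly higher limit (as in the example) with `errdisable recovery cause dhcp-rate-limit` is usually kinder. The isolated host port shown carries one VLAN pair; where the customer port must remain a trunk for 4001-4003, the Catalyst 4500's private-VLAN trunk port modes are the thing to look up, and that case is not shown here.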
