Mailing List Archive: Cisco: NSP

L2/DHCP protection


jason at lixfeld

May 31, 2012, 7:00 AM

Post #1 of 2
L2/DHCP protection

I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.

So far, I've built up a config that looks sorta like so:

!
interface GigabitEthernet1/1
switchport trunk allowed vlan 4001-4003
switchport mode trunk
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security violation shutdown vlan
switchport port-security maximum 1 vlan
logging event link-status
logging event trunk-status
storm-control broadcast include multicast
storm-control broadcast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 1
ip dhcp snooping information option allow-untrusted
!

In addition to above, there was the 'port-type uni' feature on the ME3400 and 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?

Anything else anyone can think of that might be useful here, or anything that is redundant and useless?

Thanks in advance!
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


rwest at zyedge

May 31, 2012, 7:19 AM

Post #2 of 2
Re: L2/DHCP protection [In reply to]

On May 31, 2012, at 10:01 AM, "Jason Lixfeld" <jason [at] lixfeld> wrote:

> I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.
>
> So far, I've built up a config that looks sorta like so:
>
> !
> interface GigabitEthernet1/1
> switchport trunk allowed vlan 4001-4003
> switchport mode trunk
> switchport nonegotiate
> switchport block multicast
> switchport block unicast
> switchport port-security violation shutdown vlan
> switchport port-security maximum 1 vlan
> logging event link-status
> logging event trunk-status
> storm-control broadcast include multicast
> storm-control broadcast level 1.00
> storm-control action shutdown
> storm-control action trap
> no cdp enable
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> ip verify source vlan dhcp-snooping port-security
> ip dhcp snooping limit rate 1
> ip dhcp snooping information option allow-untrusted
> !
>
> In addition to above, there was the 'port-type uni' feature on the ME3400 and 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?
>

Private-vlan isolated to mimic switchport protected and DAI for your DHCP needs.


> Anything else anyone can think of that might be useful here, or anything that is redundant and useless?
>
> Thanks in advance!

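An added example, not from either poster: a small Python audit that takes a 4500-style running-config excerpt and reports which of the protections discussed in this thread are missing on a customer-facing port. The sample config embedded in it is constructed for the example; it combines the hardening lines from the original post with the two items suggested in the reply, an isolated private VLAN (assumed ids: 4001 primary, 4011 isolated) and DAI, plus the global DHCP snooping enable and a trusted uplink (assumed name TenGigabitEthernet1/49) without which snooping would drop the real server's replies. Snooping and DAI are enabled on the primary VLAN, which is where they are configured for private VLANs. The check list, message wording and the second sample port are mine. One caveat the audit flags from the original config: an interface-level `spanning-tree bpdufilter enable` drops received BPDUs before `bpduguard` can act on them, so the guard never fires.

```python
# Added example: audit a running-config excerpt for the L2 protections in
# the thread. VLAN ids, the uplink name and all messages are assumptions.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 4001-4003
ip arp inspection vlan 4001-4003
!
vlan 4001
 private-vlan primary
 private-vlan association 4011
!
vlan 4011
 private-vlan isolated
!
interface TenGigabitEthernet1/49
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 4001 4011
 switchport nonegotiate
 switchport port-security maximum 1 vlan
 switchport port-security violation shutdown vlan
 storm-control broadcast level 1.00
 no cdp enable
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 1
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 4001-4003
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
"""

# (line prefix a customer port must carry, finding reported if it does not)
CUSTOMER_PORT_CHECKS = [
    ("ip dhcp snooping limit rate", "no DHCP rate limit on the port"),
    ("ip verify source", "no IP Source Guard: clients can spoof source IPs"),
    ("switchport port-security", "no port security: MAC flooding possible"),
    ("storm-control broadcast", "no broadcast storm control"),
    ("spanning-tree bpduguard enable", "no BPDU guard on a customer-facing port"),
    ("switchport nonegotiate", "DTP negotiation not disabled"),
    ("no cdp enable", "CDP still enabled towards the customer"),
]


def parse_config(text):
    """Split a show-run dump into global lines and {section header: [lines]}."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes the current section
            current = None
        elif line.startswith(("interface ", "vlan ")):
            current, sections[line] = line, []
        else:
            (sections[current] if current else global_lines).append(line)
    return global_lines, sections


def expand_vlans(spec):
    """'4001-4003,4010' -> {4001, 4002, 4003, 4010}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def vlans_after(lines, prefix):
    """Union of the VLAN ranges on every global line starting with prefix."""
    return set().union(*(expand_vlans(l[len(prefix):].strip())
                         for l in lines if l.startswith(prefix + " ")))


def port_vlans(lines):
    """VLANs a customer port carries; for a PVLAN host port this is the
    primary VLAN, where DHCP snooping and DAI are configured for PVLANs."""
    for l in lines:
        if l.startswith("switchport trunk allowed vlan "):
            return expand_vlans(l.split()[-1])
        if l.startswith("switchport private-vlan host-association "):
            return {int(l.split()[-2])}
    return set()


def audit(text, customer_ports):
    """Return {port or 'global': [findings]}; an empty list means no gap found."""
    global_lines, sections = parse_config(text)
    findings = {"global": [], **{p: [] for p in customer_ports}}
    snoop = vlans_after(global_lines, "ip dhcp snooping vlan")
    dai = vlans_after(global_lines, "ip arp inspection vlan")
    if "ip dhcp snooping" not in global_lines:
        findings["global"].append("ip dhcp snooping not enabled globally")
    if not any("ip dhcp snooping trust" in ls for ls in sections.values()):
        findings["global"].append("no trusted port: replies from the real DHCP server would be dropped")
    for port in customer_ports:
        lines, out = sections.get(f"interface {port}", []), findings[port]
        for prefix, msg in CUSTOMER_PORT_CHECKS:
            if not any(l.startswith(prefix) for l in lines):
                out.append(msg)
        if {"spanning-tree bpdufilter enable", "spanning-tree bpduguard enable"} <= set(lines):
            out.append("bpdufilter drops BPDUs before bpduguard sees them, so guard never fires")
        if not (any(l.startswith("switchport mode private-vlan host") for l in lines)
                or "switchport protected" in lines):
            out.append("no isolated private VLAN / protected port: customers can reach each other")
        if "ip dhcp snooping trust" in lines:
            out.append("customer port is snooping-trusted: a rogue DHCP server would be accepted")
        for name, covered in (("DHCP snooping", snoop), ("DAI", dai)):
            missing = sorted(port_vlans(lines) - covered)
            if missing:
                out.append(f"{name} not enabled on VLAN(s) {missing}")
    return findings


if __name__ == "__main__":
    for scope, msgs in audit(SAMPLE_CONFIG, ["GigabitEthernet1/1", "GigabitEthernet1/2"]).items():
        print(scope, "->", msgs or "OK")
```

Run against the sample, GigabitEthernet1/1 (private-VLAN host port with the full set of per-port protections) comes back clean, while GigabitEthernet1/2 (plain trunk with only the STP lines) is reported for the missing per-port features, the bpdufilter/bpduguard conflict and the lack of customer isolation. Feed it a `show running-config` copy and the list of customer-facing interfaces to get the same report for a live box.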