Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Cisco: NSP
L2/DHCP protection

Index | Next | Previous | View Flat

jason at lixfeld

May 31, 2012, 7:00 AM

Views: 973
L2/DHCP protection

I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.

So far, I've built up a config that looks sorta like so:

interface GigabitEthernet1/1
switchport trunk allowed vlan 4001-4003
switchport mode trunk
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security violation shutdown vlan
switchport port-security maximum 1 vlan
logging event link-status
logging event trunk-status
storm-control broadcast include multicast
storm-control broadcast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 1
ip dhcp snooping information option allow-untrusted

In addition to above, there was the 'port-type uni' feature on the ME3400 and 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?

Anything else anyone can think of that might be useful here, or anything that is redundant and useless?

Thanks in advance!
cisco-nsp mailing list cisco-nsp [at] puck
archive at http://puck.nether.net/pipermail/cisco-nsp/

Subject User Time
L2/DHCP protection jason at lixfeld May 31, 2012, 7:00 AM
    Re: L2/DHCP protection rwest at zyedge May 31, 2012, 7:19 AM

  Index | Next | Previous | View Flat

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.