jason at lixfeld
May 31, 2012, 7:00 AM
I'm serving some customers DHCP addresses off of a 4500R+E/SUP7L-E box, and I'm wondering what features other folks are using to prevent nefarious activities (rogue DHCP servers, spoofing, ARP poisoning, STP BPDUs, storms, etc.) from causing havoc when initiated from the customer side.
So far, I've built up a config that looks sorta like so:
switchport trunk allowed vlan 4001-4003
switchport mode trunk
switchport block multicast
switchport block unicast
switchport port-security violation shutdown vlan
switchport port-security maximum 1 vlan
logging event link-status
logging event trunk-status
storm-control broadcast include multicast
storm-control broadcast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 1
ip dhcp snooping information option allow-untrusted
In addition to above, there was the 'port-type uni' feature on the ME3400 and 'switchport protected' feature on the 3550s that would prevent two customers on the same VLAN from being able to talk together. I can't seem to find their equivalent on the 4500. Do they exist?
Anything else anyone can think of that might be useful here, or anything that is redundant and useless?
Thanks in advance!
cisco-nsp mailing list cisco-nsp [at] puck
archive at http://puck.nether.net/pipermail/cisco-nsp/