Added arp inspection to your list.

- dhcp option 82 support
- dhcp snooping
- DAI
- port security
- urpf on first hop
- RA guard / dhcpv6 snooping / ND guard if you're providing ipv6
- broadcast / multicast storm control
- lan broadcast segmentation for session hijack protection
- common L2 domain for public IP address assignment efficiency
- ip arp inspection vlan <vlan-id>

On 15 January 2013 23:09, Nick Hilliard <n...@foobar.org> wrote:
> On 15/01/2013 19:43, Blake Dunlap wrote:
> > Yeah that's the reason. It's not about talking to one another, it's about
> > protecting from attacks that could allow snooping on traffic flows, to
> > hijacking.
>
> This is mildly troublesome. What you really want in your switch is:
>
> - dhcp option 82 support
> - dhcp snooping
> - DAI
> - port security
> - urpf on first hop
> - RA guard / dhcpv6 snooping / ND guard if you're providing ipv6
> - broadcast / multicast storm control
> - lan broadcast segmentation for session hijack protection
> - common L2 domain for public IP address assignment efficiency
>
> note that the last two cannot easily be achieved without per-port dhcp
> filtering.
>
> Nick
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Kind Regards - Best Regards
Mattias Gyllenvarg
Network Development
Bredband2
Tel: +46 406219712
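The checklist in the thread, written out as a Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread or shipped by Cisco; the VLAN number (100), the interface names, the policy name HOSTS, the rate limits and storm-control thresholds are all assumptions to be replaced with site values. The point it makes that the list alone does not: DHCP snooping and DAI only work if the uplink towards the real DHCP server and gateway is explicitly marked trusted, otherwise legitimate DHCP offers and ARP replies are dropped along with the spoofed ones.

```cisco
! ---- global: DHCP snooping, Option 82, DAI ----
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option        ! insert Option 82 (circuit/remote id)
ip arp inspection vlan 100                  ! DAI: validate ARP against snooping binding table
ip arp inspection validate src-mac dst-mac ip
!
! ---- global: IPv6 first-hop security policies (only if IPv6 is provided) ----
ipv6 nd raguard policy HOSTS
 device-role host                           ! customer ports never originate RAs
ipv6 dhcp guard policy HOSTS
 device-role client                         ! customer ports never originate DHCPv6 replies
ipv6 nd inspection policy HOSTS             ! ND guard; command set varies by platform/release
!
! ---- customer-facing access port ----
interface GigabitEthernet1/0/1
 description customer port
 switchport mode access
 switchport access vlan 100
 switchport protected                       ! no direct L2 forwarding between protected ports
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15             ! pps; port is untrusted by default
 ip arp inspection limit rate 15            ! pps; port is untrusted by default
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 ipv6 nd raguard attach-policy HOSTS
 ipv6 dhcp guard attach-policy HOSTS
 ipv6 nd inspection attach-policy HOSTS
!
! ---- uplink towards DHCP server and default gateway: must be trusted ----
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- uRPF on the first hop (L3 SVI on the same box; requires CEF) ----
interface Vlan100
 ip address 192.0.2.1 255.255.255.0        ! assumed documentation prefix
 ip verify unicast source reachable-via rx
```

Two caveats a practitioner will hit: `switchport protected` only isolates ports on the same switch, so the "lan broadcast segmentation" item across a stack or several switches still needs private VLANs or the per-port DHCP filtering Nick mentions; and DAI drops every ARP packet from an untrusted port whose sender does not appear in the snooping binding table, so statically addressed customers need an `arp access-list` bound with `ip arp inspection filter`, or they lose connectivity the moment DAI is enabled.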