02-21-2008 06:10 PM - edited 03-05-2019 09:18 PM
Guys, I'm about to start a replacement of access switches project from the
current 2900's to 3750 stacks. We're deploying almost all of the L2 security
features and although I'm well adept to all of them technically, this is the
first time I'm going to work with them outside of a lab. I'm keen to know
what kind of extra resource time would they take up and what problems we'll
run into. Any experiences you guys have from the past which will aid me to
create an appropriate work plan for management to look at would help. My
management wants to know how many engineers should be involved and how much
of their time would be taken up over the next few months.
In particular, we're deploying these. Please make recommendations of other
security features I should look to deploy other than these:
1) port security - allow only 1 mac address to be seen on a port
2) DHCP snooping
3) Dynamic ARP inspection
Thank you in advance!
02-28-2008 10:02 AM
4) BPDUGuard on ports with portfast enabled.
__
Edison.
02-28-2008 11:42 AM
Hi,
Edison has listed an excellent point about L2 security features. I just added this post because I had some confusion in the past about whether to implement root guard or BPDU guard on an interface.
AFAIK, root guard will still allow a switch to receive BPDUs, although it won't allow superior hellos, but still it's allowed, whereas BPDU guard would put the port immediately into err-disable state once it receives BPDUs.
HTH
Mohamed
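Added example, not part of the original posts: a Cisco IOS configuration sketch that puts the four features named in this thread on one access switch and shows BPDU guard and root guard on different port types. VLAN 10, the interface numbers, the rate limit and the recovery interval are constructed values, not taken from the thread.

```cisco
! Constructed example: VLAN 10 and all interface numbers are assumptions.
!
! Global: DHCP snooping builds the binding table that Dynamic ARP
! Inspection (DAI) validates ARP packets against, so enable both
! for the same VLAN. Hosts with static IPs need an ARP ACL or they
! will be dropped by DAI.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Optional: recover err-disabled ports automatically instead of
! requiring a manual shutdown / no shutdown for every violation.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Uplink toward the DHCP server (assumed port): must be trusted,
! otherwise DHCP replies and upstream ARP are dropped.
interface GigabitEthernet1/0/49
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing edge port: one MAC address, PortFast with BPDU guard.
! Any received BPDU puts this port into err-disable.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
!
! Port facing a downstream switch (assumed): root guard still accepts
! BPDUs, but a superior BPDU moves the port to root-inconsistent
! (blocked) until the superior BPDUs stop; it is not err-disabled.
interface GigabitEthernet1/0/24
 spanning-tree guard root
```

`show port-security`, `show ip dhcp snooping binding`, `show ip arp inspection statistics` and `show interfaces status err-disabled` are the commands to check each feature after a cutover.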