=>Features like DHCP snooping and DAI can be used to mitigate various ARP-based network exploits.
Please refer:
SAFE
http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp1002312
Conf_Guide
http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080435791.html#wp1120427
Ideally, in a campus network with L2 access design, we have dhcp server on distribution layer. Thus, we assign dhcp server ports as trusted and keep rest as untrusted so that we do not recieve any DHCP server type response from anywhere else in the network.
2) "switchport noneg" is typically used while connecting to routers or third party devices that do not support DTP, to prevent inconsistencies while link negotiation and results in unconditional trunking.
BPDU filtering is not recommended as such by any best practice, and neither would I. If an attacker connects to a port with bpdu filering, the port will lose portfast status and start participating in stp, and can damage the network to some extent. Whatmore, after he's through and you connect some authorized device, it would take default stp time = 20-50 sec for him to be on the network. Thus, I would recommend using BPDU Guard anyday over BPDU filtering.
For further references:
DTP/Trunking:
http://www.cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml
BPDU Filtering:
http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a5c.html
3) Cisco Content Switches Network typically refers to the data center/server farm deployments using various techniques/designs/devices for load balancing traffic and L4-L7 services across multiple servers.
Some useful links:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Please rate as applicable.
Regards
Rajat Chauhan
