Setting a static secure MAC address on the interface :
switchport port-security
switchport port-security mac-address abcd.abcd.abcd
Violation modes :
Protect : drops the offending frames silently (no notification)
Shutdown : puts the port into err-disabled state (you can configure the err-disable recovery mechanism) :
errdisable recovery cause psecure-violation
errdisable recovery interval 180
Restrict : drops the offending frames and generates an SNMP trap / syslog message
Aging MAC address entries :
switchport port-security aging time <minutes>
switchport port-security aging type <absolute|inactivity>
*** For HSRP, configure "standby use-bia" so the interface uses its burned-in MAC instead of the HSRP virtual MAC, which port security would otherwise block
DHCP snooping :
The idea is to stop clients on untrusted ports from acting as DHCP servers (sending OFFER/ACK leases to other clients); server messages are only accepted on trusted ports
configuration :
ip dhcp snooping
ip dhcp snooping vlan 123
Trust is needed on the interface facing the DHCP server and on trunk/uplink ports (access-switch case) :
ip dhcp snooping trust
To rate-limit DHCP packets on an interface :
ip dhcp snooping limit rate <pps>
Option 82
When DHCP snooping is enabled, the switch inserts option 82 (relay agent information) into client requests but leaves "giaddr" null (0.0.0.0). By default, a Cisco router acting as DHCP server drops a request that carries option 82 with a null "giaddr".
Workaround
- Configure the switch not to insert option 82, so the request no longer carries option 82 with a null "giaddr" : "no ip dhcp snooping information option"
or
- Configure the router DHCP server to accept requests carrying option 82 with a null "giaddr" : "ip dhcp relay information trust-all"
IF you want to configure the option 82 parameters on the switch (circuit-ID / remote-ID) :
remote-ID is set globally :
ip dhcp snooping information option format remote-id string SW1
circuit-ID is set per interface and per VLAN :
interface fa0/1
ip dhcp snooping vlan 123 information option format-type circuit-id string ROUTER6
global, allows the switch to accept DHCP requests that already carry option 82 on untrusted ports (e.g. from a downstream switch) :
ip dhcp snooping information option allow-untrusted
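Added example (not from the note or from Cisco): it builds a constructed DHCP DISCOVER carrying option 82 with the circuit-ID / remote-ID strings above, parses giaddr and the sub-options back out, and applies the default server-side rule described above (option 82 present + null giaddr = drop, unless trust-all). The packet layout follows RFC 2131/2132 and RFC 3046; the function names are the example's own.

```python
# Constructed example, not Cisco's code: build a minimal DHCP DISCOVER with
# option 82 (sub-option 1 circuit-id, 2 remote-id), parse it back, and apply
# the server-side rule the note describes for a null giaddr.
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236
OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def build_discover(giaddr, circuit_id=None, remote_id=None):
    """Minimal BOOTP/DHCP request: only giaddr and option 82 are meaningful."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6          # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[24:28] = bytes(int(o) for o in giaddr.split("."))  # giaddr lives at offset 24
    opts = bytearray([53, 1, 1])               # option 53: message type DISCOVER
    sub = bytearray()
    if circuit_id is not None:
        sub += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if sub:                                    # this is what a snooping switch inserts
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return bytes(hdr) + DHCP_MAGIC + bytes(opts) + b"\xff"


def parse_relay_info(pkt):
    """Return (giaddr as dotted string, {sub-option code: value}) from a packet."""
    giaddr = ".".join(str(b) for b in pkt[24:28])
    body, i, subs = pkt[240:], 0, {}
    while i < len(body) and body[i] != 0xFF:   # 0xFF = end option
        if body[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if code == OPT_RELAY_AGENT:
            j = 0
            while j + 1 < len(value):
                sc, sl = value[j], value[j + 1]
                subs[sc] = value[j + 2:j + 2 + sl]
                j += 2 + sl
        i += 2 + length
    return giaddr, subs


def server_accepts(pkt, trust_all=False):
    """Default IOS DHCP-server behaviour from the note: a request carrying option 82
    with giaddr 0.0.0.0 is dropped unless 'ip dhcp relay information trust-all' is set."""
    giaddr, subs = parse_relay_info(pkt)
    return trust_all or not subs or giaddr != "0.0.0.0"
```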
Static DHCP binding and saving the binding database :
ip dhcp snooping binding 1234.1244.1244 vlan 123 123.123.123.123 interface gi0/1 expiry <seconds>
ip dhcp snooping database flash:/dhcp-bind.txt
ip dhcp snooping database write-delay 15 (15 seconds between binding database updates)
Dynamic ARP inspection (DAI) : (will use the Cisco doc on this)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_44_se/configuration/guide/scg/swdynarp.html