Access Interface Connectivity
Configure Access Interface Connectivity
56
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
Note MAC addresses that are remembered on interfaces with port security do not appear in the dynamic MAC
address table; they appear in the static MAC address table.
Step 5 Configure IP ARP inspection and (DHCP, IGMP, and so on) snooping to 100 p/s on the interface.
(Incoming ARP packets exceeding 100 p/s is not typical and is considered malicious. Those packets are
dropped and a syslog message is raised).
Step 6 Configure IP source guard to prevent IP address spoofing on the interface.
Step 7 Enable storm control on broadcast and multicast packets on the interface to protect the network from a
flood of broadcast or multicast packets.
When the configured levels are exceeded, the switch sends an SNMP trap. The interfaces are not put into
a disabled state.
Unicast packets are blocked on egress and not ingress traffic. The switch drops unknown unicast packets
from being egressed to the end device, ensuring that only the packets intended for the end device are
forwarded.
Step 8 Configure IPv6 security on the interface to secure the end devices from malicious or unexpected
operation by preventing them from transmitting IPv6 router advertisements, and IPv6 responses.
The applied policies are defined in the “Global System Configuration” workflow.
Configure QoS on an Access Interface
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation restrict
ip arp inspection limit rate 100
ip snoopping limit rate 100
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
switchport block unicast
ipv6 nd raguard attach-policy endhost_ipv6_raguard
ipv6 guard attach-policy endhost_ipv6__guard
To Next Page
Loading...
Need help?
General