Cisco LAN Switching Configuration Handbook
e. QoS
■ Configure QoS on every switch in your network. QoS must be supported consistently end-to-end: one hop that is left untrusted or unconfigured rewrites the markings, and every switch downstream of it then classifies the traffic as best effort. See section "13-2: QoS Configuration," in Chapter 13, "Quality of Service."
■ Extend the QoS trust boundary to edge devices that can be trusted to mark traffic correctly (IP phones, for example), and leave ports that connect directly to user PCs untrusted.
■ Use policers to rate-limit nonmission-critical traffic flows so that they cannot starve the traffic that matters.
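As an added example (not from the handbook), the following Catalyst IOS configuration extends the trust boundary to a Cisco IP phone and polices a nonmission-critical flow. It assumes Catalyst 3560/3750-style `mls qos` syntax; the interface names, VLAN numbers, subnet, ACL, class-map and policy-map names are illustrative values chosen for the example.

```cisco
! Added example, not from the handbook. Assumes Catalyst 3560/3750-style
! "mls qos" syntax; interfaces, VLANs, subnet and object names are illustrative.
!
! Enable QoS globally. While QoS is disabled every port passes markings
! through untouched; once enabled, untrusted ports rewrite CoS/DSCP to 0.
mls qos
!
! Mark-down table for policed traffic: best-effort (DSCP 0) that exceeds
! its rate is re-marked to CS1 (DSCP 8), the usual "scavenger" value,
! instead of being dropped outright.
mls qos map policed-dscp 0 to 8
!
! Classify a nonmission-critical flow: bulk HTTP from the data VLAN.
ip access-list extended BULK-WEB
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
!
class-map match-all BULK-WEB
 match access-group name BULK-WEB
!
! Police the class to 1 Mb/s with an 8000-byte burst; conforming traffic
! keeps its marking, excess traffic is re-marked via the policed-dscp map.
policy-map ACCESS-IN
 class BULK-WEB
  police 1000000 8000 exceed-action policed-dscp-transmit
!
! Edge port with a Cisco IP phone in front of a user PC.
interface GigabitEthernet1/0/5
 description User PC behind Cisco IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Trust CoS only while CDP reports a Cisco phone on the port. If the phone
 ! is unplugged and a PC is attached directly, the port reverts to untrusted
 ! and the PC's markings are rewritten to 0. CDP must stay enabled.
 mls qos trust device cisco-phone
 mls qos trust cos
 ! Have the phone overwrite the CoS of frames from its PC port with 0, so
 ! the trust boundary ends at the phone rather than at the PC behind it.
 switchport priority extend cos 0
 service-policy input ACCESS-IN
 spanning-tree portfast
!
! Uplink: trust DSCP from the distribution switch so end-to-end marking
! survives this hop.
interface GigabitEthernet1/0/49
 description Uplink to distribution
 switchport mode trunk
 mls qos trust dscp
!
! Checks: "show mls qos interface GigabitEthernet1/0/5" reports the trust
! state and whether a trusted device is currently detected;
! "show mls qos interface GigabitEthernet1/0/5 statistics" counts policed
! packets per class.
```

The two details that most often break a trust boundary in practice are the ones commented above: `trust device cisco-phone` depends on CDP, so disabling CDP on access ports silently leaves every phone port untrusted, and without `switchport priority extend cos 0` the phone passes the PC's own CoS values straight through.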
f. Redundant switch modules
■ Consider using redundant supervisors in server farm switches where hosts are single-attached (one NIC), because a supervisor failure there takes every attached server offline.
■ If redundant uplinks to two physically separate switches are provided at each network layer, that pair of switches already provides redundancy. Reserve redundant supervisors for distribution or core layer switches that are reachable only over single uplinks.
■ Use high-availability redundancy between supervisors in a chassis. Enable versioning so that the OS can be upgraded without switch downtime. See section "3-6: Redundant Supervisors," in Chapter 3, "Supervisor Engine Configuration."
g. Port security, authentication
■ Use port security to restrict which end-user MAC addresses, or how many of them, can connect through an access layer switch port. See section "11-3: Port Security," in Chapter 11.
■ Authenticate users at the access layer switch ports. Section "11-8: 802.1X Port Authentication," in Chapter 11 describes how to configure a port to require a login or certificate for user authentication before granting access to the network.
■ Control access to VLANs with VLAN ACLs. See section "11-4: VLAN Access Control Lists," in Chapter 11.
■ Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table (or static bindings) and drops ARP replies whose IP-to-MAC pairing does not match, which defeats ARP poisoning on the VLAN. See section "11-9: Layer 2 Security," in Chapter 11.
■ DHCP snooping drops DHCP server messages that arrive on untrusted ports, can rate-limit DHCP requests per port, and builds the IP-to-MAC binding table that DAI and IP Source Guard rely on. This protects against rogue DHCP servers and DHCP-based Denial-of-Service (DoS) attacks. See section "11-9: Layer 2 Security," in Chapter 11.
■ IP Source Guard prevents IP spoofing by allowing only the IP addresses that were obtained through DHCP snooping on a particular port. See section "11-9: Layer 2 Security," in Chapter 11.
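As an added example (not from the handbook) tying together the items in this section, the following Catalyst IOS configuration applies port security, 802.1X, DHCP snooping, DAI, IP Source Guard and a VLAN ACL on one access switch. It assumes Catalyst 3560/3750-style syntax and 802.1X single-host mode on a PC-only port; the RADIUS server address and key, VLAN number, subnet, gateway address and interface names are illustrative values chosen for the example.

```cisco
! Added example, not from the handbook. Assumes Catalyst 3560/3750-style
! syntax; RADIUS server, key, VLAN, subnet, gateway and interfaces are
! illustrative values.
!
! --- 802.1X: AAA and RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key RadiusSecret1
dot1x system-auth-control
!
! --- DHCP snooping: rogue-server protection and the binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion (on by default) is required for IP Source Guard
! with MAC filtering; the DHCP server or relay must accept option 82.
ip dhcp snooping information option
!
! --- Dynamic ARP Inspection, checked against the snooping bindings ---
ip arp inspection vlan 10
! Also verify the MAC and IP fields inside the ARP body.
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the DHCP server and gateway: trusted ---
interface GigabitEthernet1/0/49
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User-facing access port (single host, no phone) ---
interface GigabitEthernet1/0/5
 description User PC
 switchport mode access
 switchport access vlan 10
 ! Port security: one MAC, learned dynamically and kept in the running
 ! config (sticky); a second MAC errdisables the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! 802.1X: nothing but EAPOL passes until the RADIUS server accepts the
 ! user's credentials or certificate.
 dot1x pae authenticator
 authentication port-control auto
 ! Untrusted for snooping and DAI (the default); rate limits keep one host
 ! from exhausting the switch CPU with DHCP or ARP floods.
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard with IP+MAC filtering: only the address pair recorded
 ! in the snooping binding table for this port is forwarded.
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Re-enable ports automatically five minutes after a security shutdown.
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- VLAN ACL: hosts in VLAN 10 may talk to the gateway but not to each
! other. Non-IP frames (ARP, etc.) are not matched by an IP ACL and pass.
ip access-list extended VLAN10-TO-GATEWAY
 permit ip any host 10.10.10.1
 permit ip host 10.10.10.1 any
ip access-list extended VLAN10-INTRA
 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
vlan access-map VLAN10-FILTER 10
 match ip address VLAN10-TO-GATEWAY
 action forward
vlan access-map VLAN10-FILTER 20
 match ip address VLAN10-INTRA
 action drop
vlan access-map VLAN10-FILTER 30
 action forward
vlan filter VLAN10-FILTER vlan-list 10
!
! Checks:
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
! show port-security interface GigabitEthernet1/0/5
! show authentication sessions interface GigabitEthernet1/0/5
```

Two caveats a practitioner should plan for: hosts with static addresses have no DHCP snooping binding and are dropped by both DAI and IP Source Guard unless you add an explicit `ip source binding` entry for them, and the DHCP relay on the gateway must accept option 82 from this switch (on a Cisco relay, `ip dhcp relay information trust-all`), otherwise clients never get a lease and the port stays closed.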