dhcp snooping
Wed, Mar 1, 2006

A while ago a friend pointed me at DHCP snooping on Cisco devices. Basically, it allows you to monitor and restrict which ports are sending DHCP responses. If you've ever been in an office or environment where someone has plugged in an unconfigured access point or SOHO router, the feature's usefulness should be immediately apparent. For those who have not had the pleasure of attempting to hunt down the offending device in a large network environment, please be assured that DHCP snooping is your friend.
I've enabled it at home, and will soon be enabling it at work. In addition to DHCP snooping, there is another goodie named IP source guard, which can be configured to check the DHCP snooping table to confirm that traffic is coming from valid DHCP-assigned addresses. If you're going to enable source guard, you might as well enable ARP inspection too. It will monitor ARP responses, preventing ARP poisoning.
I haven't enabled all of that yet, but it's on my list.
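
The Python sketch below is an added example, not code from this post or from Cisco. It models how the snooping table built from trusted DHCP replies is then reused by IP source guard and ARP inspection. Port names, MAC and IP addresses are constructed, and the model ignores VLANs, lease expiry and rate limiting.

```python
# Simplified model of DHCP snooping, IP source guard and ARP inspection.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server sends
CLIENT = "00:00:5e:00:53:01"           # constructed client MAC

class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing the real DHCP server
        self.pending = {}                  # client MAC -> port of its request
        self.bindings = {}                 # port -> (MAC, leased IP)
        self.dropped = []                  # (port, reason) for each drop

    def _bound(self, port, mac, ip, reason):
        if port in self.trusted or self.bindings.get(port) == (mac, ip):
            return True
        self.dropped.append((port, reason))
        return False

    def dhcp(self, in_port, msg_type, client_mac, ip=None):
        """DHCP snooping: server messages are accepted on trusted ports only."""
        if msg_type not in SERVER_MSGS:
            self.pending[client_mac] = in_port  # client message: note its port
            return True
        if in_port not in self.trusted:
            self.dropped.append((in_port, "dhcp server message on untrusted port"))
            return False
        if msg_type == "ACK" and client_mac in self.pending:
            self.bindings[self.pending.pop(client_mac)] = (client_mac, ip)
        return True

    def ip_packet(self, in_port, src_mac, src_ip):
        """IP source guard: source must match the binding for that port."""
        return self._bound(in_port, src_mac, src_ip, "source not in snooping table")

    def arp_reply(self, in_port, sender_mac, sender_ip):
        """ARP inspection: claimed IP-to-MAC mapping must match a binding."""
        return self._bound(in_port, sender_mac, sender_ip, "arp not in snooping table")

def demo():
    sw = Switch(trusted_ports={"Gi0/24"})
    results = [
        sw.dhcp("Gi0/5", "OFFER", CLIENT, "192.168.1.50"),  # rogue SOHO router
        sw.dhcp("Gi0/2", "REQUEST", CLIENT),                 # real client asks
        sw.dhcp("Gi0/24", "ACK", CLIENT, "10.0.0.20"),       # trusted server answers
        sw.ip_packet("Gi0/2", CLIENT, "10.0.0.20"),          # leased address
        sw.ip_packet("Gi0/2", CLIENT, "10.0.0.99"),          # spoofed source
        sw.arp_reply("Gi0/2", CLIENT, "10.0.0.1"),           # claims gateway IP
    ]
    return results, sw.dropped
```

Calling `demo()` returns the per-packet forward/drop decisions along with the drop log, which names the port each offending frame arrived on.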