I’ve seen protection from malicious hosts who try to spoof dhcp server, dns server or the default gateway - or faking arp/ndp that kind of thing, locking down arp/ndp so that known good port placements for critical hosts are fixed.
The thing is, it wouldn’t help me much, seeing as the potentially malicious hosts are wireless so they’re all on one shared ethernet port into the switch. I currently have L2_isolation ACLs without VLANs in my ZyXEL WAP which keeps malicious stations in a box at L2. Isolates dubious stations from one another and only allows them to talk to boxes on a whitelist, and my whitelist comprises only the critical servers they need to function and thr addresses they need get out to the internet, so that is only the local dns caching proxy server, dhcp server and default gateway and nothing else. That entire list comes down to a single address which is the LAN-facing address of the Firebrick router on the LAN.
But when I saw this iirc Cisco functionality, I thought "Why buy less”.
The hpe switch I have now has a list of IPv4-only anti-DOS defences plus storm control but it has never heard of IPv6 is fairly useless to me and none of the anti spoofing, malicious takeover threats mentioned in the Cisco docs.
