across a network (unless a Layer 2 tunneling
mechanism is in place). Limit it to run only between trusted
devices and disable it everywhere else. However, CDP is
required on any access port when you are attaching a Cisco
phone to establish a trust relationship.
- Secure the spanning tree topology: It is important to protect the STP process of the switches that compose the infrastructure. Inadvertent or malicious introduction of STP BPDUs could overwhelm a device or constitute a DoS attack. The first step in stabilizing a spanning tree installation is to positively identify the intended root bridge in the design and to hard set the STP bridge priority of that bridge to an acceptable root value. Do the same for the designated backup root bridge. These actions protect against inadvertent shifts in STP due to an uncontrolled introduction of a new switch. On some platforms, the BPDU guard feature may be available. If so, enable it on access ports in conjunction with the PortFast feature to protect the network from unwanted BPDU traffic injection. Upon receipt of a BPDU, the feature automatically disables the port.

Follow these best practices to mitigate compromises through a switch:
- Proactively configure unused router and switch ports:
  - Execute the shutdown command on all unused ports and interfaces.
  - Place all unused ports in a "parking-lot" VLAN used specifically to group unused ports until they are proactively placed into service.
  - Configure all unused ports as access ports, disallowing automatic trunk negotiation.
- Disable automatic trunk negotiation: By default, Cisco Catalyst switches running Cisco IOS software are configured to automatically negotiate trunking capabilities. This situation poses a serious hazard to the infrastructure because an unsecured third-party device can be introduced to the network as a valid infrastructure component. Potential attacks include interception of traffic, redirection of traffic, and DoS. To avoid this risk, disable automatic negotiation of trunking and manually enable it on links that require it. Ensure that trunks use a native VLAN that is dedicated exclusively to trunk links.
- Monitor physical device access: Avoid rogue device placement in wiring closets with direct access to switch ports.
- Establish port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of both used and unused switch ports. For ports enabled for end-device access, the switchport host macro takes the following actions when executed on a specific switch port:
  - Sets the switch port mode to access
  - Enables spanning tree PortFast
  - Disables channel grouping

Note: The switchport host command is a macro that executes several configuration commands. It does not have a no form to disable it. To return an interface to its default configuration, use the default interface interface-id global configuration command.
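The practices above gathered into one access-switch configuration, as an added example that is not part of the course text. Interface numbers, VLAN IDs and the STP priority values are assumed for illustration and must be adapted to the actual design.

```cisco
! Added example (not from the course text). Interface ranges, VLAN IDs
! and priority values below are assumed for illustration.

! Hard set the STP priority on the intended root bridge; use the second
! line (higher value) on the designated backup root bridge instead.
spanning-tree vlan 1-100 priority 4096
! spanning-tree vlan 1-100 priority 8192

! BPDU guard on every PortFast-enabled port: a received BPDU
! err-disables the port instead of reshaping the topology.
spanning-tree portfast bpduguard default

! Dedicated VLANs: a parking lot for unused ports and a native VLAN
! used only on trunk links, never for end hosts.
vlan 999
 name PARKING_LOT
vlan 998
 name TRUNK_NATIVE

! Unused ports: access mode, no DTP, no CDP, parked, shut down.
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown

! End-device ports: the switchport host macro sets access mode,
! enables PortFast and disables channel grouping. CDP is left on
! here only because Cisco phones attach to these ports.
interface range FastEthernet0/1 - 12
 switchport host
 switchport access vlan 10

! Uplink to a trusted switch: trunking enabled manually, DTP off,
! dedicated native VLAN. Omit the encapsulation line on platforms
! that support only 802.1Q.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
```

After applying it, verify with show interfaces switchport (Negotiation of Trunking: Off on every port) and show spanning-tree summary (BPDU Guard enabled by default).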
8.7 Switch Security Lab Exercises

8.7.1 Lab 8-1: Securing the Layer 2 Switching Devices
- Secure the Layer 2 network against MAC flood attacks
- Prevent DHCP spoofing attacks
- Prevent unauthorized access to the network using AAA and dot1x

8.7.2 Lab 8-2: Securing Spanning Tree Protocol
- Secure the Layer 2 spanning tree topology with BPDU guard
- Protect the primary and secondary root bridge with root guard
- Protect switchports from unidirectional links with UDLD

8.7.3 Lab 8-3: Securing VLANs with Private VLANs, RACLs, and VACLs
- Secure the server farm using private VLANs
- Secure the staff VLAN from the student VLAN
- Secure the staff VLAN when temporary staff personnel are used
Summary

This module covered the major vulnerabilities of unsecured VLAN topologies. Attackers use MAC spoofing, Address Resolution Protocol (ARP) spoofing, and DHCP spoofing to disrupt the network and gain access. Using port security, dynamic ARP inspection (DAI), DHCP snooping, and IP source guard helps to reduce such attacks. VLAN access control lists (VACLs) and private VLANs (PVLANs) filter and control VLAN traffic. In addition, vty ACLs and Secure Shell Protocol (SSH) help control connectivity to the network devices used in the topology.