You should follow two practical guidelines for Cisco Discovery Protocol:

  - If Cisco Discovery Protocol is not required, or if the device is located in an unsecured environment, disable Cisco Discovery Protocol globally on the device.

  - If Cisco Discovery Protocol is required, disable it on a per-interface basis on ports connected to untrusted networks. Because Cisco Discovery Protocol is a link-level protocol, it is not transient across a network unless a Layer 2 tunneling mechanism is in place. Limit it to run only between trusted devices and disable it everywhere else. However, Cisco Discovery Protocol is required on any access port where you are attaching a Cisco IP phone to establish a trust relationship.

- Secure the Spanning-Tree Topology: It is important to protect the STP process of the switches that form the infrastructure. Inadvertent or malicious introduction of STP BPDUs could overwhelm a device or pose a denial of service (DoS) attack. The first step in stabilizing a spanning-tree installation is to identify the intended root bridge in the design and hard-set the STP bridge priority of that bridge to an acceptable root value.
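The following Cisco IOS configuration is an added example that is not part of the original text; it shows the two Cisco Discovery Protocol guidelines and the root-bridge priority step side by side. The interface names, VLAN number and the two switch roles (designated root and backup root) are constructed for illustration; the commands themselves (no cdp run, no cdp enable, spanning-tree vlan priority, and the show commands used to verify) are standard IOS syntax.

```cisco
! --- Option 1 (constructed example): CDP not required, or device in an
! --- unsecured location: disable CDP globally.
configure terminal
 no cdp run
end

! --- Option 2 (constructed example): CDP required (for example, Cisco IP
! --- phones on access ports): leave it running globally, but switch it off
! --- on every port that faces an untrusted network.
configure terminal
 cdp run
 !
 ! Uplink to an untrusted network (assumed interface name): no CDP here.
 interface GigabitEthernet1/0/24
  description UNTRUSTED-UPLINK
  no cdp enable
 !
 ! Access port with a Cisco IP phone (assumed interface name): CDP stays on
 ! because the phone's trust relationship depends on it.
 interface GigabitEthernet1/0/1
  description IP-PHONE-PORT
  cdp enable
end

! --- Spanning tree (constructed example, VLAN 10): pin the intended root.
! Default bridge priority is 32768; the root should get a lower value.
! Priority must be a multiple of 4096 (0-61440).
! On the switch chosen as root bridge:
configure terminal
 spanning-tree vlan 10 priority 4096
end
! On the switch chosen as backup root:
configure terminal
 spanning-tree vlan 10 priority 8192
end

! --- Verification: confirm which neighbors still see CDP and which bridge
! --- actually holds the root role before declaring the design stable.
show cdp neighbors detail
show spanning-tree vlan 10 root
```

When checking the result, compare the root ID reported by show spanning-tree vlan 10 root on every switch in the VLAN against the bridge you intended; if a switch other than the designed root appears, an unmanaged device with a lower priority has been introduced, which is exactly the condition the text warns about.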