Potential attacks
include interception of traffic, redirection of traffic, DoS, and more. To avoid this risk,
disable automatic negotiation of trunking and manually enable it on links that require
it. Ensure that trunks use a native VLAN that is dedicated exclusively to trunk links.
Consider using a password for VTP to prevent someone from adding a switch that
could overwrite the VLAN database.
– Monitor physical device access: You should closely monitor physical access to the
switch to avoid rogue device placement in wiring closets with direct access to switch
ports.
– Ensure access port-based security: Take specific measures on every access port of
every switch placed into service. Ensure that a policy is in place outlining the
configuration of unused and used switch ports. For ports that will connect to end
devices, you can use a macro called switchport host. When you execute this command
on a specific switch port, the switch port mode is set to access, spanning-tree PortFast
is enabled, and channel grouping is disabled.
The switchport host command is a macro that executes several configuration commands.
You cannot revoke the effect of the switchport host command by using the no form of the
command, because no such form exists; the individual settings it applied must be undone separately.
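The hardening steps above (no DTP negotiation on any port that is not meant to trunk, a dedicated native VLAN on trunks, PortFast and no channel grouping on host ports, a VTP password) are easy to state and easy to miss on one port out of forty-eight. The following audit script is an added example for this page, not code from the book: it parses a constructed show running-config excerpt (hostname SW1, interfaces GigabitEthernet1/0/1 through 1/0/6, VLANs 10 and 999 are all made up) and flags ports that fall short of the policy. Treating a missing switchport mode line as "DTP still negotiating" reflects the Catalyst default of dynamic mode, and the vtp_password_configured helper assumes the wording IOS prints when no VTP password is set.

```python
"""Audit a Catalyst-style running-config for the trunk and access-port hardening
described above. Added example for this page, not code from the book; the
configuration text and interface names are constructed."""
from dataclasses import dataclass, field

# Constructed `show running-config` excerpt mixing hardened and weak ports.
SAMPLE_CONFIG = """\
hostname SW1
!
vtp domain CORP
vtp mode server
!
interface GigabitEthernet1/0/1
 description Uplink to SW2 (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Uplink to SW3 (weak: DTP left on)
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description Host port (switchport host applied, plus nonegotiate)
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description Unused
 shutdown
!
interface GigabitEthernet1/0/5
 description Host port (weak: no explicit mode, so DTP dynamic by default)
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description Uplink to SW4 (weak: native VLAN shared with user ports)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
end
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)   # indented sub-commands, stripped

    def mode(self):
        # "switchport mode access|trunk|dynamic ..." -> third token; None if absent
        for line in self.lines:
            if line.startswith("switchport mode "):
                return line.split()[2]
        return None  # no explicit mode: Catalyst default is DTP dynamic

    def native_vlan(self):
        for line in self.lines:
            if line.startswith("switchport trunk native vlan "):
                return line.split()[-1]
        return "1"  # IOS default native VLAN

    def access_vlan(self):
        for line in self.lines:
            if line.startswith("switchport access vlan "):
                return line.split()[-1]
        return None


def parse_interfaces(config):
    """Group indented lines under each 'interface ...' stanza."""
    ports, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1].strip())
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ports


def audit_port(port, access_vlans):
    """Return the policy violations for one port (empty list if compliant)."""
    cfg, findings = port.lines, []
    if "shutdown" in cfg:
        return findings  # unused port is administratively down: nothing to negotiate
    mode = port.mode()
    if mode in (None, "dynamic"):
        findings.append("DTP negotiation enabled: set 'switchport mode access' or 'switchport mode trunk' explicitly")
    if mode in ("access", "trunk") and "switchport nonegotiate" not in cfg:
        findings.append("still sends DTP frames: add 'switchport nonegotiate'")
    if mode == "trunk":
        native = port.native_vlan()
        if native == "1":
            findings.append("trunk uses default native VLAN 1")
        elif native in access_vlans:
            findings.append(f"native VLAN {native} is also assigned to access ports")
    if mode == "access":
        if "spanning-tree portfast" not in cfg:
            findings.append("host port missing 'spanning-tree portfast' (switchport host sets it)")
        if any(line.startswith("channel-group ") for line in cfg):
            findings.append("host port has channel grouping enabled")
    return findings


def audit_config(config):
    """Map each interface name to its list of findings."""
    ports = parse_interfaces(config)
    access_vlans = {p.access_vlan() for p in ports if p.access_vlan()}
    return {p.name: audit_port(p, access_vlans) for p in ports}


def vtp_password_configured(show_vtp_password_output):
    """True unless 'show vtp password' reports no password.
    Assumption: IOS prints 'The VTP password is not configured.' in that case."""
    return "not configured" not in show_vtp_password_output.lower()


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
    print("VTP password set:", vtp_password_configured("The VTP password is not configured."))
```

Run against a real switch by pasting show running-config into SAMPLE_CONFIG; the native VLAN cross-check is the part most often done by eye and missed, since a trunk whose native VLAN is also a user VLAN is exactly what a VLAN-hopping attempt needs.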