Follow these Best Practices for securing switch protocols:

- CDP – CDP does not reveal security-specific information, but an attacker can use the information it does reveal in a reconnaissance attack, gaining knowledge of device and IP address details for the purpose of launching other types of attacks. Two practical guidelines should be followed for CDP.
  - If CDP is not required, or the device is located in an unsecure environment, disable CDP globally on the device.
  - If CDP is required, disable it on a per-interface basis on ports connected to untrusted networks. Because CDP is a link-level protocol, it does not transit across a network (unless a Layer 2 tunneling mechanism is in place). Limit it to run only between trusted devices, disabling it everywhere else. However, CDP is required on any access port to which a Cisco phone is attached, in order to establish the trust relationship.
- Secure the spanning tree topology – It is important to protect the STP process of the switches composing the infrastructure. Inadvertent or malicious introduction of STP BPDUs could overwhelm a device or create a DoS condition. The first step in stabilizing a spanning tree installation is to positively identify the intended root bridge in the design and to hard-set the STP bridge priority of that bridge to an acceptable root value. Do the same for the designated backup root bridge. These actions protect against inadvertent shifts in STP caused by the uncontrolled introduction of a new switch.
  In addition to taking these steps, on some platforms the BPDU guard feature may be available. If it is available for the platform, enable it on access ports in conjunction with the PortFast feature to protect the network from unwanted BPDU traffic injection. Upon receipt of a BPDU on such a port, the feature automatically disables the port.
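The CDP and STP guidelines above, put together as a Cisco IOS configuration fragment. This is an added example, not configuration from the original guide; the interface names, VLAN range and priority values are assumptions chosen for illustration.

```cisco
! Added example (not from the original guide). Assumptions: VLANs 1-100 in use,
! Gi1/0/1-20 are access ports facing untrusted hosts, Gi1/0/21 is an access
! port with a Cisco IP phone, Gi1/0/47-48 are trusted uplinks.
!
! --- CDP ---
! If CDP is not needed at all, or the switch sits in an unsecure location,
! disable it globally instead of the per-interface approach below:
!   no cdp run
!
! Here CDP is required (IP phone on Gi1/0/21), so it stays on globally and is
! switched off only on ports that face untrusted networks.
cdp run
interface range GigabitEthernet1/0/1 - 20
 description Untrusted user ports
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/21
 description Access port with Cisco IP phone (CDP needed for trust)
 switchport mode access
 cdp enable
!
! --- STP: hard-set the intended root and backup root ---
! On the primary root bridge (priority must be a multiple of 4096):
spanning-tree mode rapid-pvst
spanning-tree vlan 1-100 priority 4096
! On the designated backup root bridge use the next step up instead:
!   spanning-tree vlan 1-100 priority 8192
!
! --- BPDU guard on access ports together with PortFast ---
! Global default: every PortFast-enabled port also gets BPDU guard ...
spanning-tree portfast bpduguard default
! ... and set explicitly on the access-port range. A BPDU received on any
! of these ports puts the port into err-disabled state.
interface range GigabitEthernet1/0/1 - 21
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trusted uplinks: CDP stays on; never apply PortFast/BPDU guard here.
interface range GigabitEthernet1/0/47 - 48
 description Trusted uplinks
 switchport mode trunk
 cdp enable
!
! Optional: recover a port disabled by BPDU guard after 5 minutes so a
! one-off rogue BPDU does not require a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify the result with `show cdp interface`, `show spanning-tree root` and `show spanning-tree interface GigabitEthernet1/0/1 detail`, which report the per-port CDP state, the elected root bridge and whether PortFast and BPDU guard are active.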