Defending Network Switches
Best practices: secure switch protocols

Follow these best practices for securing switch protocols:

  • CDP – CDP does not reveal security-specific information, but an attacker can exploit what it does disclose in a reconnaissance attack, gaining device and IP address information for the purpose of launching other types of attacks. Two practical guidelines should be followed for CDP.
    • If CDP is not required, or the device is located in an unsecure environment, disable CDP globally on the device.
    • If it is required, disable CDP on a per-interface basis on ports connected to untrusted networks. Because CDP is a link-level protocol, it does not propagate beyond the directly connected link (unless a Layer 2 tunneling mechanism is in place). Limit it to run only between trusted devices, disabling it everywhere else. However, CDP is required on any access port that attaches a Cisco phone, because the phone uses it to establish a trust relationship with the switch.
  • Secure the spanning tree topology – It is important to protect the STP process of the switches composing the infrastructure. Inadvertent or malicious introduction of STP BPDUs could overwhelm a device or amount to a denial-of-service (DoS) attack. The first step in stabilizing a spanning tree installation is to positively identify the intended root bridge in the design and to explicitly set the STP bridge priority of that bridge to an acceptable root value. Do the same for the designated backup root bridge. These actions protect against inadvertent shifts in the STP topology caused by the uncontrolled introduction of a new switch.

In addition to taking these steps, on some platforms the BPDU guard feature may be available. If it is available for the platform, enable it on access ports in conjunction with the PortFast feature to protect the network from unwanted BPDU traffic injection. Upon receipt of a BPDU on such a port, the feature automatically shuts the port down (placing it in the err-disabled state).
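The following is an added example, not part of the original text: a small audit script that checks an IOS-style running-config against the CDP and spanning-tree guidelines above (CDP off globally or on untrusted ports except where a phone needs it, an explicit root-bridge priority, and PortFast with BPDU guard on access ports). The configuration it inspects is a constructed sample for a hypothetical access switch, the interface names and trust assignments are assumptions, and the `audit` and `parse_config` functions are illustrative helpers rather than any vendor tool; the IOS commands it looks for (`no cdp run`, `no cdp enable`, `spanning-tree vlan ... priority`, `spanning-tree portfast`, `spanning-tree bpduguard enable`, `spanning-tree portfast bpduguard default`) are the standard commands for these features.

```python
import re

# Constructed sample running-config for a hypothetical access switch. It is
# deliberately left with one gap (CDP still on at Gi1/0/2) so the audit has
# something to report; every other port follows the guidelines.
SAMPLE_CONFIG = """\
hostname access-sw1
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description Uplink to core (trusted)
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description User desk - untrusted
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description IP phone - CDP needed for the phone trust relationship
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description Conference room - untrusted
 switchport mode access
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
end
"""


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # '!' (or a blank line) ends a stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, trusted_ports=frozenset(), is_intended_root=False):
    """Return (location, finding) tuples; an empty list means the config passes.

    trusted_ports: interface names the design treats as trusted (assumption
    supplied by the caller, since trust is a design decision, not a config fact).
    is_intended_root: True when auditing the designed root or backup root bridge.
    """
    global_lines, interfaces = parse_config(text)
    findings = []

    cdp_global = "no cdp run" not in global_lines
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines

    # STP guideline: the intended root (and backup root) has its priority hard-set.
    if is_intended_root and not any(
        re.match(r"spanning-tree vlan \S+ priority \d+$", g) for g in global_lines
    ):
        findings.append(("global", "intended root bridge has no explicit "
                                   "'spanning-tree vlan ... priority'"))

    for name, lines in interfaces.items():
        access = "switchport mode access" in lines
        phone = any(l.startswith("switchport voice vlan") for l in lines)
        cdp_on = cdp_global and "no cdp enable" not in lines

        # CDP guideline: off on untrusted ports, unless a Cisco phone needs it.
        if cdp_on and name not in trusted_ports and not phone:
            findings.append((name, "CDP enabled on untrusted port; add 'no cdp enable'"))

        # STP guideline: access ports run PortFast together with BPDU guard,
        # either per interface or via the global 'bpduguard default'.
        if access:
            portfast = any(l.startswith("spanning-tree portfast")
                           and not l.endswith("disable") for l in lines)
            guard = ("spanning-tree bpduguard enable" in lines
                     or (portfast and bpduguard_default
                         and "spanning-tree bpduguard disable" not in lines))
            if not portfast:
                findings.append((name, "access port without 'spanning-tree portfast'"))
            if not guard:
                findings.append((name, "access port without BPDU guard"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG, trusted_ports={"GigabitEthernet1/0/1"}):
        print(f"{where}: {what}")
```

Run against the sample, the audit reports only GigabitEthernet1/0/2, where the user-facing port still runs CDP; adding `no cdp enable` there, or `no cdp run` globally, clears the finding. Removing the global `spanning-tree portfast bpduguard default` line makes the two ports that rely on it show up as lacking BPDU guard, which is the reason the check considers both the per-interface and the global form.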