Follow these Best Practices to mitigate compromises through a switch:
- Proactively configure unused router and switch ports:
  - Execute the shut command on all unused ports and interfaces
  - Place all unused ports into a "parking-lot" VLAN used specifically to group unused ports until they are proactively placed into service
  - Configure all unused ports as access ports disallowing automatic trunk negotiation
- Considerations for trunk links – By default, Catalyst switches running IOS software are configured to automatically negotiate trunking capabilities. This situation poses a serious hazard to the infrastructure: it allows an unsecured third party to be introduced into the infrastructure, as part of the infrastructure. Potential attacks include interception of traffic, redirection of traffic, denial of service (DoS), and more. To avoid this risk, disable automatic negotiation of trunking, and manually enable trunking only on links that require it. Ensure that trunks use a native VLAN dedicated ONLY to trunk links.
- Physical device access – Physical access to the switch should be closely monitored to avoid rogue device placement in wiring closets with direct access to switch ports.
- Access port-based security – Specific measures should be taken on every access port of any switch placed into service. A policy should be in place that outlines the configuration of unused switch ports as well as those that are in use.
For those ports enabled for end device access, a macro called switchport host exists. When executed on a specific switch port, it takes the following actions: sets the switchport mode to access, enables spanning-tree PortFast, and disables channel grouping.
NOTE: The switchport host macro disables EtherChannel, disables trunking, and enables STP PortFast.
The command is a macro that executes several configuration commands. There is no command such as no switchport host to revoke the effect of the switchport host command. To return an interface to its default configuration, use the default interface interface-id global configuration command. This command returns all configuration on that interface to the defaults.
This example shows what occurs when the switchport host command is executed:

Switch(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)#
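The practices listed above (unused ports shut down and parked in a dedicated VLAN, trunks configured statically with a native VLAN reserved for trunk links, in-service access ports left in the state the switchport host macro produces) can be checked mechanically against a saved running-config. The following Python audit is an added example, not code from the original page or a Cisco tool; the sample interface sections, the interface names, the VLAN numbers (666 as the parking-lot VLAN, 999 as the trunk native VLAN) and the in-service port inventory are all constructed assumptions.

```python
"""Audit Catalyst IOS interface sections against the switch-port practices above.
Sample config, interface names, VLAN numbers and port inventory are constructed
for this example (assumptions), not taken from any real device."""
import re

# Constructed "show running-config" interface sections (assumption).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 999
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 666
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
 switchport trunk native vlan 1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/6
 switchport access vlan 999
 switchport mode access
 channel-group 1 mode on
!
"""

PARKING_VLAN = 666        # "parking-lot" VLAN for unused ports (assumed number)
TRUNK_NATIVE_VLAN = 999   # native VLAN dedicated only to trunk links (assumed)
# Port inventory from the site policy (constructed); anything not listed is unused.
IN_SERVICE_ACCESS = {"GigabitEthernet1/0/2", "GigabitEthernet1/0/6"}
IN_SERVICE_TRUNKS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/5"}


def parse_interfaces(config_text):
    """Map each 'interface X' block to the list of its indented commands."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def _vlan(lines, command):
    """VLAN number following e.g. 'switchport access vlan', or None if unset."""
    for line in lines:
        m = re.fullmatch(command + r" (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def audit(config_text, access_ports, trunk_ports,
          parking_vlan=PARKING_VLAN, native_vlan=TRUNK_NATIVE_VLAN):
    """Return sorted (interface, finding) pairs; an empty list means compliant."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        # Third word of 'switchport mode ...'; None is the IOS default, which
        # on Catalyst switches leaves DTP trunk negotiation enabled.
        mode = next((l.split()[2] for l in lines
                     if l.startswith("switchport mode ")), None)
        if name in trunk_ports:
            if mode != "trunk":
                findings.append((name, "trunk is negotiated, not set with switchport mode trunk"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DTP still active; switchport nonegotiate missing"))
            if _vlan(lines, "switchport trunk native vlan") != native_vlan:
                findings.append((name, f"native VLAN is not the dedicated trunk VLAN {native_vlan}"))
        elif name in access_ports:
            # Same end state the switchport host macro produces on an access port.
            if mode != "access":
                findings.append((name, "in-service port is not a static access port"))
            if "spanning-tree portfast" not in lines:
                findings.append((name, "spanning-tree portfast missing"))
            if any(l.startswith("channel-group") for l in lines):
                findings.append((name, "channel grouping enabled on an access port"))
            if _vlan(lines, "switchport access vlan") == native_vlan:
                findings.append((name, "access VLAN reuses the trunk native VLAN"))
        else:  # not in the inventory, so it must be parked and shut down
            if "shutdown" not in lines:
                findings.append((name, "unused port is not shut down"))
            if _vlan(lines, "switchport access vlan") != parking_vlan:
                findings.append((name, f"unused port is not in parking-lot VLAN {parking_vlan}"))
            if mode != "access":
                findings.append((name, "unused port can still negotiate a trunk"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG, IN_SERVICE_ACCESS, IN_SERVICE_TRUNKS):
        print(f"{interface}: {finding}")
```

Run against the constructed sample, the audit passes the static trunk (1/0/1), the user port (1/0/2) and the parked port (1/0/3), and reports nine findings on the other three: the untouched default port (1/0/4) is neither shut, parked nor forced to access mode; the dynamic-desirable uplink (1/0/5) still negotiates, lacks switchport nonegotiate and carries the native VLAN on VLAN 1; and the printer port (1/0/6) has no PortFast, has a channel group, and reuses the trunk native VLAN as its access VLAN. The in-service inventory is a required input because the configuration alone cannot tell an unused port from one whose hardening was simply forgotten; treating every unlisted port as unused is the conservative choice.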