You are implementing basic switch security best practices. Which of these is a tactic that you can use to mitigate compromises from being launched through the switch?
A. Make all ports private VLAN ports
B. Place all unused ports in native VLAN 1 until needed
C. Proactively configure unused switch ports as access ports
D. Disable Cisco Discovery Protocol
Answer C is not correct, because configuring unused switch ports as access ports has nothing to do with basic switch security.
Answer D seems to be the best answer.
If CDP is not required, disable CDP globally on the device.
If CDP is required, disable CDP on a per-interface basis on ports connected to untrusted networks.
When CDP remains enabled globally, on the presumption that some ports still need CDP enabled, disable CDP on unused ports.
Layer 2 Security Best Practices:
• Disable CDP where possible.
• Manage the switches in a secure manner. For example, use SSH, an authentication mechanism, access lists, and set privilege levels.
• Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces and protocols such as SNMP.
• Always use a dedicated VLAN ID for all trunk ports.
• Be skeptical; avoid using VLAN 1 for anything.
• Disable DTP on all non-trunking access ports.
• Deploy the Port Security feature to prevent unauthorized access from switching ports.
• Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.
• Use MD5 authentication where applicable.
• Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
• Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
• Use port security mechanisms to provide protection against a MAC flooding attack.
• Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
• Enable Spanning Tree Protocol features (for example, BPDU Guard, Loop Guard, and Root Guard).
• Use Switch IOS ACLs and wire-speed ACLs to filter undesirable traffic (IP and non-IP).
Feedback is desired.
By default, switch ports will automatically negotiate a trunk port. If an attacker attempts to negotiate a trunk port, then he performs VLAN hopping.
I think VLAN hopping is not the problem in this question. To prevent VLAN hopping, configure unused switch ports as access ports, place these ports in a common unrouted VLAN, and turn off Dynamic Trunking Protocol (DTP) using the switchport nonegotiate command. In switchport mode access, the port does automatically turn off DTP and doesn't send DTP frames anymore, but the port still responds to DTP frames from ports that are in dynamic desirable state. In access mode it is still possible to create a trunk; that's why it is not enough to only configure unused switch ports as access ports.
Cisco Discovery Protocol (CDP) can provide an attacker with valuable information about the layout of your network. Other vulnerabilities include a denial-of-service attack in which CDP packets are generated, flooding the network. "Disable Cisco Discovery Protocol" seems to be the best answer in relation to security.
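To make the hardening points from the best-practice list and the DTP discussion above concrete, here is an added example (not from any poster in this thread and not Cisco's own tooling): a small Python audit that reads a Cisco IOS running-config excerpt and reports, for each port declared unused, whether it is shut down, forced to access mode, has DTP disabled with switchport nonegotiate, is parked outside VLAN 1, and has CDP disabled on the interface. The configuration text is constructed for the example; the interface names, the parking VLAN 999 and the "in_use" set are assumptions, not values from the thread.

```python
"""Audit a Cisco IOS running-config excerpt for the Layer 2 hardening
points discussed in this thread. Constructed example; not production tooling."""

# CONSTRUCTED sample config: Gi0/1 is a factory-default port (DTP dynamic,
# VLAN 1, CDP on); Gi0/2 is hardened; Gi0/3 is an uplink the operator
# declares as in use, so the unused-port checks skip it.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description unused
!
interface GigabitEthernet0/2
 description unused - hardened
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown
!
interface GigabitEthernet0/3
 description uplink to core
 switchport trunk native vlan 998
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-command lines]} for every 'interface' block."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def audit_unused_port(lines, cdp_global=True):
    """Return a list of findings for a port that is supposed to be unused."""
    findings = []
    cmds = set(lines)
    if "shutdown" not in cmds:
        findings.append("not shut down")
    if "switchport mode access" not in cmds:
        findings.append("not forced to access mode (port will negotiate with DTP)")
    if "switchport nonegotiate" not in cmds:
        # access mode alone still answers DTP frames; nonegotiate silences DTP
        findings.append("DTP not disabled (switchport nonegotiate missing)")
    vlan = next((l.split()[-1] for l in lines
                 if l.startswith("switchport access vlan ")), "1")
    if vlan == "1":
        findings.append("parked in VLAN 1")
    if cdp_global and "no cdp enable" not in cmds:
        findings.append("CDP still enabled on the port")
    return findings


def audit_config(config, in_use=()):
    """Audit every interface not listed in in_use; returns {name: findings}."""
    # IOS shows 'no cdp run' only when CDP was disabled globally.
    cdp_global = "no cdp run" not in config.splitlines()
    return {name: audit_unused_port(lines, cdp_global)
            for name, lines in parse_interfaces(config).items()
            if name not in in_use}


def hardening_commands(interface, parking_vlan=999):
    """IOS commands that park an unused port per the thread's recommendations."""
    return [
        f"interface {interface}",
        " switchport mode access",
        f" switchport access vlan {parking_vlan}",  # assumed unused VLAN
        " switchport nonegotiate",
        " no cdp enable",
        " shutdown",
    ]


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, in_use={"GigabitEthernet0/3"})
    for name, findings in report.items():
        print(name, "->", findings or "OK")
        if findings:
            print("\n".join(hardening_commands(name)))
```

Running it lists Gi0/1 with all five findings and Gi0/2 as clean, which mirrors the point made above: "switchport mode access" on its own leaves DTP responses and CDP in place, so the audit checks for nonegotiate and "no cdp enable" separately rather than inferring them from the access-mode line.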
You are right Teng.
When you proactively configure unused switch ports as access ports, these ports can never become trunk ports, and it is enough to prevent VLAN hopping; you don't need further configurations like nonegotiate.
Probably D (Disable Cisco Discovery Protocol) does not meet the requirement of the question, and C is the answer.
Thank you.
Answer D 100%