You are implementing basic switch security best practices. Which of these is a tactic that you
can use to mitigate compromises from being launched through the switch?
A. Make all ports private VLAN ports.
B. Place all unused ports in native VLAN 1 until needed.
C. Proactively configure unused switch ports as access ports.
D. Disable Cisco Discovery Protocol globally.
Explanation:
Follow these best practices to mitigate compromises through a switch:
+ Proactively configure unused router and switch ports:
++ Execute the shut command on all unused ports and interfaces.
++ Place all unused ports in a “parking-lot” VLAN used specifically to group unused
ports until they are proactively placed into service.
++ Configure all unused ports as access ports, disallowing automatic trunk negotiation.
+ Disable automatic trunk negotiation: By default, Cisco Catalyst switches running
Cisco IOS software are configured to automatically negotiate trunking capabilities. This
situation poses a serious hazard to the infrastructure because an unsecured third-party
device can be introduced to the network as a valid infrastructure component. Potential
attacks include interception of traffic, redirection of traffic, and DoS. To avoid this risk,
disable automatic negotiation of trunking and manually enable it on links that require it.
Ensure that trunks use a native VLAN that is dedicated exclusively to trunk links.
+ Monitor physical device access: Avoid rogue device placement in wiring closets with
direct access to switch ports.
+ Establish port-based security: Specific measures should be taken on every access
port of any switch placed into service. Ensure that a policy is in place outlining the
configuration of both used and unused switch ports. For ports enabled for end-device
access, the macro switchport host takes the following actions when executed on a specific
switch port:
++ Sets the switch port mode to access
++ Enables spanning tree PortFast
++ Disables channel grouping.
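The practices in the explanation expressed as Cisco IOS configuration, as an added example that is not part of the original question. Interface ranges, VLAN numbers and names are assumed for illustration, and the port-security lines on the end-device ports go one step beyond the list above.

```cisco
! Added example, not from the original question. Interface numbers, VLAN ids
! and names are assumptions chosen for illustration.
!
! Parking-lot VLAN for ports not yet in service (never VLAN 1, never the trunk native VLAN)
vlan 999
 name PARKING_LOT
!
! Native VLAN used only on trunk links, so no access port can ever share it
vlan 998
 name TRUNK_NATIVE
!
! Unused ports: access mode, DTP negotiation off, parked in VLAN 999, shut down
interface range GigabitEthernet1/0/13 - 24
 description UNUSED - parking lot
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! End-device ports: the switchport host macro sets access mode, enables PortFast
! and disables channel grouping; port security (assumed addition) limits the port
! to a single learned MAC address
interface range GigabitEthernet1/0/1 - 12
 switchport access vlan 10
 switchport host
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Uplink: trunking is configured explicitly, never negotiated, with the dedicated
! native VLAN. On platforms that also support ISL, add
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
interface GigabitEthernet1/0/48
 description UPLINK to distribution
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Verification: unused ports should show "disabled", the uplink "trunk" with
! native VLAN 998 and "Negotiation of Trunking: Off"
! show interfaces status
! show interfaces trunk
! show interfaces GigabitEthernet1/0/48 switchport
```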