Proactively configure unused router and switch ports

— Execute the shut command on all unused ports and interfaces.

— Place all unused ports in a "parking-lot" VLAN used specifically to group unused ports until they are proactively placed into service.

— Configure all unused ports as access ports, disallowing automatic trunk negotiation.

■ Considerations for trunk links: By default, Cisco Catalyst switches running Cisco IOS software are configured to automatically negotiate trunking capabilities. This situation poses a serious hazard to the infrastructure because an unsecured third-party device can be introduced to the network as a valid infrastructure component. Potential attacks include interception of traffic, redirection of traffic, DoS, and more. To avoid this risk, disable automatic negotiation of trunking and manually enable it on links that will require it. Ensure that trunks use a native VLAN that is dedicated exclusively to trunk links.

■ Physical device access: Physical access to the switch should be closely monitored to avoid rogue device placement in wiring closets with direct access to switch ports.

■ Access port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of unused switch ports in addition to those that are in use.

For ports enabled for end-device access, there is a macro called switchport host, which, when executed on a specific switch port, takes these actions: sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping.

Note: The switchport host macro disables EtherChannel, disables trunking, and enables STP PortFast.

The command is a macro that executes several configuration commands. There is no command such as no switchport host to revoke the effect of the switchport host command. To return an interface to its default configuration, use the default interface interface-id global configuration command. This command returns all interface configurations to the default.
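The following configuration, added here as an illustration rather than taken from the original text, applies each of the measures above on one switch: the unused ports are shut down, placed in a dedicated parking-lot VLAN, forced to access mode and barred from trunk negotiation; the uplink has trunking enabled by hand with negotiation off and a native VLAN reserved for trunks; an end-device port is prepared with the switchport host macro; and default interface is used to return a port to its factory state. The interface names, VLAN numbers (999 for the parking lot, 998 for the trunk native VLAN) and descriptions are assumed values chosen for the example, not ones the text prescribes.

```cisco
! Added example: hardening unused and in-use ports on a Cisco IOS Catalyst switch.
! Interface names and VLAN IDs below are assumptions made for this illustration.

! 1. Find candidate unused ports before touching them: "notconnect" ports that
!    have no description and no recent traffic are the usual starting point.
!    (Run from privileged EXEC, not configuration mode.)
show interfaces status
show interfaces | include line protocol|Last input

! 2. Create the parking-lot VLAN. It carries no SVI and no routing, so a device
!    plugged into a parked port reaches nothing even if the port is later enabled.
configure terminal
vlan 999
 name PARKING_LOT_UNUSED
 exit

! 3. Apply the unused-port policy to the whole range at once.
interface range GigabitEthernet1/0/13 - 24
 description UNUSED - parked per port-security policy
 switchport mode access        ! fixed access port, never a trunk
 switchport access vlan 999    ! isolated parking-lot VLAN
 switchport nonegotiate        ! do not send or answer DTP frames
 shutdown                      ! administratively down until placed in service
 exit

! 4. Trunk link: enable trunking manually, disable automatic negotiation, and
!    use a native VLAN that exists only on trunk links (no access port uses it).
vlan 998
 name TRUNK_NATIVE_ONLY
 exit
interface GigabitEthernet1/0/1
 description Uplink to distribution switch
 switchport trunk encapsulation dot1q   ! required on platforms that support ISL
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
 exit

! 5. Port for an end device: the switchport host macro sets access mode,
!    enables PortFast and removes any channel-group membership in one step.
interface GigabitEthernet1/0/2
 description User workstation
 switchport host
 switchport access vlan 10
 exit
end

! 6. Bringing a parked port into service later: there is no "no switchport host",
!    so reset the interface to defaults first, then configure it for its new role.
configure terminal
default interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/13
 description User workstation
 switchport host
 switchport access vlan 10
 no shutdown
 end

! 7. Verify: parked ports show "disabled" with VLAN 999, the uplink shows
!    mode "on" with negotiation "Off", and no access port sits in VLAN 998.
show interfaces status
show interfaces GigabitEthernet1/0/1 switchport
show interfaces trunk
```

On a switch with a large number of ports, keeping the parking-lot VLAN free of any SVI and the trunk native VLAN absent from every access port are the two checks worth scripting into a periodic configuration audit, since both conditions drift as ports are reassigned by hand.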

Minimizing Service Loss and Data Theft in a Campus Network