[c-nsp] Standard port configurations

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Nov 28 14:16:16 EST 2005


Hi,

> I'm trying to come up with some documentation for 'best practices'
> configuration of various types of switchports. Essentially I'm trying
> to reduce the amount of random frames generated by the switch itself
> and to protect myself as best I can from whatever I am plugging in to.

You could start off with the NSA security guide:

http://www.nsa.gov/snac/os/switch-guide-version1_01.pdf


I'd also try the CISCO switch configuration tool and see what
it puts on the ports by default and after tweaking....

For edge ports (going to the users) I would turn off everything
that isn't needed... completely!  e.g. add the following

no cdp enable
no keepalive
spanning-tree portfast bpdufilter default
    (stops the 802.1d frames leaking out - this can be set as global on many devices)
switchport port-security maximum 128
    (or less if you want... this just stops mac-off style attacks)

alan
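An added example, not part of alan's reply or any Cisco tool: a small Python audit that parses an IOS-style running config and reports access ports missing the per-port settings listed above, plus whether the global bpdufilter line is present. The sample config and interface names are constructed for the example.

```python
import re

# Constructed sample running-config (not from a real device): one hardened
# edge port, one bare edge port and a trunk uplink the audit should skip.
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 128
 no cdp enable
 no keepalive
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

# Per-port settings from the post; the bpdufilter line is global (checked below).
EDGE_CHECKS = {
    "no cdp enable": lambda ls: "no cdp enable" in ls,
    "no keepalive": lambda ls: "no keepalive" in ls,
    "port-security maximum": lambda ls: any(
        re.fullmatch(r"switchport port-security maximum \d+", x) for x in ls),
}

def audit_edge_ports(config):
    """Return {access port: [missing settings]}; trunk ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        missing = [k for k, ok in EDGE_CHECKS.items() if not ok(lines)]
        if "switchport mode access" in lines and missing:  # edge ports only
            findings[name] = missing
    return findings

def bpdufilter_global(config):
    return "spanning-tree portfast bpdufilter default" in config.splitlines()
```

Run it against `show running-config` output saved to a file; the audit only flags ports configured as access ports, so uplinks in trunk mode are left alone.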
