Securing VLANs and Trunking
* Administratively disable the unused interface, using the shutdown interface subcommand.
* Prevent trunking from being negotiated when the port is enabled by using the switchport nonegotiate interface subcommand to disable negotiation, or the switchport mode access interface subcommand to statically configure the interface as an access interface.
* Assign the port to an unused VLAN, sometimes called a parking lot VLAN, using the switchport access vlan number interface subcommand.
Cisco also recommends that the negotiation of trunking be disabled on all in-use access interfaces, with all trunks being manually configured to trunk. This prevents an attacker from plugging a switch in and trying to negotiate trunking. Configure all in-use interfaces that should not be trunking with the switchport nonegotiate command.
No comments:
Post a Comment