Tuesday 19 May 2009

Secure Switchport Template

There are several reasons why you might want to use a switch port template.
  • Make life easier for administrators.
  • Standardize configuration.
  • Allow people without specific Cisco knowledge to configure ports.
  • Increase security.

An example template in macro form:

macro name accessport
switchport mode access
switchport nonegotiate
switchport access vlan 99
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
storm-control multicast level 20.00
storm-control broadcast level 20.00
@

To apply this to a port, run:

configure terminal
interface fa0/xx
macro apply accessport

It is probably advisable to reset the port to its default configuration first, in which case the commands become:

configure terminal
default interface fa0/xx
interface fa0/xx
macro apply accessport

So what do these commands do?

switchport mode access
Specify the port is an access port.
switchport nonegotiate
Disable Dynamic Trunking Protocol (DTP).
switchport access vlan 99
Put the port explicitly into a VLAN to avoid VLAN hopping shenanigans. Replace VLAN 99 with the ID of an unused VLAN on your network (not VLAN 1!).
no cdp enable
Disable CDP to stop attackers from flooding the CDP neighbor table using Yersinia or similar tools.
spanning-tree portfast
Turn on portfast for access ports, which is usually a good idea. If you use boot-from-LAN then you'll need this!
Note that turning on portfast does NOT disable STP on that port; it just allows the port to go directly to the forwarding state. You could still create a temporary bridging loop, however, so also apply:
spanning-tree bpduguard enable
Turn on BPDU Guard to shut the port down if it gets connected to another switch, but allow this switch to keep sending BPDUs on that port. A port that BPDU Guard has err-disabled stays down until someone bounces it (shutdown, then no shutdown) or errdisable recovery is configured for the bpduguard cause.

You can turn this on globally, for every port that has portfast enabled, with the command:
spanning-tree portfast bpduguard default

storm-control multicast level 20.00
storm-control broadcast level 20.00
Configure storm control: the level is a percentage of the port's bandwidth, so once multicast or broadcast traffic rises above 20% the switch drops that traffic until it falls back below the threshold (the default storm-control action; storm-control action shutdown would err-disable the port instead).
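As an added example (not code from the original post), a small Python audit that parses show running-config text and reports every access port missing one of the template's settings, so you can check that the macro was actually applied everywhere. The sample config and the REQUIRED list are constructed here from the macro above; the script assumes plain running-config text as input.

```python
# Per-port settings from the accessport macro above that every access port must carry.
REQUIRED = ["switchport nonegotiate", "no cdp enable", "spanning-tree portfast",
            "spanning-tree bpduguard enable", "storm-control multicast level",
            "storm-control broadcast level"]
# Constructed sample of 'show running-config' output; not captured from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 99
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control multicast level 20.00
 storm-control broadcast level 20.00
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
"""
def parse_interfaces(config):
    """Split running-config text into {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_access_ports(config):
    """Return {interface: [missing or weak settings]}; trunks and routed ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        missing = [r for r in REQUIRED if not any(l.startswith(r) for l in lines)]
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
        if vlan is None or vlan == "1":  # no access VLAN set leaves the port in VLAN 1
            missing.append("switchport access vlan missing or set to 1")
        if missing:
            findings[name] = missing
    return findings
```

Feed it the saved output of show running-config and any port listed in the result still needs the macro applied (after a default interface, as above).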



Further reading:

The NSA guide to Cisco switch security.