Control Plane Activities That Cannot Be Disabled
At least one control plane activity must be kept enabled, even if it increases the exposure to
a DoS attack: ARP. ARP is required on a Layer 3 switch to learn the mapping between IP
addresses and MAC addresses.
If the Dynamic ARP Inspection (DAI) feature (described in Chapter 6, “Exploiting IPv4
ARP”) prevents other attacks, the rate of ARP packets can be limited to 10 ARP packets per
second (pps), as shown in the following code:
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# ip arp inspection limit rate 10 burst interval 1
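To make the two parameters of that command concrete, here is an added Python model that replays a recorded trace of ARP arrival times against a given rate and burst interval. It is not code from the book and not Cisco's actual algorithm: the sliding-window rule (at most rate × burst-interval packets inside any burst-interval-long window, the packet exceeding that budget err-disables the port) is a simplification assumed for illustration, and the two traces are constructed sample data.

```python
from collections import deque
from typing import Iterable, Optional

# Constructed ARP arrival traces (seconds since port-up), not captured data:
# a normal host sending about 5 ARP packets per second for 3 seconds ...
NORMAL_HOST = [i * 0.2 for i in range(15)]
# ... and a host sending 50 ARP packets inside half a second.
FLOODING_HOST = [i * 0.01 for i in range(50)]


def first_errdisable(arrivals: Iterable[float],
                     rate_pps: int = 10,
                     burst_interval_s: int = 1) -> Optional[float]:
    """Return the arrival time at which the modelled port would be err-disabled,
    or None if the trace never exceeds the limit.

    Model (an assumption, simplified from the IOS description of
    'ip arp inspection limit rate <pps> burst interval <s>'): the port
    tolerates at most rate_pps * burst_interval_s ARP packets inside any
    window of burst_interval_s seconds; the packet that pushes the count
    past that budget triggers err-disable.
    """
    budget = rate_pps * burst_interval_s
    window: deque = deque()  # arrival times inside the current window
    for t in sorted(arrivals):
        window.append(t)
        # discard arrivals that are now older than the burst interval
        while t - window[0] >= burst_interval_s:
            window.popleft()
        if len(window) > budget:
            return t
    return None


def summarize(arrivals: Iterable[float], rate_pps: int = 10,
              burst_interval_s: int = 1) -> str:
    """Human-readable verdict for one trace under one limit setting."""
    t = first_errdisable(arrivals, rate_pps, burst_interval_s)
    setting = f"{rate_pps} pps, burst {burst_interval_s} s"
    if t is None:
        return f"within limit ({setting})"
    return f"err-disabled at t={t:.2f}s ({setting})"


if __name__ == "__main__":
    print("normal host:  ", summarize(NORMAL_HOST))
    print("flooding host:", summarize(FLOODING_HOST))
    # a longer burst interval tolerates the same flood a little longer
    print("flooding host:", summarize(FLOODING_HOST, burst_interval_s=3))
```

Replaying a trace exported from a packet capture this way shows whether a candidate limit would err-disable legitimate hosts (the normal trace stays within the limit) while still stopping a flood quickly (the flooding trace trips the 10 pps / 1 s setting at its 11th packet).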
Example 14-8 Expansion of the cisco-desktop Macro
switchport access vlan $AVID
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
236 Chapter 14: Disabling Control Plane Protocols
Best Practices for Control Plane
Example 14-9 shows the Cisco IOS configuration recommended as a best practice for an
access port FastEthernet 0/0. The switch ignores STP packets (thanks to bpduguard) as
well as DTP, VTP, and link aggregation packets (thanks to switchport mode access).
A more robust approach is to apply the VLAN ACL in Example 14-5 to a VLAN consisting
only of access ports. This secures other protocols, such as HSRP. This VLAN ACL must be
complemented by an extended IP ACL applied to all VLAN interfaces or Layer 3
switch interfaces, as Example 14-8 shows.
NOTE As always, your local configuration might vary, so review the ACL and use it as a guideline
to adapt it to better suit the local topology and configuration.
An alternative is to apply rate limiting instead of simply dropping the frames.
Summary
Several control plane activities can safely be disabled on ports facing the end station: HSRP,
VRRP, VTP, and link aggregation, or, when they are not used in the network, IPv6 and IEEE
802.1X. The use of an infrastructure ACL can also prevent an attacker from sending data
plane packets addressed to the switch’s central processor.
If available in the switch features, a Layer 2 or Layer 3 ACL can completely block some
protocol data units. This has two benefits:
• Removes the risk of exploitation if a vulnerability exists in the protocol or in the
implementation.
• Reduces partly or completely the DoS attacks. Depending on the switch
architecture, a DoS can even be completely prevented.
Some activities cannot be disabled, most notably ARP for all nodes and CDP for IP phones.
So, a real hardware-assisted CoPP (as opposed to disabling) is preferred. (For more
information on CoPP, see Chapter 13, “Control Plane Policing.”)
Example 14-9 Cisco IOS Recommended Best Practice for an Access Port
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# spanning-tree bpduguard enable
IOS(config-if)# no channel-group
IOS(config-if)# switchport mode access
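The commands in Example 14-8 and Example 14-9 are easy to apply to one port and easy to forget on the next. As an added example (not code from the book or from Cisco), the following Python script audits an IOS running-config for the access-port hardening this chapter recommends: `switchport mode access`, `spanning-tree bpduguard enable`, `switchport port-security`, no `channel-group`, and a DAI ARP rate limit no higher than the 10 pps used above. The embedded configuration is constructed sample input, and the rule that any non-trunk interface counts as an access port is an assumption you may need to adjust for your own naming and uplink conventions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not from the page): one hardened access
# port, one unhardened access port, and one trunk uplink that is skipped.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip arp inspection limit rate 10 burst interval 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 10
 channel-group 1 mode desirable
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
"""

# Lines every end-station-facing port should carry (Examples 14-8 and 14-9).
REQUIRED_ACCESS_LINES = (
    "switchport mode access",
    "spanning-tree bpduguard enable",
    "switchport port-security",
)
# Command prefixes that must not appear on an access port ('no channel-group').
FORBIDDEN_PREFIXES = ("channel-group",)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def is_candidate_access_port(lines: List[str]) -> bool:
    """Assumption: every interface not explicitly configured as a trunk is an access port."""
    return not any(l.startswith("switchport mode trunk") for l in lines)


def arp_rate_limit(lines: List[str]) -> Optional[int]:
    """Return the configured DAI rate limit in pps, or None when the port has none."""
    for l in lines:
        m = re.match(r"ip arp inspection limit rate (\d+)", l)
        if m:
            return int(m.group(1))
    return None


def audit(config: str, max_arp_pps: int = 10) -> Dict[str, List[str]]:
    """Return {access port: [findings]}; an empty list means the port is compliant."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not is_candidate_access_port(lines):
            continue
        issues = [f"missing '{req}'" for req in REQUIRED_ACCESS_LINES if req not in lines]
        issues += [f"has '{l}' (use 'no channel-group')"
                   for l in lines if l.startswith(FORBIDDEN_PREFIXES)]
        rate = arp_rate_limit(lines)
        if rate is None:
            issues.append("no DAI rate limit ('ip arp inspection limit rate ...')")
        elif rate > max_arp_pps:
            issues.append(f"DAI rate limit {rate} pps exceeds {max_arp_pps} pps")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run against `show running-config` output saved to a file, the script lists each access port with the commands it lacks, which is the check to repeat after every macro change or port move.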