Which three commands can be used to harden a switch? (Choose three.)
A. switch(config)# spanning-tree bpdufilter default
B. switch(config)# ip dhcp snooping
C. switch(config)# errdisable recovery interval 900
D. switch(config-if)# spanning-tree guard root
E. switch(config-if)# spanning-tree bpduguard disable
F. switch(config-if)# no cdp enable
G. switch(config)# service harden
Answer: B, D and F.
Even though it would be nice to have the “service harden” command to secure the switch, there is no such command. Cisco's recommendation, which is based on a white paper from the NSA, is to enable DHCP snooping to block any rogue DHCP server; to enable Spanning Tree Root Guard to block others from taking over the spanning tree topology; and to disable Cisco Discovery Protocol so the device stops advertising itself to whoever may be listening. There are other features that could be enabled or disabled, but those are not on this list.
Cisco White Papers