Information

PowerOn Auto Provisioning (POAP) allows the switch to be auto-provisioned at the time of power-on. This can be extremely useful in a tightly controlled environment, with a solid 'network as code' mindset and DevOps procedures in place for network operations.
Without solid procedures and a well-controlled environment, POAP gives a malicious actor the ability to compromise a switch as it is being deployed out of the box. This 'day 0' compromise gives the attacker control of the switch from the start. It can be difficult to detect that this has occurred, and regaining control may require physical access.
Solution

To disable POAP, use the command:
switch(config)# no boot poap enable
POAP is not enabled by default. The 'boot poap' configuration line does not show in the running or startup configuration if it is disabled, only if it is enabled.
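One way to audit saved configuration backups for this setting, as an added example that is not part of the original text. It relies on the behaviour noted above (the line appears only when POAP is enabled) and checks the running and startup copies separately; the hostnames, config snippets and function names are constructed for illustration.

```python
import re

# Matches "boot poap enable" and its negated form; group 1 is set when negated.
POAP_RE = re.compile(r"^\s*(no\s+)?boot\s+poap\s+enable\s*$", re.IGNORECASE)

def poap_enabled(config_text):
    """True if the last POAP statement enables it; no statement means disabled."""
    enabled = False
    for line in config_text.splitlines():
        m = POAP_RE.match(line)
        if m:
            enabled = m.group(1) is None
    return enabled

def audit(hostname, running, startup):
    """Return (hostname, status, detail) for one switch's saved configs."""
    run_on, start_on = poap_enabled(running), poap_enabled(startup)
    if run_on and start_on:
        return (hostname, "FAIL", "POAP enabled in running and startup config")
    if start_on:
        return (hostname, "FAIL", "POAP still enabled in startup config")
    if run_on:
        return (hostname, "FAIL", "POAP enabled in running config")
    return (hostname, "PASS", "no 'boot poap enable' line present")

# Constructed sample backups (not taken from real devices).
SAMPLES = {
    "leaf-01": ("hostname leaf-01\nfeature lldp\n", "hostname leaf-01\nfeature lldp\n"),
    "leaf-02": ("hostname leaf-02\nboot poap enable\n", "hostname leaf-02\nboot poap enable\n"),
    "leaf-03": ("hostname leaf-03\n", "hostname leaf-03\n  boot poap enable\n"),
    "leaf-04": ("! boot poap enable was removed\nhostname leaf-04\n", "hostname leaf-04\n"),
}

def run_audit(samples=SAMPLES):
    """Audit every sample switch, sorted by hostname."""
    return [audit(h, r, s) for h, (r, s) in sorted(samples.items())]

if __name__ == "__main__":
    for host, status, detail in run_audit():
        print(f"{host}: {status} - {detail}")
```

The startup-only case (leaf-03) matters because a switch in that state would come back with POAP enabled after a reload even though the running configuration looks clean.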