Skip to content

Security Hardening

Port Security

Prevent MAC table flooding attacks:

interface range Gi0/1 - 48
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

Disable Unused Ports

Reduce attack surface. Create a dedicated "blackhole" VLAN first — on many IOS versions, assigning a port to a VLAN that doesn't yet exist in the VLAN database will fail or behave inconsistently:

vlan 999
 name UNUSED

interface range Gi0/1 - 10
 shutdown
 switchport access vlan 999

SSH Management Only

Secure remote access, restrict to management VLAN:

ip ssh version 2
line vty 0 4
 transport input ssh
 login local

access-list 1 permit 10.0.99.0 0.0.0.255
line vty 0 4
 access-class 1 in

BPDU Guard

Prevent rogue switches on access ports (see Spanning Tree Protocol Fundamentals for what a BPDU actually is and why an access port sending one is a red flag):

interface range Gi0/1 - 48
 spanning-tree bpduguard enable
 spanning-tree portfast

DHCP Snooping

Block rogue DHCP servers (see DHCP Fundamentals for the Discover/Offer/Request/Ack process this is protecting):

ip dhcp snooping
ip dhcp snooping vlan 10,20,30

interface Gi0/48
 ip dhcp snooping trust

Dynamic ARP Inspection

Prevent ARP spoofing attacks:

ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip

interface Gi0/48
 ip arp inspection trust

Dependency: DAI validates ARP packets against the DHCP snooping binding table, so DHCP Snooping must be enabled first (as shown above) for dynamic validation to work. Without it, DAI has no bindings to check against and will drop legitimate ARP traffic on untrusted ports.

Storm Control

Prevent broadcast storms from misbehaving devices:

interface range Gi0/1 - 48
 storm-control broadcast level 10
 storm-control multicast level 10
 storm-control action trap

Platform note: the level value's accepted format varies by switch model — many Catalyst platforms expect a decimal percentage (level 10.00) and reject a bare integer, while others accept either. Some platforms use level pps <low> <high> instead of a percentage. Check storm-control ? on your specific hardware before applying.

Access Control Lists

Enforce VLAN isolation policies (ACLs can also filter by TCP/UDP port for more granular rules than IP-only):

ip access-list extended GUEST_POLICY
 deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any

interface Vlan20
 ip access-group GUEST_POLICY out

Logging & Alerts

Monitor for attacks and violations:

logging 10.0.99.5
logging source-interface Vlan99
logging trap informational

snmp-server community <read-only-string> RO
snmp-server enable traps all

Replace <read-only-string> with a real, non-default SNMP community string — never leave it as public.