Security Hardening¶
Port Security¶
Prevent MAC table flooding attacks:
interface range Gi0/1 - 48
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
Disable Unused Ports¶
Reduce attack surface. Create a dedicated "blackhole" VLAN first — on many IOS versions, assigning a port to a VLAN that doesn't yet exist in the VLAN database will fail or behave inconsistently:
vlan 999
name UNUSED
interface range Gi0/1 - 10
shutdown
switchport access vlan 999
SSH Management Only¶
Secure remote access, restrict to management VLAN:
ip ssh version 2
line vty 0 4
transport input ssh
login local
access-list 1 permit 10.0.99.0 0.0.0.255
line vty 0 4
access-class 1 in
BPDU Guard¶
Prevent rogue switches on access ports (see Spanning Tree Protocol Fundamentals for what a BPDU actually is and why an access port sending one is a red flag):
interface range Gi0/1 - 48
spanning-tree bpduguard enable
spanning-tree portfast
DHCP Snooping¶
Block rogue DHCP servers (see DHCP Fundamentals for the Discover/Offer/Request/Ack process this is protecting):
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface Gi0/48
ip dhcp snooping trust
Dynamic ARP Inspection¶
Prevent ARP spoofing attacks:
ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip
interface Gi0/48
ip arp inspection trust
Dependency: DAI validates ARP packets against the DHCP snooping binding table, so DHCP Snooping must be enabled first (as shown above) for dynamic validation to work. Without it, DAI has no bindings to check against and will drop legitimate ARP traffic on untrusted ports.
Storm Control¶
Prevent broadcast storms from misbehaving devices:
interface range Gi0/1 - 48
storm-control broadcast level 10
storm-control multicast level 10
storm-control action trap
Platform note: the
levelvalue's accepted format varies by switch model — many Catalyst platforms expect a decimal percentage (level 10.00) and reject a bare integer, while others accept either. Some platforms uselevel pps <low> <high>instead of a percentage. Checkstorm-control ?on your specific hardware before applying.
Access Control Lists¶
Enforce VLAN isolation policies (ACLs can also filter by TCP/UDP port for more granular rules than IP-only):
ip access-list extended GUEST_POLICY
deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip any any
interface Vlan20
ip access-group GUEST_POLICY out
Logging & Alerts¶
Monitor for attacks and violations:
logging 10.0.99.5
logging source-interface Vlan99
logging trap informational
snmp-server community <read-only-string> RO
snmp-server enable traps all
Replace
<read-only-string>with a real, non-default SNMP community string — never leave it aspublic.