Goal: Protect the switch against L2 attacks, lock down management access, and harden user-facing ports
🔐 1. Identity & Management Security
hostname SW1
service password-encryption
enable secret Sw@12345
username admin privilege 15 secret Adm1n@123
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
🔑 2. Secure VTY Access
line vty 0 4
transport input ssh
login local
exec-timeout 10 0
🎯 3. Management VLAN & ACL
interface vlan 10
ip address 192.168.10.2 255.255.255.0
no shutdown
ip access-list standard MGMT-ACL
permit 192.168.10.0 0.0.0.255
deny any log
line vty 0 4
access-class MGMT-ACL in
🚫 4. Disable Unused Services
no ip http server
no ip http secure-server
no service pad
no cdp run
🔌 5. Shut Down Unused Ports
interface range g1/0/10 - 48
shutdown
description UNUSED
🔐 6. Port Security (Access Ports)
interface g1/0/5
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security mac-address sticky
🛡 7. Layer-2 Attack Protection
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
spanning-tree portfast default
spanning-tree portfast bpduguard default
🧾 8. Logging & NTP
logging buffered 64000
logging host 192.168.10.50
ntp server 192.168.10.1
📊 9. SNMPv3 Only
snmp-server group SECURE v3 priv
snmp-server user snmpadmin SECURE v3 auth sha Auth@123 priv aes 256 Priv@123
✅ Final Deployment Checklist
✔ Port security
✔ DHCP Snooping + DAI
✔ BPDU Guard
✔ Unused ports shut down
✔ Secure management VLAN
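As an added example (not part of the original cheat sheet), a small Python checker that audits a saved running-config against the checklist above: DHCP snooping, DAI, global BPDU Guard, port security on every live access port, and SSH-only VTY lines guarded by an inbound access-class. The config text it parses is constructed for the demo.

```python
# Constructed running-config excerpt for the demo (not captured from a real device)
SAMPLE_CONFIG = """\
ip dhcp snooping
ip arp inspection vlan 10
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
interface GigabitEthernet1/0/6
 switchport mode access
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
"""

# Global commands the checklist requires; prefix match so "vlan 10" suffixes pass
REQUIRED_GLOBAL = ("ip dhcp snooping", "ip arp inspection vlan",
                   "spanning-tree portfast bpduguard default")

def parse_blocks(config):
    """Group lines under 'global' or the interface/line header they are indented beneath."""
    blocks, current = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of the current header
            blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks.setdefault(current, [])
        else:                              # back to global configuration mode
            current = "global"
            blocks["global"].append(raw.strip())
    return blocks

def audit(config):
    """Return one finding per checklist item the config fails; an empty list means compliant."""
    blocks = parse_blocks(config)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL
                if not any(l.startswith(cmd) for l in blocks["global"])]
    for name, lines in blocks.items():
        if name.startswith("interface ") and "shutdown" not in lines:   # live ports only
            if "switchport mode access" in lines and "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port-security")
        elif name.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append(f"{name}: VTY not restricted to SSH")
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append(f"{name}: no inbound access-class (management ACL)")
    return findings
```

Feed it the output of `show running-config` saved to a file; ports that are administratively shut down are skipped, so unused ports handled in section 5 do not generate noise.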