Configuration detail: switch access (Cisco)

1. Secure MAC, against MAC spoofing attacks
   (interface)
     description XXX
     switchport mode access
     spanning-tree portfast
     switchport port-security
     switchport port-security violation restrict
     switchport port-security mac-address sticky

2. Spanning-tree
   2.1 Portfast
       Enable portfast by default for all access ports:
       spanning-tree portfast enable
   2.2 Rapid STP
       spanning-tree mode rapid-pvst

3. Protecting the network from spoofing attacks (DHCP, ARP)
   3.1 Secure DHCP source
       (global)    ip dhcp snooping
       (global)    ip dhcp snooping information option
       (interface) ip dhcp snooping trust
       (global)    ip dhcp snooping vlan vlan_id
   3.2 Dynamic ARP Inspection
       (global)    ip arp inspection vlan vlan_id
       (interface) ip arp inspection trust
       If the interface is not trusted, validate instead:
       (interface) ip arp inspection validate

4. Access restriction using ACL
   line con 0
    exec-timeout 6 0
    password 7 15315A1F077A
    login
    transport input none
   line 1 8
    speed 115200
   line aux 0
   line vty 0 4
    access-class 90 in
    password 7 0817627E3D4A35362B
    login
    transport input telnet   (or SSH)

5. Turn off CDP if possible
6. Secure STP
7. Double-check trunk links
8. Use a secure access client such as SSHv2
9. Use syslog
10. Avoid using VLAN 1 for management purposes
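As an added example (not part of the original notes), the Python script below audits a Cisco IOS-style running-config against items 1, 3, 4, 5, 7, 8 and 10 of the checklist: port-security with sticky MACs on every access port, DHCP snooping and Dynamic ARP Inspection enabled for VLANs, access ports never marked trusted, an inbound access-class and SSH-only transport on every vty line, CDP disabled, and no management address on VLAN 1. The embedded configuration is constructed; the interface names, VLAN numbers and ACL number 90 are assumptions, and the parser only understands the one-space indentation that `show running-config` produces.

```python
"""Audit a Cisco IOS-style switch config against the hardening checklist.
Added example; the sample config is constructed, not from any real device."""


# Constructed sample: one hardened access port, one unhardened access port,
# a trusted trunk uplink, a management IP left on VLAN 1, and two vty ranges.
SAMPLE_CONFIG = """\
hostname access-sw1
no cdp run
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
line vty 0 4
 access-class 90 in
 transport input ssh
!
line vty 5 15
 transport input telnet
!
"""


def parse_config(text):
    """Split a running-config into global commands and indented sections.

    Returns (globals, sections): globals is a list of unindented commands;
    sections maps each 'interface ...' / 'line ...' header to its child lines.
    """
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                     # child of the current section
            if current is not None:
                sections[current].append(raw.strip())
        else:
            header = raw.strip()
            if header.startswith(("interface ", "line ")):
                current = header
                sections[current] = []
            else:
                current = None
                globals_.append(header)
    return globals_, sections


def audit(text):
    """Return a sorted list of (where, finding) tuples for checklist gaps."""
    globals_, sections = parse_config(text)
    g = set(globals_)
    findings = []

    # Items 3.1, 3.2, 2.2 and 5: global controls
    if "ip dhcp snooping" not in g:
        findings.append(("global", "DHCP snooping not enabled"))
    if not any(x.startswith("ip dhcp snooping vlan") for x in g):
        findings.append(("global", "DHCP snooping has no VLANs"))
    if not any(x.startswith("ip arp inspection vlan") for x in g):
        findings.append(("global", "Dynamic ARP Inspection has no VLANs"))
    if "spanning-tree mode rapid-pvst" not in g:
        findings.append(("global", "STP mode is not rapid-pvst"))
    if "no cdp run" not in g:
        findings.append(("global", "CDP still running"))

    for name, body in sections.items():
        b = set(body)
        if name.startswith("interface") and "switchport mode access" in b:
            # Item 1: every access port needs port-security with sticky MACs
            if "switchport port-security" not in b:
                findings.append((name, "access port without port-security"))
            elif "switchport port-security mac-address sticky" not in b:
                findings.append((name, "port-security without sticky MACs"))
            # Item 7: only uplinks/trunks should be trusted by snooping and DAI
            if "ip dhcp snooping trust" in b or "ip arp inspection trust" in b:
                findings.append((name, "access port marked trusted"))
        if name.startswith("line vty"):
            # Items 4 and 8: inbound ACL applied and SSH-only transport
            if not any(x.startswith("access-class") and x.endswith(" in") for x in b):
                findings.append((name, "no inbound access-class"))
            if "transport input ssh" not in b:
                findings.append((name, "transport input is not SSH-only"))
        if name == "interface Vlan1" and any(x.startswith("ip address") for x in b):
            # Item 10: management should not live on VLAN 1
            findings.append((name, "management IP on VLAN1"))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Run against the sample it reports the unprotected access port, the management address on VLAN 1, and the second vty range that lacks both an access-class and an SSH-only transport; feed it the text of `show running-config` from a real switch to get the same report for that device.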