Packet Tracer Labs

Lab 31: The Switch Security Baseline

Every production switch should get the same hardening ritual. This lab applies the full baseline checklist to one switch — the exact sequence you'd run on real gear before deployment. Difficulty: Intermediate+ · Time: ~35 min.

Lab objectives

  • Shut and quarantine unused ports
  • Change the native VLAN off 1 and disable DTP
  • Apply port security + BPDU guard on access ports
  • Restrict management to SSH from the management VLAN

Topology & addressing

1× 2960 with: 2 used access ports (Fa0/1-2, VLAN 10), 1 trunk uplink (Gi0/1), the rest unused. Management SVI on VLAN 99.

Step-by-step configuration

  • Unused ports: dead VLAN + admin down
      interface range fa0/3 - 24
      switchport access vlan 999
      shutdown
  • Trunk uplink (Gi0/1): no untagged user traffic, no DTP games
      switchport trunk native vlan 998   (a dedicated unused VLAN: not VLAN 1, and not the management VLAN 99)
      switchport nonegotiate
  • Access ports (Fa0/1-2): port-security (max 1, sticky, shutdown) + spanning-tree portfast + spanning-tree bpduguard enable (the Lab 16 + Lab 22 combo as standard issue)
  • Management: line vty 0 4 with transport input ssh + access-class (management subnet only) (Labs 10 + 27 combined)

Verification

Run the full verify battery: show interfaces status (unused = disabled, VLAN 999), show interfaces trunk (native ≠ 1, nonegotiate), show port-security, show spanning-tree interface fa0/1 detail (bpduguard), and SSH tests from allowed/denied subnets. This checklist IS the interview answer to "how do you harden a switch?"
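Added example (not part of the lab or of Attila Technologies' material): a Python script that audits a switch configuration, as typed in the steps above, against the four baseline items and the verify battery in this section. The BASELINE text, the WEAK sample, the ACL name MGMT-ONLY and the 10.99.0.0/24 management subnet are constructed here; the port roles follow the lab topology (Fa0/1-2 access, Gi0/1 trunk, Fa0/3-24 unused) and VLAN 998 is the dedicated unused native VLAN the lab suggests.

```python
"""Audit a Cisco IOS switch configuration against the Lab 31 baseline.
Added example, not the lab's own material. Expands 'interface range' blocks and
treats IOS defaults a real `show run` omits (port-security maximum 1, violation
shutdown, native VLAN 1) as defaults rather than as missing lines.
"""
import re

# Constructed sample: the full baseline as typed. ACL name and subnet are assumptions.
BASELINE = """\
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
interface range FastEthernet0/3 - 24
 switchport access vlan 999
 shutdown
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 998
 switchport nonegotiate
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
"""

# Constructed sample of a switch left at defaults: native VLAN 1 and DTP on,
# no port-security on Fa0/1, vty open to telnet, Fa0/3-24 untouched.
WEAK = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
line vty 0 4
 transport input all
"""

# Port roles from the lab topology: 2960, Fa0/1-2 access, Gi0/1 trunk, rest unused.
ACCESS = ["interface FastEthernet0/1", "interface FastEthernet0/2"]
TRUNKS = ["interface GigabitEthernet0/1"]
UNUSED = [f"interface FastEthernet0/{n}" for n in range(3, 25)]
DEAD_VLAN = "999"
RANGE_RE = re.compile(r"interface range (\S+?)(\d+)/(\d+) - (\d+)$")


def parse_config(text):
    """Map each top-level section header to its indented child lines.
    An 'interface range X0/a - b' block is recorded under every member port."""
    sections, current = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            for block in current:
                block.append(raw.strip())
            continue
        header = raw.strip()
        m = RANGE_RE.match(header)
        if m:
            prefix, slot, lo, hi = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
            current = [sections.setdefault(f"interface {prefix}{slot}/{p}", [])
                       for p in range(lo, hi + 1)]
        else:
            current = [sections.setdefault(header, [])]
    return sections


def setting(lines, prefix, default):
    """Value of the first line starting with prefix, or the IOS default if absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), default)


def audit(sections):
    """Return (check name, passed) tuples covering the four baseline items."""
    findings = []
    for intf in UNUSED:  # item 1: dead VLAN + admin down
        lines = sections.get(intf, [])
        findings.append((f"{intf} in dead VLAN", f"switchport access vlan {DEAD_VLAN}" in lines))
        findings.append((f"{intf} shutdown", "shutdown" in lines))
    for intf in TRUNKS:  # item 2: native VLAN off 1, DTP disabled
        lines = sections.get(intf, [])
        findings.append((f"{intf} native VLAN not 1",
                         setting(lines, "switchport trunk native vlan", "1") != "1"))
        findings.append((f"{intf} nonegotiate", "switchport nonegotiate" in lines))
    for intf in ACCESS:  # item 3: port-security + PortFast + BPDU guard
        lines = sections.get(intf, [])
        findings += [
            (f"{intf} port-security enabled", "switchport port-security" in lines),
            (f"{intf} port-security max 1", setting(lines, "switchport port-security maximum", "1") == "1"),
            (f"{intf} sticky MACs", "switchport port-security mac-address sticky" in lines),
            (f"{intf} violation shutdown", setting(lines, "switchport port-security violation", "shutdown") == "shutdown"),
            (f"{intf} portfast", "spanning-tree portfast" in lines),
            (f"{intf} bpduguard", "spanning-tree bpduguard enable" in lines),
        ]
    vty = sections.get("line vty 0 4", [])  # item 4: SSH only, management subnet only
    findings.append(("vty ssh only", "transport input ssh" in vty))
    findings.append(("vty access-class", any(l.startswith("access-class ") and l.endswith(" in") for l in vty)))
    return findings


def failures(text):
    """Names of the baseline checks the given configuration text fails."""
    return [name for name, ok in audit(parse_config(text)) if not ok]


if __name__ == "__main__":
    for label, cfg in (("baseline", BASELINE), ("weak", WEAK)):
        missed = failures(cfg)
        print(f"{label}: {len(missed)} failing checks")
        for name in missed:
            print("  FAIL", name)
```

Run it and the baseline reports zero failing checks while the weak sample lists every missed item per port, which mirrors what the show commands above reveal one at a time. The default handling matters in practice: an audit that only looks for literal lines would flag a correctly configured port because IOS does not print `violation shutdown` or `maximum 1` in `show running-config`.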


Frequently asked questions

Why move unused ports to a dead VLAN and shut them?

Two independent layers: even if someone re-enables the port, it lands in a VLAN that goes nowhere — physical access alone gains nothing.

Why change the native VLAN off VLAN 1?

VLAN 1 carries control traffic and is the default everywhere — moving native to a dedicated unused VLAN prevents VLAN-hopping tricks and accidental untagged leaks.

What does switchport nonegotiate do?

Disables DTP negotiation — the port won't respond to trunk-forming attempts, closing a classic switch-spoofing vector.

Vipul Sir — Lead Instructor, Attila Technologies. 20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.

Start your networking career with Attila Technologies

Hands-on Cisco training, real lab devices and placement support in Ahmedabad.