Lab 31: The Switch Security Baseline
Every production switch should get the same hardening ritual. This lab applies the full baseline checklist to one switch — the exact sequence you'd run on real gear before deployment. Difficulty: Intermediate+ · Time: ~35 min.
Lab objectives
- Shut and quarantine unused ports
- Change the native VLAN off 1 and disable DTP
- Apply port security + BPDU guard on access ports
- Restrict management to SSH from the management VLAN
Topology & addressing
1× 2960 with: 2 used access ports (Fa0/1-2, VLAN 10), 1 trunk uplink (Gi0/1), the rest unused. Management SVI on VLAN 99.
Step-by-step configuration
| Commands | Purpose |
| --- | --- |
| interface range fa0/3 - 24; switchport access vlan 999; shutdown | Unused ports: dead VLAN + admin down |
| Trunk: switchport trunk native vlan 998 (a dedicated unused VLAN, not the management VLAN 99); switchport nonegotiate | No untagged user traffic, no DTP games |
| Access ports: port-security (maximum 1, sticky, violation shutdown) + spanning-tree portfast + spanning-tree bpduguard enable | The Lab 16 + Lab 22 combo as standard issue |
| line vty 0 4: transport input ssh + access-class (management subnet only) | Labs 10 + 27 combined |
Verification
Run the full verify battery: show interfaces status (unused = disabled, VLAN 999), show interfaces trunk (native ≠ 1, nonegotiate), show port-security, show spanning-tree interface fa0/1 detail (bpduguard), and SSH tests from allowed/denied subnets. This checklist IS the interview answer to "how do you harden a switch?"
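As an added example (not part of the original lab), a small Python audit that checks pasted `show interfaces status` and `show interfaces trunk` output against the baseline above; the port inventory and the sample output are constructed for this topology, with two deliberate deviations so the checks have something to report.

```python
import re

# Constructed inventory matching the lab topology (assumption: these port names).
USED_ACCESS = {"Fa0/1", "Fa0/2"}   # live access ports (VLAN 10)
TRUNKS = {"Gi0/1"}                 # uplink
DEAD_VLAN = "999"
STATUS_RE = re.compile(r"^(\S+)\s+.*?(connected|notconnect|disabled|err-disabled)\s+(\S+)")
TRUNK_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+(?:not-)?trunking\s+(\d+)")

def parse_status(text):
    """Map port -> (status, vlan) from 'show interfaces status' output."""
    rows = (STATUS_RE.match(l) for l in text.splitlines())
    return {m.group(1): (m.group(2), m.group(3)) for m in rows if m}

def parse_trunk(text):
    """Map trunk port -> native VLAN from 'show interfaces trunk' output."""
    rows = (TRUNK_RE.match(l) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def audit(status_text, trunk_text):
    """Return baseline violations as strings; an empty list means compliant."""
    findings = []
    for port, (status, vlan) in parse_status(status_text).items():
        if port in TRUNKS:
            continue
        if port in USED_ACCESS:
            if vlan in ("1", "trunk"):          # live access port must not sit in VLAN 1 or trunk
                findings.append(f"{port}: access port in VLAN {vlan}")
        elif not (status == "disabled" and vlan == DEAD_VLAN):   # unused: dead VLAN + shut
            findings.append(f"{port}: unused port is {status} in VLAN {vlan}, expected disabled/{DEAD_VLAN}")
    natives = parse_trunk(trunk_text)
    for port in sorted(TRUNKS):
        if port not in natives:
            findings.append(f"{port}: expected trunk missing from 'show interfaces trunk'")
        elif natives[port] == "1":              # native must be a dedicated unused VLAN
            findings.append(f"{port}: native VLAN is 1, expected a dedicated unused VLAN")
    return findings

# Constructed sample output with two deliberate deviations (Fa0/4 and the native VLAN).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     PC-A               connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        disabled     999        auto    auto  10/100BaseTX
Fa0/4                        notconnect   1          auto    auto  10/100BaseTX
Gi0/1                        connected    trunk      a-full  a-1000 10/100/1000BaseTX
"""
SAMPLE_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
"""
```

Calling `audit(SAMPLE_STATUS, SAMPLE_TRUNK)` lists the two deviations; an empty list means the switch matches the baseline.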
Frequently asked questions
Why move unused ports to a dead VLAN and shut them?
Two independent layers: even if someone re-enables the port, it lands in a VLAN that goes nowhere — physical access alone gains nothing.
Why change the native VLAN off VLAN 1?
VLAN 1 carries control traffic and is the default everywhere — moving native to a dedicated unused VLAN prevents VLAN-hopping tricks and accidental untagged leaks.
What does switchport nonegotiate do?
Disables DTP negotiation — the port won't respond to trunk-forming attempts, closing a classic switch-spoofing vector.