Cisco Access layer best security practice
As we all know, Layer 2 security plays a vital role in securing the internal network against network threats. As technology advances, attackers become more advanced too and generate different kinds of threats in networks.
Note: All configurations and tips follow Cisco IOS and are based mostly on Cisco switches; we focus on quick, step-by-step configurations.
Without wasting time, let's start the discussion of HOW TO SECURE LAYER 2.
VLANS
- All unused ports should be in shutdown mode. Avoid using the default VLAN (VLAN 1) for anything; put unused ports in a VLAN that is not used for normal operations.
- Spanning Tree Protocol should be enabled on your access switches. It is enabled by default on Cisco switches.
VTP
- If you configure VTP in your network, all access switches should be in client mode or transparent mode. The link below gives a detailed discussion of VTP configuration.
Port Security
Use the port security feature on Cisco switches to restrict users by their MAC address. The link below covers port security deployment.
Use SSH
Use SSH instead of Telnet for a better security mechanism, and apply the command below under the line VTY configuration:
line vty 0 15
transport input ssh
Restrict Management
Also restrict the management VLAN so that no one can access your switch through SSH/Telnet; this access should be enabled only on the specific VLAN used for administration. You can use an access list applied to the VTY lines to secure management access. An example is given below:
ip access-list extended Restrict-SSH
remark allow management access only from the 10.0.241.0/24 administration subnet
permit ip 10.0.241.0 0.0.0.255 any
deny ip any any
Now apply this access list under the line VTY configuration as follows:
line vty 0 4
access-class Restrict-SSH in
password cisco123
transport input ssh
login local
Disable CDP
Also disable CDP wherever you can manage to disable it, by applying the command mentioned below:
Trunk Port
Trunk ports are very critical, so you should configure dedicated VLANs on trunk ports; for this, always use the trunk allowed VLAN command on your trunk ports. The commands are mentioned below:
Note: If you have configured a port channel, run the trunk allowed VLAN command on the port-channel interface, as mentioned below:
Switches Passwords
All access switches should have strong passwords, including the enable password, console password and SSH password, and always use the service password-encryption command so that passwords are not shown in clear text in show running-config / startup-config. Note that service password-encryption only obscures passwords in the configuration; it is not strong encryption.
Port level security
Use port-level security on Cisco switches to prevent threats:
- Port security
- IP Source Guard
- DHCP Snooping
- Shut down unused ports
- ARP security (if applicable)
- Dynamic ARP Inspection (apply on interfaces)
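As an added example (not part of the original post), here is a small Python script that reads a running-config text and flags the gaps in this checklist: missing global commands, active ports still in VLAN 1 or without port security, trunks without an allowed-VLAN list, and VTY lines that still accept Telnet or have no access-class. The sample configuration inside it is constructed, and the parser only understands the simple interface/line sections shown here.

```python
import re
SAMPLE_CONFIG = """\
! constructed sample running-config excerpt, not taken from a real device
vtp mode server
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
line vty 0 4
 transport input telnet ssh
 login local
"""
GLOBAL_CHECKS = {  # expected global command -> regex matched against each global line
    "service password-encryption": r"^service password-encryption$",
    "no cdp run": r"^no cdp run$",
    "vtp mode client/transparent": r"^vtp mode (client|transparent|off)$",
    "ip dhcp snooping": r"^ip dhcp snooping$",
    "ip arp inspection vlan": r"^ip arp inspection vlan ",
}
def parse(config):  # -> (global lines, {"interface X" / "line vty ...": [indented lines]})
    glob, sections, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and cur is not None:
            sections[cur].append(line)
        elif line.startswith(("interface ", "line ")):
            cur, sections[line] = line, []
        else:
            cur = None
            glob.append(line)
    return glob, sections
def audit(config):  # returns a list of finding strings; empty means every check passed
    glob, sections = parse(config)
    found = [f"global: missing '{name}'" for name, pat in GLOBAL_CHECKS.items()
             if not any(re.match(pat, c) for c in glob)]
    for hdr, body in sections.items():
        has = lambda prefix: any(c.startswith(prefix) for c in body)
        def need(ok, msg):  # record a finding when a required setting is absent
            if not ok: found.append(msg)
        if hdr.startswith("interface") and "shutdown" not in body:  # active ports only
            if "switchport mode trunk" in body:
                need(has("switchport trunk allowed vlan"), f"{hdr}: trunk without allowed VLAN list")
            else:  # access port: must leave default VLAN 1 and run port security
                in_vlan = any(re.match(r"switchport access vlan (?!1$)\d+$", c) for c in body)
                need(in_vlan, f"{hdr}: active access port left in default VLAN 1")
                need(has("switchport port-security"), f"{hdr}: port security not enabled")
        elif hdr.startswith("line vty"):
            need("transport input ssh" in body, f"{hdr}: transport input is not SSH only")
            need(has("access-class "), f"{hdr}: no access-class restricting management")
    return found
```

Running audit(SAMPLE_CONFIG) reports ten findings for the constructed excerpt; a fully hardened config returns an empty list.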
You can also mail us about any kind of network issue; we will respond within 4 to 5 hours.
****Email****
aqlearninghub@gmail.com
****Facebook****
https://www.facebook.com/AQLearningcenter/
Regards,
AQ Learning Center