Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

hardening access layer switches / security

Hi all

Can anyone give me some tips for hardening my cisco 2960s for the access layer, I wont be using switchport security, I want some best practices, ie ssh, stp etc etc.


VIP Super Bronze

Re: hardening access layer switches / security


Re: hardening access layer switches / security

look into root guard, bpdu guard/filter...

also, statically set switchports:

switchport mode access

switchport nonegotiate

vtp transparent mode

don't use vlan 1, use a different native/mgmt vlan.

enable ssh version 2 only

put an access-class on the vty lines

enable aaa

statically define your spanning-tree root.

disable cdp where appropriate

service password-encryption

set up an ntp/syslog server,then:

service timestamps log datetime msec localtime put timestamps on log messages

shutdown unused ports

those are off the top of my head.

New Member

Re: hardening access layer switches / security

Some other ideas for you :

If you dont like port security try using it with error disable recovery. This way you can be alerted to the breach and the port will recover itself in a configurable amount of time (prevents arp spoofing and DoS attacks)

Dynamic ARP inspection (prevents man in the middle attacks, now supported on the 2960 with the latest IOS)

IP Source Guard

DHCP Snooping

Private Vlans (great for helping to secure your client access vlans)

Broadcast / Multicast Suppression.


New Member

Re: hardening access layer switches / security

Try this

The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs.