LAN Security


Today, network attacks are most often generated from within the local area network. This may be due to the fact that network perimeter defenses have improved with newer and more advance firewall and intrusion detection technologies. Even though perimeter defenses have improved, the entire network can still be compromised from within, by an untrained or trained user, who unknowingly or knowingly, unleashes an attack from within the network.

Layer 2 Switch Security

Layer 2 Switch Security Best Practice

1. Manually configure all user ports as access ports (unless connected VOIP Phone)
2. Do not use default VLAN – VLAN 1
3. Disable CDP on all ports (useful for ports used for VOIP phones)
4. Enable PortFast on all access ports
5. Enable BPDU guard on all access ports
6. Configure port-security for access ports.
7. Disable all unused ports
8. Manually configure all trunk ports
9. Do not use default VLAN – VLAN 1
10. Do not use defualt native VLAN – VLAN 1
11. Disable DTP on all trunk ports
12. Enable root guard on STP root ports

IOS Commands

S1(config)#int range fa0/1-24
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 22
S1(config-if)#no cdp enable
S1(config-if)#spanning-tree portfast
S1(config-if)#spanning-tree bpduguard enable

S1(config)#int range fa0/1-4
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security violation shutdown
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security aging time 120
S1(config-if)#storm-control broadcast level 75.5
S1(config-if)#storm-control action shutdown

S1(config)#int range Gig1/1-2
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk allowed vlan 20,30,40,91
S1(config-if)#switchport trunk native vlan 91
S1(config-if)#switchport nonegotiate
S1(config-if)#no cdp enable

S2(config-if)#spanning-tree guard root
S3(config-if)#spanning-tree guard root

S1#show vlan
S1#show interfaces switchport
S1#show running-config
S1#show port-security
S1#show storm-control
S1#show spanning-tree

S1(config)#spanning-tree portfast default
S1(config)#spanning-tree portfast bpduguard default

Video Tutorials

If you want to follow along with the video, click here to download the Packet Tracer starter file:

In part 1, I diagram a sample local area network and discuss layer 2 security and attacks

In part 2, I configure all of the switchports with: user access mode, an unused VLAN, CDP disabled, portfast and bpduguard enables, and all unused ports shutdown

In part 3, I configure port-security and storm control on the active user switchports

In part 4, I manually configure the trunk ports, disallow the default VLAN, configure the Native VLAN
with an unused VLAN, disable DTP, and configure Spanning Tree root guard

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published.