How to secure your Cisco Catalyst switch

Below is a guide to the main areas and features that you should be aware of to ensure that your Cisco Catalyst switch is fully secured within your network.


First of all, the passwords are configured. One password is used for the enable password; the other will later be assigned to the console port.

enable secret [password]
username admin password [password]


The console port is secured by setting a timeout value along with assigning the previously configured username and password.

line console 0
exec-timeout 30
login local


By default the HTTP server is enabled. This can be disabled unless otherwise required.

no ip http server
no ip http secure-server

4. CDP

CDP can be used as an attack vector. To disable CDP run the following command:

no cdp run


By default ports are set to dynamic desirable, meaning that they can become either a trunk port or an access port depending on what you plug in. To ensure that a rogue device cannot be plugged in and a trunk formed (meaning all VLAN traffic would be sent out of this port), a switchport can be configured to operate in access mode only.

(config-if)# switchport mode access 


Cisco provides the ability, via the port-security commands, to limit the number of MAC addresses that can populate the MAC address table via a specific port. This can prevent potential CAM overflow attacks.

Note : When you enter the default value the full command will not be displayed via a `show run`

(config-if)# switchport port-security
(config-if)# switchport port-security maximum 1 [1 is default]
(config-if)# switchport port-security violation shutdown [shutdown is default]

The violation options are :

shutdown (default) – The interface is transitioned to the error-disable state, which in turn blocks all traffic.
protect – Frames from MAC addresses other than the permitted addresses are dropped; traffic from allowed addresses is permitted to pass normally.
restrict – The same as protect mode but additionally generates a syslog message.

Sticky MAC allows the configured number of MAC addresses that enter the port to be assigned to it; any further MACs are denied. Learnt addresses are added to the switch's configuration, much the same as if you were to explicitly define the allowed address via the port security command, such as :

(config-if)# switchport port-security mac-address [mac]

To enable port-security sticky the following command can be used :

(config-if)# switchport port-security mac-address sticky

Below are the main show commands :

show port-security interface fastethernet 0/8
show port-security 


Intruders can attempt to take over the root bridge role. Changing the root bridge can allow them to force traffic over an alternative STP path that is possibly slower, and also to span traffic from the switch that they have forced to become the root bridge.

To guard against this you can use the root guard feature. If someone plugs a switch into this port and tries to make it the root bridge, the switch will place the port into a “blocking” state.

(config-if)# spanning-tree guard root

BPDU guard ensures that no STP protocol traffic (BPDUs) is sent over ports that are designated as access ports.

(config-if)# spanning-tree bpduguard enable
(config-if)# spanning-tree portfast

You can also enable this globally on any port that has portfast enabled by running the following command:

(config)# spanning-tree portfast bpduguard default
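
The settings covered so far (HTTP server, CDP, access mode, port security and BPDU guard) can be checked offline against a saved `show run`. The Python sketch below is an added example, not part of the original guide; the sample configuration is constructed and the names `interfaces` and `audit` are hypothetical.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE = """\
no ip http server
ip http secure-server
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport port-security violation restrict
interface FastEthernet0/24
 switchport mode trunk
"""

def interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = found.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return found

def audit(config):
    """Return (scope, finding) pairs for hardening steps that are missing."""
    lines = {l.strip() for l in config.splitlines()}
    out = [("global", f"missing '{c}'") for c in
           ("no ip http server", "no ip http secure-server", "no cdp run")
           if c not in lines]
    global_guard = "spanning-tree portfast bpduguard default" in lines
    for name, cmds in interfaces(config).items():
        if "switchport mode trunk" in cmds:
            continue  # deliberate trunk: access-port checks do not apply
        if "switchport mode access" not in cmds:
            out.append((name, "not forced to access mode"))
        # Defaults (maximum 1, violation shutdown) are hidden in `show run`,
        # so only the bare enabling command is required.
        if "switchport port-security" not in cmds:
            out.append((name, "port-security not enabled"))
        if "spanning-tree bpduguard enable" not in cmds and not (
                global_guard and "spanning-tree portfast" in cmds):
            out.append((name, "no BPDU guard"))
    return out
```

On the sample, FastEthernet0/2 is flagged even though it carries a `violation` line, because port security only takes effect once the bare `switchport port-security` command is present on the interface.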


DHCP attacks can cause network outages and can also become a catalyst for man in the middle attacks. A man in the middle attack is produced by a rogue DHCP server replying to DHCP requests and handing clients a default gateway that points to itself. The rogue device then receives the traffic, sniffs it and passes it on to its own default gateway.

DHCP Snooping – DHCP Snooping is intended to prevent a malicious user from pretending to be the network DHCP server. This is achieved via :

  1. Telling the switch which port(s) the DHCP server is connected to via issuing the ip dhcp snooping trust command.
  2. DHCP snooping building a table of all DHCP REQUESTS and OFFERS, which it then uses to determine malicious intent.

Note : DHCP snooping also provides security against ARP spoofing. Due to the switch building a table of all DHCP requests and responses it can determine if a rogue ARP response is sent from a device based on the information within its table.

Below we stop DHCP replies on the following VLANs.

(config)# ip dhcp snooping vlan 1,4,3

As our DHCP server is on port 24 we allow DHCP

(config)# interface fastethernet 0/24
(config-if)# ip dhcp snooping trust

DHCP rate limiting prevents pool exhaustion. The example below would allow for 3 DHCP replies per second.

(config-if)# ip dhcp snooping limit rate 3
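
The decisions described above (trusted server port, binding table, rate limit, and the table lookup used against spoofed ARP replies) can be followed in a small simulation. This Python model is an added example, not part of the original guide and not Cisco's implementation; the class, the port numbers other than 24, the addresses and the assumption that a port exceeding the rate is disabled are all constructed for illustration.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

class SnoopingModel:
    """Simplified model of DHCP snooping; not Cisco's implementation."""

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit      # DHCP packets/second per untrusted port
        self.counts = defaultdict(int)    # (port, second) -> packets seen
        self.disabled = set()             # ports shut down for exceeding the rate
        self.pending = {}                 # client MAC -> port its request came in on
        self.bindings = {}                # client MAC -> (leased IP, client port)

    def dhcp(self, second, port, msg, client_mac, ip=None):
        """Return the action taken for one DHCP message arriving on `port`."""
        if port in self.disabled:
            return "drop: port disabled"
        if port not in self.trusted:
            self.counts[(port, second)] += 1
            if self.counts[(port, second)] > self.rate_limit:
                self.disabled.add(port)
                return "drop: rate limit exceeded, port disabled"
            if msg in SERVER_MSGS:
                return "drop: server message on untrusted port"
            self.pending[client_mac] = port
        elif msg == "ACK" and client_mac in self.pending:
            self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
        return "forward"

    def arp_matches_binding(self, port, sender_mac, sender_ip):
        """True if an ARP reply's sender fields agree with the binding table."""
        return self.bindings.get(sender_mac) == (sender_ip, port)

def demo():
    """Constructed traffic: server on port 24, client on 1, rogue on 8, flood on 9."""
    sw = SnoopingModel(trusted_ports={24}, rate_limit=3)
    log = [
        sw.dhcp(0, 1, "DISCOVER", "aa:aa"),
        sw.dhcp(0, 8, "OFFER", "aa:aa", "10.0.0.66"),   # rogue server
        sw.dhcp(0, 24, "OFFER", "aa:aa", "10.0.0.10"),
        sw.dhcp(0, 1, "REQUEST", "aa:aa"),
        sw.dhcp(0, 24, "ACK", "aa:aa", "10.0.0.10"),
    ]
    flood = [sw.dhcp(1, 9, "DISCOVER", f"ff:{i:02x}") for i in range(5)]
    return sw, log, flood
```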


9.1 Switch Port Analyser (SPAN)

SPAN ports allow you to send all the traffic from other ports out to a designated port. This is normally configured if you need to either place a standard packet sniffer on the designated port or an IDS/IPS.

(config)# monitor session 1 source interface fastethernet 0/1 - 20 both
(config)# monitor session 1 destination interface fastethernet 0/24

9.2 Private VLANs

PVLANs are VLANs inside of VLANs. This allows you to segregate at a host-to-host level rather than at a subnet level as with conventional VLANs.

9.3 Storm Control

Storm control allows you to configure actions at a port level based on the overall traffic levels that the switch sees on each port. The example below shuts the port down should broadcast traffic reach the configured level of the port's total throughput.

(config-if)# storm-control action shutdown
(config-if)# storm-control broadcast level 70


Rick Donato
