Switchport setup

Started by Nerm, April 01, 2016, 09:07:18 AM


SimonV

Quote from: wintermute000 on April 02, 2016, 04:12:41 AM
I'm not sure of the value of using sw nonegotiate when you're already explicitly setting sw mode access.

nonegotiate completely disables DTP packets on the link, although I wonder what the attack vector could be if it's set at access.

Just stumbled on this book. It's already quite old but it covers a lot on the switch security side.

EOS

In addition to what everyone else has suggested, we use the below statement on our 4500s.

power inline auto max 7700

We know what our VOIP phones pull for power, and anything more than that, we don't like.

icecream-guy

Quote from: SimonV on April 01, 2016, 02:10:57 PM
Quote from: Nerm on April 01, 2016, 01:34:13 PM
Forgive my lack of knowledge but what would be the purpose of making a non-existent/inactive vlan the native vlan?

When someone connects to one of your trunk ports and sends untagged traffic, it gets black-holed. It's a long shot though, there might be better reasons too but that's how I justify it :)


Also stops VLAN hopping attacks.

My Moral Fibers have been cut.

Nerm

Thanks for all the input, guys. Below is what I have decided to go with for now on the access ports. I was debating limiting broadcast/multicast by pps instead of percentage level, so that part may still be up in the air.

switchport mode access
switchport nonegotiate
storm-control broadcast level 10
storm-control multicast level 10
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict

wintermute000

Quote from: ristau5741 on April 04, 2016, 07:11:13 AM
Quote from: SimonV on April 01, 2016, 02:10:57 PM
Quote from: Nerm on April 01, 2016, 01:34:13 PM
Forgive my lack of knowledge but what would be the purpose of making a non-existent/inactive vlan the native vlan?

When someone connects to one of your trunk ports and sends untagged traffic, it gets black-holed. It's a long shot though, there might be better reasons too but that's how I justify it :)


Also stops VLAN hopping attacks.


I've had more than one security guy tell me that this was true in 2003 but hasn't been true in years and years, but for some reason it's still in the CCNA syllabus. I.e. even without taking any special measures, a default trunk config on a modern IOS will stop standard VLAN hopping via double tagging etc.
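
To make concrete what the unused-native-VLAN advice above is defending against, here is an added pure-Python model of the classic double-tagging hop. It is my example, not code from the thread, and it involves no real switch and no packet library: the frames are constructed inline, `access_switch_egress` reproduces the old behaviour in which the access-side switch accepts a tag equal to the port's own VLAN and, because that VLAN is also the trunk's native VLAN, forwards the frame untagged, so the far switch reads the inner tag and drops the frame into the victim VLAN. Setting the trunk's native VLAN to an unused VLAN (999 is an assumed value) makes the frame leave the trunk tagged with the attacker's VLAN and stay there. Whether a given IOS release still behaves like this classic model is exactly what the security people quoted above dispute; the model takes no side on that.

```python
"""Model of 802.1Q double-tagging and the unused-native-VLAN mitigation.
Added example: pure Python, constructed frames, no real switch involved."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def build_frame(dst_mac, src_mac, vids, payload):
    """Ethernet frame with stacked 802.1Q tags, outermost VLAN first (PCP/DEI left 0)."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def pop_tag(frame):
    """(vid, frame without its outer tag), or (None, frame) when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Prepend an 802.1Q tag for vid to an (inner) frame."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_switch_egress(frame, access_vlan, trunk_native_vlan):
    """Frame enters on an access port in access_vlan and leaves on the trunk.

    Classic behaviour being modelled: a tag equal to the port's own VLAN is accepted
    (that acceptance is the flaw), a tag for any other VLAN is dropped, and frames in
    the trunk's native VLAN leave untagged. Returns the frame as sent on the trunk,
    or None if the switch dropped it."""
    vid, inner = pop_tag(frame)
    if vid is None:
        vid = access_vlan                 # untagged ingress: port's access VLAN
    elif vid != access_vlan:
        return None
    return inner if vid == trunk_native_vlan else push_tag(inner, vid)


def trunk_ingress_vlan(frame, trunk_native_vlan):
    """VLAN the far switch assigns to a frame arriving on its trunk."""
    vid, _ = pop_tag(frame)
    return trunk_native_vlan if vid is None else vid


def hop_result(frame, access_vlan, trunk_native_vlan):
    """VLAN the far switch delivers the frame into, or None if it was dropped."""
    on_wire = access_switch_egress(frame, access_vlan, trunk_native_vlan)
    return None if on_wire is None else trunk_ingress_vlan(on_wire, trunk_native_vlan)


ATTACKER_VLAN, VICTIM_VLAN = 10, 20
# Constructed attack frame: outer tag = attacker's own VLAN, inner tag = victim VLAN.
ATTACK_FRAME = build_frame("ffffffffffff", "020000000001",
                           [ATTACKER_VLAN, VICTIM_VLAN], b"constructed payload")

if __name__ == "__main__":
    print("native == attacker VLAN:", hop_result(ATTACK_FRAME, ATTACKER_VLAN, ATTACKER_VLAN))
    print("native = unused VLAN 999:", hop_result(ATTACK_FRAME, ATTACKER_VLAN, 999))
```

The first print shows the hop (frame lands in VLAN 20); the second shows it contained (frame stays in VLAN 10). The model also drops a double-tagged frame whose outer tag does not match the attacker's access VLAN, which is why the attack only works when the attacker sits in the native VLAN.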

scottsee

Assign the ports to a parking lot VLAN; port-security restrict has no effect on VLAN 1. Or at least it didn't about 5 years ago.

Quote from: Nerm on April 01, 2016, 09:07:18 AM
I have been working on creating a template for switchports to throw on new switches that enter our environment. One template for access ports and one for trunk ports. I was curious if anyone else has done similar and what has and hasn't worked for you? As an example, here is what I have so far for access ports. Also, if anyone sees any "that's stupid, don't do that" in this example, let me know. I haven't deployed anything yet, just toying with ideas.

switchport mode access
switchport nonegotiate
storm-control broadcast level 30
storm-control multicast level 50
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict

scott see
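
Once a template like this exists, the next question is whether the switches actually carry it. The following is an added check of my own, not code from anyone in the thread: a stand-alone Python script that parses `show running-config` output and audits it against the access-port template Nerm settled on, plus the trunk-side advice from the thread (native VLAN on a VLAN no access port uses, and `switchport nonegotiate` to stop DTP). The storm-control lines are matched on prefix only, since the thread leaves the percentage-versus-pps choice open, and an access port with no explicit access VLAN is flagged in line with the parking-lot suggestion. The config text is a constructed sample; the list of interface names skipped as non-switchports is an assumption.

```python
"""Audit 'show running-config' text against the access-port template in this thread.
Added example, standard library only; the config below is a constructed sample."""

# Template decided on above. storm-control thresholds match on prefix so that either
# "level <pct>" or "level pps <n>" passes; everything else must appear verbatim.
ACCESS_REQUIRED = (
    "switchport mode access", "switchport nonegotiate",
    "storm-control broadcast", "storm-control multicast", "storm-control action shutdown",
    "spanning-tree portfast", "spanning-tree bpduguard enable",
    "switchport port-security", "switchport port-security maximum 3",
    "switchport port-security aging time 2", "switchport port-security violation restrict",
)
PREFIX_MATCH = {"storm-control broadcast", "storm-control multicast"}
SKIP_PREFIXES = ("Vlan", "Loopback", "Tunnel")   # assumed: not switchports, not audited


def parse_interfaces(text):
    """{interface name: [sub-commands]} from 'show running-config' output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            ifaces[cur] = []
        elif cur is not None and line.startswith(" "):
            ifaces[cur].append(line.strip())
        else:
            cur = None                      # '!' or a global line closes the stanza
    return ifaces


def arg_after(cmds, prefix):
    """First token following `prefix` in the stanza, or None if the command is absent."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix):].split()[0]
    return None


def audit(text):
    """Sorted (interface, finding) tuples; an empty list means everything matched."""
    ifaces = parse_interfaces(text)
    # VLANs carrying access traffic (VLAN 1 when none is set). A trunk's native VLAN
    # must not be one of them, otherwise untagged frames on the trunk land in it.
    in_use = {int(arg_after(c, "switchport access vlan") or 1)
              for c in ifaces.values() if arg_after(c, "switchport mode") == "access"}
    out = []
    for name, cmds in ifaces.items():
        if name.startswith(SKIP_PREFIXES) or "no switchport" in cmds:
            continue
        mode = arg_after(cmds, "switchport mode")
        if mode == "access":
            for req in ACCESS_REQUIRED:
                if not any(c == req or (req in PREFIX_MATCH and c.startswith(req + " "))
                           for c in cmds):
                    out.append((name, f"missing '{req}'"))
            if arg_after(cmds, "switchport access vlan") is None:
                out.append((name, "access VLAN not set, port sits in VLAN 1"))
        elif mode == "trunk":
            native = int(arg_after(cmds, "switchport trunk native vlan") or 1)
            if native in in_use:
                out.append((name, f"native VLAN {native} is in use by access ports"))
            if "switchport nonegotiate" not in cmds:
                out.append((name, "DTP still enabled, add 'switchport nonegotiate'"))
        else:
            out.append((name, "no explicit switchport mode, DTP may negotiate a trunk"))
    return sorted(out)


# Constructed sample: one compliant access port, one sloppy one, one trunk left at the
# defaults, one trunk done per the thread, and one port never configured at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 storm-control broadcast level 10
 storm-control multicast level 10
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/25
!
"""

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Feed it the saved output of `show running-config` in place of the sample and it prints one line per deviation. Note that it treats a port with no `switchport mode` at all as a finding, since such a port is left to DTP, which is the case the `nonegotiate` discussion above is about.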