Week 7Security Fundamentals42 min

Device Hardening and Layer 2 Security

Learning objectives

  • Apply basic Cisco device hardening steps for management access
  • Configure port security to limit MAC addresses on access ports
  • Understand BPDU Guard, root guard, and DHCP snooping at CCNA depth
  • Relate AAA concepts to secure administrative access

Watch first

Recommended video

Security Fundamentals (Day 48)

Video credit: Jeremy's IT Lab

Watch on YouTube
Recommended video

Port Security (Day 49)

Video credit: Jeremy's IT Lab

Watch on YouTube

Plain-English explanation

Device hardening reduces attack surface — strong passwords, disable unused services, use SSH not Telnet, restrict management access with ACLs, and log to Syslog.

Layer 2 security stops switches from being abused — port security limits which MACs can appear on a port; BPDU Guard shuts access ports that receive BPDUs (someone plugged in a switch); DHCP snooping mitigates rogue DHCP servers.

Deep dive

Port security limits learned MAC addresses on access ports.

Port security limits learned MAC addresses on access ports.

Supplementary figure from Panagiss CCNAmd

Out-of-band vs in-band management plane.

Out-of-band vs in-band management plane.

Supplementary figure from Panagiss CCNAmd

Management hardening checklist:

  • service password-encryption
  • Local user + login local or AAA
  • transport input ssh on VTY lines
  • banner motd legal notice
  • Disable unused ports (shutdown) and put in unused VLAN

Port security modes:

| Violation mode | Behavior | |----------------|----------| | Protect | Drop violating traffic, no shutdown | | Restrict | Drop + increment counter + SNMP trap | | Shutdown | Err-disable port (common lab default) |

AAA overview: Authentication (who), Authorization (what), Accounting (log) — TACACS+ for admin, RADIUS for 802.1X common in enterprise.

Step-by-step — port security on access port

interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

Connect one PC — sticky learns MAC. Second unauthorized device triggers err-disable.

Recover: shutdown then no shutdown after fixing cause.

Commands to know

SSH and VTY hardening

hostname SW1 ip domain-name lab.local crypto key generate rsa modulus 2048 ! line vty 0 15 transport input ssh login local

Port security verify

show port-security show port-security interface GigabitEthernet0/5 show errdisable recovery

Troubleshooting

| Issue | Check | |-------|-------| | Port err-disabled | show port-security — violation; show interfaces status err-disabled | | Cannot SSH | Keys missing, VTY ACL, wrong version | | DHCP random clients | Rogue server — DHCP snooping + trusted uplink | | Unexpected STP topology | BPDU filter/guard misapplied |

Document errdisable recovery policy — auto-recovery vs manual fix.

Exam relevance

Exam trap

Port security applies to access ports, not typical trunk uplinks — putting BPDU Guard on access ports prevents user switch loops.

Sticky MAC

sticky learns and writes MAC to running config — survives reload if saved.

Practice checklist

  • Configure SSH-only VTY access on lab router
  • Enable port security with sticky MAC on one port
  • Explain BPDU Guard vs Root Guard purpose difference
  • List three hardening steps beyond passwords
  • Recover an err-disabled port correctly

Which port security violation mode shuts down the port?

Which protocol should replace Telnet for encrypted management?

Video credits

These are free, open educational videos from independent creators. We link and embed them with attribution; all rights belong to the respective channels.