- Prevent physical threats -- Physical threats are threats to the physical switch hardware or the environment the switch works in. For example, an unauthorized person enters the switch closet and turns off the power to the switch, or turns off the air conditioning system in the switch room. The best way to prevent physical threats is to lock your switch in a room that only a few people have access to or even know about.
- Use the IOS command "shutdown" to shut down unused switch ports.
- Use passwords to protect the console port, Telnet port (vty), and privileged EXEC mode. You can set password encryption with the command "service password-encryption" under global configuration mode. Passwords that are displayed or set after the command "service password-encryption" will be encrypted in the output of show commands, such as show running-config. We have a separate post about passwords.
- By default, all switch ports are ready to trunk (accept connections from other switches' ports), which means hackers can attach their own switches to your switch ports. To prevent this, use "switchport mode access" to stop the port from trunking.
- Display a banner before the username and password login prompts by using the command "banner login" under global configuration mode.
- Use the switch's port security feature to control access to a switch port based upon a MAC address. This important switch security feature will be discussed extensively in a separate post.
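
To check a saved configuration against the list above, here is a small audit script. It is an added example, not part of the original post; the sample configuration is constructed, and the script assumes only physical ports appear as `interface` sections and that lines are protected by a line password as described above (port security is not checked).

```python
# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$constructed
banner login ^CAuthorized access only^C
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
interface FastEthernet0/3
 shutdown
line con 0
 password 7 0000
 login
line vty 0 4
 login
"""

def parse_sections(config):
    """Return (global lines, {section header: [sub-commands]})."""
    globals_, sections, current = [], {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            sections[current] = []
        else:
            current = None
            if line.strip() not in ("", "!"):
                globals_.append(line.strip())
    return globals_, sections

def audit(config):
    """List deviations from the hardening checklist above."""
    globals_, sections = parse_sections(config)
    findings = []
    if "service password-encryption" not in globals_:
        findings.append("global: service password-encryption not set")
    if not any(g.startswith("banner login") for g in globals_):
        findings.append("global: no login banner")
    if not any(g.startswith(("enable secret", "enable password")) for g in globals_):
        findings.append("global: privileged EXEC mode has no password")
    for header, body in sections.items():
        if header.startswith("interface "):
            # Assumes physical ports only: each must be shut down or access-only.
            if "shutdown" not in body and "switchport mode access" not in body:
                findings.append(f"{header}: neither shut down nor access mode")
        elif not any(cmd.startswith("password ") for cmd in body):
            findings.append(f"{header}: no password set")
    return findings
```

Pass `audit()` the text of a `show running-config` capture; for the sample it reports FastEthernet0/2 (still able to trunk) and the vty lines (no password).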