Security Hardening — IOS-XE

Cisco Access Switch Security Hardening Guide

A complete hardening checklist for Cisco Catalyst access switches. Every command explained — and automatically applied when you generate a config with netconfgen.


Why harden your access switches?

Access switches are the first line of defense in your network — every endpoint, workstation, IP phone, and access point connects here before anything else. The default IOS-XE configuration that ships from Cisco is designed for compatibility, not security: Telnet is enabled, passwords are stored in cleartext, and there is no brute-force protection on the management plane.

One misconfigured access switch can expose the entire network segment to ARP spoofing, rogue DHCP servers, STP manipulation, and unauthorized management access. Hardening is not optional — it is the minimum baseline every production switch should meet before it leaves the staging rack.

The complete IOS-XE hardening checklist

01. ip ssh version 2
    Enforce SSH version 2 only. SSHv1 has known cryptographic weaknesses, and Telnet should be disabled entirely.
02. no ip domain-lookup
    Prevent the switch from hanging for 30 seconds on a mistyped command while it tries to resolve it as a hostname.
03. spanning-tree portfast bpduguard default
    Protect access ports from rogue switches and STP manipulation: any PortFast-enabled port that receives a BPDU is shut down.
04. spanning-tree loopguard default
    Prevent loops caused by unidirectional link failures, where BPDUs stop flowing in one direction.
05. storm-control broadcast level 20.00
    Limit broadcast storms that can take down the entire VLAN; combined with storm-control action shutdown, the port is shut down when the threshold is exceeded.
06. ip dhcp snooping vlan [vlans]
    Block rogue DHCP servers on access ports: only the uplink is trusted. Prevents IP address hijacking.
07. ip arp inspection vlan [vlans]
    Prevent ARP spoofing and man-in-the-middle attacks by validating ARP packets against the DHCP snooping binding table.
08. vlan 999 / name BLACKHOLE
    Assign all unused ports to a dead VLAN and never leave them on VLAN 1. Those ports are also administratively shut down.
09. login block-for 120 attempts 3 within 60
    Block SSH brute-force attempts automatically: the management plane is locked for 120 seconds after 3 failed logins within 60 seconds.
10. service password-encryption
    Encrypt all passwords stored in the running config so that cleartext credentials cannot be read from a config export.

Hardening config example

Security hardening — IOS-XE access switch
! Security hardening — IOS-XE
! Management plane: SSHv2 only, idle timeout, retry limit, no DNS lookups on typos
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip domain-lookup
service password-encryption
! Brute-force protection: 3 failures within 60 s block logins for 120 s; every failure is logged
login block-for 120 attempts 3 within 60
login on-failure log
!
! Spanning tree: Rapid PVST+ with BPDU Guard and Loop Guard enabled by default
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
!
! DHCP snooping and Dynamic ARP Inspection scoped to the user VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20,99
ip arp inspection vlan 10,20,99
!
! Dead VLAN for unused ports
vlan 999
 name BLACKHOLE
!
! Access ports: broadcast storm control with shutdown action, DHCP request rate limit
interface range GigabitEthernet1/0/1-48
 storm-control broadcast level 20.00
 storm-control action shutdown
 ip dhcp snooping limit rate 15
 no ip proxy-arp
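As an added example, not part of this guide or of netconfgen, the following Python audit checks an exported running-config against the ten checklist items above and reports what is missing. SAMPLE_CONFIG is built from the config example on this page; the function names, the exact-line matching rules and the finding texts are this example's own assumptions.

```python
# Constructed sample: the page's global hardening commands as a running-config excerpt.
SAMPLE_CONFIG = """\
ip ssh version 2
no ip domain-lookup
service password-encryption
login block-for 120 attempts 3 within 60
spanning-tree portfast bpduguard default
spanning-tree loopguard default
ip dhcp snooping
ip dhcp snooping vlan 10,20,99
ip arp inspection vlan 10,20,99
vlan 999
 name BLACKHOLE
"""
# Checklist items 01-04, 09 and 10 (plus the global DHCP snooping switch): exact lines required.
REQUIRED_GLOBAL = ("ip ssh version 2", "no ip domain-lookup", "service password-encryption",
                   "spanning-tree portfast bpduguard default", "spanning-tree loopguard default",
                   "login block-for 120 attempts 3 within 60", "ip dhcp snooping")
# Item 05: every interface stanza must carry both storm-control commands.
REQUIRED_INTERFACE = ("storm-control broadcast level 20.00", "storm-control action shutdown")

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,99' into a set of VLAN IDs."""
    vlans = set()
    for lo, _, hi in (p.strip().partition("-") for p in spec.split(",")):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_config(config, user_vlans):
    # Returns a list of findings; an empty list means the config meets the checklist.
    lines = [l.rstrip() for l in config.splitlines()]
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in lines]
    # Items 06 and 07: snooping and DAI must cover every user VLAN, ranges included.
    for feature in ("ip dhcp snooping", "ip arp inspection"):
        covered = set().union(*(parse_vlan_list(l.split()[-1])
                                for l in lines if l.startswith(f"{feature} vlan ")))
        findings += [f"{feature} not enabled for VLAN {v}" for v in sorted(set(user_vlans) - covered)]
    # Item 08: the BLACKHOLE VLAN must be defined.
    if "vlan 999" not in lines or not any(l.strip() == "name BLACKHOLE" for l in lines):
        findings.append("BLACKHOLE VLAN 999 is not defined")
    # Walk interface stanzas: indented lines belong to the open stanza, anything else closes it.
    stanza, body = None, []
    for line in lines + ["!"]:                       # sentinel closes the last stanza
        if stanza and line.startswith(" "):
            body.append(line.strip())
        else:
            if stanza:
                findings += [f"{stanza}: missing {c}" for c in REQUIRED_INTERFACE if c not in body]
            stanza, body = (line, []) if line.startswith("interface ") else (None, [])
    return findings
```

Run it against the output of show running-config with the list of user VLANs the switch serves; a port that carries storm-control but not the shutdown action, or a VLAN range that leaves one user VLAN uncovered, shows up as a separate finding.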

Why automate hardening?

Consistency
Manual configs depend on who wrote them that day. netconfgen applies the same hardening baseline every single time — regardless of experience level or time pressure.
Speed
Reviewing a junior's config for hardening compliance takes 45 minutes. Generating a pre-hardened config takes 30 seconds. The review then becomes a quick sanity check, not a line-by-line audit.
No forgotten commands
no ip domain-lookup is easy to forget. BLACKHOLE VLAN 999 is easy to skip under deadline pressure. netconfgen never forgets — every command in the checklist is applied automatically.

Frequently Asked Questions

Which Cisco Catalyst models are supported?
Yes — netconfgen supports 25 Cisco Catalyst models including the 9300, 9200, 3850, 2960X and 1000 series. Security hardening is applied automatically to every model, with platform-specific adjustments (for example, OOB management port on the 9300 versus SVI management on the 2960X).

What does BPDU Guard do?
BPDU Guard shuts down an access port if it receives a BPDU, which indicates that a switch or other rogue device has been connected to an access port. It protects your spanning-tree topology from unauthorized changes. When triggered, the port goes into the err-disabled state and requires manual recovery.

Should DHCP snooping be enabled on every VLAN?
Yes — DHCP snooping should be enabled on all user VLANs. Access ports are untrusted by default; only the uplink to your core switch should be marked as trusted with ip dhcp snooping trust. netconfgen scopes snooping to your configured VLANs and marks the uplink as trusted automatically.

What is VLAN 999 BLACKHOLE?
VLAN 999 BLACKHOLE is a dedicated VLAN for unused ports. All inactive ports are assigned to this VLAN and shut down. Even if someone plugs a cable into an unused port, they cannot reach any production VLAN. The VLAN itself is not routed or trunked to any uplink; it is a true dead end.

Generate a hardened config now

All these commands applied automatically. Free to try.
