Configure Cisco Secure Switch Port for Single Host
#Switch L2 Security and Recommendations
#Configure a single-host (workstation) access port
ASw1#configure terminal
ASw1(config)#interface fastEthernet 0/1
ASw1(config-if)#description PC-10-ROOM50
ASw1(config-if)#duplex full
ASw1(config-if)#speed 100
ASw1(config-if)#no shutdown
ASw1(config-if)#switchport mode access
ASw1(config-if)#switchport access vlan X
ASw1(config-if)#switchport nonegotiate ! (Stop sending DTP frames so the port cannot be negotiated into a trunk)
#CDP
ASw1(config-if)#no cdp enable
#Port-Security
ASw1(config-if)#switchport port-security
ASw1(config-if)#switchport port-security maximum 1
ASw1(config-if)#switchport port-security mac-address 00c0.9fa3.9d4a
ASw1(config-if)#switchport port-security violation shutdown
ASw1(config)#errdisable detect cause security-violation
ASw1(config)#errdisable recovery cause security-violation
#PortFast and Bpduguard
ASw1(config-if)#spanning-tree portfast ! (Enable STP feature PortFast)
ASw1(config-if)#spanning-tree bpduguard enable ! (If any BPDU is received, the port is moved to err-disabled state)
ASw1(config)#errdisable detect cause bpduguard
ASw1(config)#errdisable recovery cause bpduguard
#DHCP Snooping
ASw1(config)#ip dhcp snooping ! (Global: enables DHCP snooping on the switch)
ASw1(config)#ip dhcp snooping vlan X ! (Per VLAN)
ASw1(config)#ip dhcp snooping information option ! (Global: insert DHCP option 82 relay information)
ASw1(config-if)#ip dhcp snooping limit rate 5 ! (Permit 5 DHCP packets per second; if the rate is exceeded the port moves to err-disabled state)
ASw1(config)#errdisable detect cause dhcp-rate-limit
ASw1(config)#errdisable recovery cause dhcp-rate-limit
#Set the trusted interface toward the DHCP server (trunk/uplink links only, never the host port)
ASw1(config-if)#ip dhcp snooping trust
#Configure Errdisable recovery interval
ASw1(config)#errdisable recovery interval 300 ! (seconds; 5 minutes)
#Resulting interface configuration
ASw1#show running-config interface fastEthernet 0/1
!
interface FastEthernet0/1
description PC-10-ROOM50
speed 100
duplex full
switchport access vlan 101
switchport mode access
switchport nonegotiate
switchport port-security maximum 1
switchport port-security mac-address 00c0.9fa3.9d4a
switchport port-security
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 5
!