Securing Your Switch from the Bottom Up

You just purchased a brand new Cisco Catalyst switch for your expanding business. Fantastic! The question is, how do you secure your new investment? How do you keep your employee and customer data safe, your network running optimally, and the switch itself away from harm? While there are many approaches to security, even the most basic actions will help you fight off the vast majority of attacks from outside and even inside your company. In 1983 a document came out called The Basic Reference Model for Open Systems Interconnection, more commonly referred to as the OSI model (Kozierok, 2005). The OSI model has seven layers: physical, data link, network, transport, session, presentation, and application. If you secure your switch at each of these layers, an attacker will have a much harder time getting into it. While every one of these layers can be secured, in this post I will briefly explain methods for the physical, data link, and network layers. These are the layers a switch itself operates at, so they are where it is most exposed to attack and where a compromise does the most damage to your internal network and data. Without further delay, here we go.

Layer 1 Physical: This layer is far simpler than you might imagine. Securing it is just a matter of putting your switch in a location where only authorized personnel have access to it. For example, keep the door to your networking closet locked, and if possible put a lock on the rack or case that the switch is in. While securing this layer is straightforward, failing to do so makes every other method in this post not worth performing. Anyone who can reach the console port can, for instance, run the vendor's password-recovery procedure and reset the login credentials, or simply plug into whichever port they like. Physical access is full access.

Layer 2 Data Link: The data link layer is all about which physical machines can talk to your switch through any given port. While there are many approaches to securing your switch at this layer, I will briefly explain the key ones. The first thing to do is to shut down any and all unused ports on your switch. An administratively down port will not send or receive data, so someone who plugs into it gets nothing. The next approach is to use port security to restrict which MAC addresses (and how many of them) are allowed on each port. When these rules are violated you can configure the switch to either quietly drop the offending traffic, drop it and log the violation, or shut the port down completely. Keep in mind that a MAC address is easy to spoof, so port security raises the bar against casual plugging-in and MAC-flooding attacks rather than against a patient attacker who has already learned an allowed address. Look at the documentation from your switch provider to determine how to accomplish this with your switch.
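Here is what the two data link controls above look like as Cisco IOS configuration on a Catalyst switch. This is an added example written for this post, not configuration from the original article or from Cisco; the interface numbers (ports 1 to 12 in use, 13 to 24 unused), the port counts and the recovery timer are assumptions you will need to adjust to your own switch model and wiring.

```cisco
! Added example: shutting down unused ports and enabling port security.
! Interface ranges below are hypothetical; check "show interfaces status"
! on your switch to find out which ports are really unused.
!
! 1. Administratively shut down every unused port (ports 13-24 assumed unused).
interface range GigabitEthernet1/0/13 - 24
 description UNUSED - administratively down
 switchport mode access
 shutdown
!
! 2. Port security on the ports that are in use (ports 1-12 assumed to be desks).
!    Port security only works on access ports, so force access mode first.
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Violation modes, matching the choices described in the post:
!   protect  - silently drop frames from unknown MAC addresses ("ignore/drop")
!   restrict - drop them and log / send an SNMP trap, so you hear about it
!   shutdown - put the port into err-disabled state ("shut the port down")
!
! 3. Optional: let err-disabled ports recover on their own after 5 minutes
!    (300 seconds is an assumed value), so a violation does not need a site visit.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The "sticky" option makes the switch learn the first MAC address it sees on each port and write it into the running configuration, so remember to save the configuration afterwards. To check the result, use show port-security interface GigabitEthernet1/0/1 for one port and show port-security address to list every learned address; a port that has been err-disabled by a violation shows up in show interfaces status as err-disabled.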

Layer 3 Network: The network layer makes decisions based on the IP address of the machine sending the traffic. Securing this layer lets you protect your switch not just from local attacks but from attacks from all across your network and the internet. Controlling what each IP address can do is very important. For example, only allowing a certain range of IP addresses to reach SSH on your switch, or only allowing certain IP addresses to go to certain parts of your network. Controlling the layer 3 access of machines is done through access lists. Remember that an access list ends in an implicit deny, so anything you do not explicitly permit is dropped. Consult your vendor's documentation on how to create and implement access lists for your device.
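Below are both uses of access lists mentioned above, again as Cisco IOS configuration written for this post rather than taken from the original article or from Cisco. The addresses (a management network of 10.10.50.0/24, a guest VLAN 200 on 10.10.200.0/24 and a server network of 10.10.10.0/24), the ACL names and the VLAN numbers are all assumptions; the second part also assumes the switch is doing the routing between those VLANs.

```cisco
! Added example, part 1: only the management network may open SSH to the switch.
! A standard ACL on the vty lines filters by source address; everything that is
! not permitted hits the implicit deny at the end of the list.
ip access-list standard MGMT-ACCESS
 remark Management stations allowed to reach the switch over SSH (assumed range)
 permit 10.10.50.0 0.0.0.255
 deny   any log
!
! SSH needs a hostname, a domain name and an RSA key before "transport input ssh"
! will accept connections. The names here are placeholders.
hostname core-sw1
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Added example, part 2: keep the guest VLAN away from the internal servers.
! An extended ACL is applied inbound on the guest VLAN's routed interface (SVI),
! so guest traffic is checked as it enters the switch from that VLAN.
ip access-list extended GUEST-VLAN-IN
 remark Guests (10.10.200.0/24) may not reach the server network (10.10.10.0/24)
 deny   ip 10.10.200.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark Everything else (internet, DNS, etc.) is still allowed
 permit ip any any
!
interface Vlan200
 description Guest VLAN (assumed)
 ip access-group GUEST-VLAN-IN in
```

Two things to watch for: order matters in an ACL, so the specific deny has to come before the broad permit; and without the final permit ip any any the implicit deny would cut the guest VLAN off from everything, not just from the servers. Use show access-lists to see per-entry hit counters, which is the quickest way to confirm the list is matching the traffic you intended.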

Once you have applied these methods to your networked switches, an attacker will be much less likely to break into your switch configuration or access your information. Of course, the best approach is still to consult with an IT security expert you trust. And if you still need an expert you can trust, just contact us today!


Kozierok, C. M. (2005, September 20). History of the OSI Reference Model. Retrieved from
