• Spanning Tree
• SSH
• NTP
• Activate AAA Radius-Server
• Activate DHCP Snooping
• Remove VLAN

Spanning Tree

conf
spanning-tree 1-44 bpdu-protection
loop-protect 1-44
loop-protect disable-timer 180

spanning-tree force-version rstp-operation

SSH

conf
crypto key generate ssh
ip ssh
no telnet-server

NTP

conf
timesync sntp
sntp unicast
sntp server 192.168.1.100

Activate AAA Radius-Server

radius-server host 192.168.1.100 key "supersecretpassword"

aaa authentication port-access eap-radius
aaa port-access authenticator 1-44
aaa port-access authenticator 1-44 client-limit 2

aaa port-access authenticator active

aaa port-access mac-based 1-44
aaa port-access mac-based 1-44 addr-limit 2
aaa port-access mac-based 1-44 logoff-period 9999999
aaa port-access mac-based 1-44 unauth-vid 192

aaa port-access 1-44 controlled-direction in

Activate DHCP-Snooping

vlan 1
name "DEFAULT VLAN"
untagged 1-52
ip address 192.168.5.252 255.255.255.0
exit

Configure the VLAN with an IP Helper Address for the DHCP Server

conf
vlan 1
ip helper-address 192.168.1.100

Then enable DHCP snooping globally on the switch.

# enable dhcp-snooping
dhcp-snooping
# configure the authorized dhcp server
dhcp-snooping authorized-server 192.168.1.100
# disable option 82 insertion
no dhcp-snooping option 82
# enable dhcp-snooping for specific vlans only
dhcp-snooping vlan 1-255
# activate trust to the uplink ports to allow dhcp communication
dhcp-snooping trust 45-48

Troubleshooting

show dhcp-snooping
show dhcp-snooping stats
show dhcp-snooping binding
# debug further
debug destination session
debug security dhcp-snooping
# stop debugging
no debug security dhcp-snooping

VLAN Voice

Remove VLAN

# enter configuration mode
conf
# enter the context of the vlan to be removed
vlan <vid>
# remove ip address from vlan
no ip address x.x.x.x y.y.y.y
# return to config context
exit
# remove vlan
no vlan <vid>
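
An added example (not part of the original page): a Python check that reads a saved configuration and reports where it departs from the Spanning Tree, SSH and DHCP snooping lines above. It assumes purely numeric port names and a saved config that contains the commands in the form typed on this page; the function names and the sample config are constructed for illustration.

```python
import re

def expand_ports(spec):
    """Expand a port list such as '1-44,47' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def ports_for(lines, pattern):
    """Union of the port lists captured by pattern over the config lines."""
    matches = (re.fullmatch(pattern, line) for line in lines)
    return set().union(*(expand_ports(m.group(1)) for m in matches if m))

def audit(config, access_ports):
    """Return findings for a saved configuration (assumed numeric port names)."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    for required in ("no telnet-server", "ip ssh", "dhcp-snooping"):
        if required not in lines:
            findings.append(f"missing line: {required}")
    bpdu = ports_for(lines, r"spanning-tree ([\d,-]+) bpdu-protection")
    loop = ports_for(lines, r"loop-protect ([\d,-]+)")
    trust = ports_for(lines, r"dhcp-snooping trust ([\d,-]+)")
    for name, covered in (("bpdu-protection", bpdu), ("loop-protect", loop)):
        missing = sorted(access_ports - covered)
        if missing:
            findings.append(f"{name} missing on ports {missing}")
    # A trusted port accepts DHCP server replies, so it must be an uplink only.
    trusted_access = sorted(access_ports & trust)
    if trusted_access:
        findings.append(f"dhcp-snooping trust on access ports {trusted_access}")
    return findings

# Constructed sample: the page's commands with three deliberate gaps.
SAMPLE = """\
spanning-tree 1-40 bpdu-protection
loop-protect 1-44
loop-protect disable-timer 180
ip ssh
dhcp-snooping
dhcp-snooping trust 44-48
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, expand_ports("1-44"))))
```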