Command syntax differs from vendor to vendor, but the features are much the same; the examples here use Cisco configuration.

Switches are hard to manage centrally: there are many brands and many units, they face the user side, and there is the problem of privately attached devices. Few tools can check them comprehensively, which makes them the weak spot of most companies and schools. The fix is to shut down unused ports, disable unneeded services on PC-facing ports, and detect loops. These controls take a lot of time to put in place, but once done they save a great deal of trouble, especially in schools.
Reference: Cisco document
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.html
Clear the configuration
del flash:vlan.dat
write erase
reload
Set the hostname
enable
configure terminal
hostname demo-switch-1
Set the account and password
ip domain name demo.com
crypto key generate rsa
512
! 512 is the modulus size used in this post (typed at the "How many bits in the modulus" prompt); current Cisco guidance is a modulus of 2048 bits or more
enable secret level 15 demoenablepassword
username demoname privilege 15 secret demopassword
Change the login method from telnet to SSH
line vty 0 4
exec-timeout 180
login local
transport input ssh
exit
Console: local-account login
line con 0
login local
exec-timeout 180
logging synchronous
exit
Change management access from HTTP to HTTPS (cannot be configured in the simulator)
no ip http server
ip http secure-server
ip http authentication local
Warning banner
banner motd /
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and
criminal penalties.
All activities performed on this device are logged and monitored./
NTP (cannot be configured in the simulator)
clock timezone TW +8
ntp server 118.163.81.61 source vlan 1
SYSLOG (reference: https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html)
service timestamps debug datetime msec
service timestamps log datetime msec
logging host 192.168.1.1
logging trap debugging
SNMP
snmp-server community public
! "public" is the well-known default community string; use a unique string (read-only where possible) on production switches
PortFast, BPDU Guard (interface configuration mode)
(config-if)#spanning-tree portfast
(config-if)#spanning-tree bpduguard enable
DHCP spoofing protection (DHCP snooping)
ip dhcp snooping
ip dhcp snooping vlan 1
interface fastEthernet 0/1
ip dhcp snooping trust
exit
ARP spoofing protection (Dynamic ARP Inspection; reference: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html)
ip arp inspection vlan 1
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
interface fastEthernet 0/1
ip arp inspection trust
exit
Loop Guard (cannot be configured in the simulator)
interface fastEthernet 0/1
spanning-tree guard loop
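The PortFast/BPDU Guard, DHCP snooping and Dynamic ARP Inspection sections above only pay off if someone reads the messages they produce. The script below is an added example, not part of the original post and not a Cisco tool: it parses IOS-style syslog lines (constructed here, modelled on the "%FACILITY-SEVERITY-MNEMONIC: text" format) and tags the ones that those protections emit, so the syslog host configured in the post (192.168.1.1) can turn them into a short triage list. The sample lines, interface names and MAC addresses are constructed for the example.

```python
"""Triage Cisco IOS syslog lines produced by the switch-port protections above.

Added example, not part of the original post. The log lines below are
constructed for this example, modelled on the IOS '%FACILITY-SEVERITY-MNEMONIC'
format; feed `triage` the lines your syslog host actually receives.
"""
import re
from collections import Counter

# Constructed sample log: five security-relevant lines and one routine link message.
SAMPLE_SYSLOG = """\
Mar  1 00:10:01.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/3 with BPDU Guard enabled. Disabling port.
Mar  1 00:10:01.456: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
Mar  1 00:12:44.001: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Mar  1 00:15:02.778: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([0011.2233.aaaa/192.168.1.50/0000.0000.0000/192.168.1.1/00:15:02 UTC Mon Mar 1 1993])
Mar  1 00:18:30.000: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Mar  1 00:20:00.000: %SYS-5-CONFIG_I: Configured from console by demoname on vty0 (192.168.1.20)
"""

# IOS message header: "%FACILITY-SEVERITY-MNEMONIC: text"
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
# Short and long interface names, e.g. Fa0/3, GigabitEthernet1/0/12
PORT_RE = re.compile(r"\b(?:Fa|Gi|Te|FastEthernet|GigabitEthernet|TenGigabitEthernet)\d+/\d+(?:/\d+)?\b")

# What each message means for the protections configured in the post.
MEANING = {
    ("SPANTREE", "BLOCK_BPDUGUARD"): "BPDU received on a PortFast edge port: a switch or bridge is behind a user port",
    ("PM", "ERR_DISABLE"): "port put into err-disabled state by a guard feature; needs a check before re-enabling",
    ("DHCP_SNOOPING", "DHCP_SNOOPING_UNTRUSTED_PORT"): "DHCP server reply on an untrusted port: rogue DHCP server",
    ("SW_DAI", "DHCP_SNOOPING_DENY"): "ARP packet failed Dynamic ARP Inspection: possible ARP spoofing",
    ("SYS", "CONFIG_I"): "configuration changed: confirm the session was authorised",
}

def parse_line(line):
    """Return the parsed header fields of one syslog line, or None if it has no IOS header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    port = PORT_RE.search(m.group("text"))
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "port": port.group(0) if port else None,
        "text": m.group("text"),
    }

def triage(log_text):
    """Return one record per security-relevant line, each with a plain-English meaning."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        meaning = MEANING.get((rec["facility"], rec["mnemonic"]))
        if meaning is None:
            continue  # routine message (link up/down etc.), not part of this checklist
        rec["meaning"] = meaning
        events.append(rec)
    return events

def ports_by_event(events):
    """Count events per (mnemonic, port) so a repeatedly offending port stands out."""
    return Counter((e["mnemonic"], e["port"]) for e in events)

if __name__ == "__main__":
    for e in triage(SAMPLE_SYSLOG):
        print(f"sev{e['severity']} {e['mnemonic']:<30} {e['port'] or '-':<16} {e['meaning']}")
```

The routine %LINK message is dropped on purpose; only mnemonics tied to the features in this post are kept, and the port field lets you map a finding straight back to the physical jack that needs a visit.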
Disable CDP (avoids CDP vulnerabilities)
no cdp run
Encrypt all plaintext passwords in the configuration
service password-encryption
Further items:
VLAN
Port-Security
Private VLAN (sub-grouping inside a VLAN; advanced use)
switchport block unicast | multicast (flood control)
ACL (block traffic in directions that should not be able to connect, e.g. inbound from the outside; allow only specific subnets to reach network devices for management)
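Once the checklist above has been applied to a few dozen switches, the practical question is which ones drifted. The script below is an added example, not part of the original post and not a Cisco tool: it parses the text of `show running-config` and reports which items from this post are missing (SSH-only vty lines, HTTP off and HTTPS on, a non-default SNMP community, password encryption, CDP off, DHCP snooping, DAI, a syslog host, and BPDU Guard on every PortFast port). The sample config is constructed for the example; the hostname, usernames and placeholder hashes are assumptions.

```python
"""Audit a Cisco IOS running-config against the checklist in this post.

Added example; it is not part of the original post and not a Cisco tool. The
sample config is constructed for the example; replace it with the output of
`show running-config` from a real switch.
"""
import re

# Constructed sample: a switch where only part of the checklist was applied.
SAMPLE_CONFIG = """\
hostname demo-switch-1
service timestamps log datetime msec
enable secret 5 $1$placeholder$hash
username demoname privilege 15 secret 5 $1$placeholder$hash
ip domain name demo.com
ip dhcp snooping
ip dhcp snooping vlan 1
no cdp run
snmp-server community public RO
ip http server
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}

def parse_config(config):
    """Split the config into its top-level lines and the indented body of each block."""
    top, blocks, current = set(), {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.add(current)
            blocks.setdefault(current, [])
    return top, blocks

def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_config(config)
    findings = []
    # Global settings from the post
    if "service password-encryption" not in top:
        findings.append("service password-encryption is not set")
    if "no cdp run" not in top:
        findings.append("CDP is still running")
    if "ip dhcp snooping" not in top:
        findings.append("DHCP snooping is not enabled")
    if not any(l.startswith("ip arp inspection vlan ") for l in top):
        findings.append("Dynamic ARP Inspection is not enabled on any VLAN")
    if not any(l.startswith("logging host ") for l in top):
        findings.append("no syslog host configured")
    if "no ip http server" not in top or "ip http secure-server" not in top:
        findings.append("plain HTTP management is on, or HTTPS is off")
    for l in top:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"well-known SNMP community string '{m.group(1)}'")
    # BPDU Guard may be enabled globally for all PortFast ports instead of per port
    global_bpduguard = "spanning-tree portfast bpduguard default" in top
    for header, body in blocks.items():
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: transport input is not SSH-only")
            if "login local" not in body and not any(b.startswith("login authentication") for b in body):
                findings.append(f"{header}: no login local / AAA login")
        if (header.startswith("interface ") and not global_bpduguard
                and "spanning-tree portfast" in body
                and "spanning-tree bpduguard enable" not in body):
            findings.append(f"{header}: PortFast without BPDU Guard")
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FAIL:", f)
```

Run it over a directory of saved configs and diff the output between weeks: a new finding on a switch that previously passed is exactly the "privately attached device" or forgotten change the introduction warns about.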
Tutorial video
https://www.youtube.com/watch?v=EGB2zzQ8tzM
References
https://nkongkimo.wordpress.com/category/ccnp-bcmsn-module-08/
https://www.jannet.hk/zh-Hant/post/dynamic-host-configuration-protocol-dhcp/