NETWORK HARDENING · LEVEL 1 · STUDY LEARNING

Vendor-neutral switch hardening for security integrators (BETA)

The dozen settings that turn a shipped-with-defaults switch into a production-hardened one. Vendor-neutral principles with Cisco-style syntax for illustration. The dedicated vendor courses (Cisco IOS, ALE OmniSwitch, Aruba CX, Juniper EX) cover the platform-specific syntax. Animated demos throughout. Free.

What you will learn

Eight animated CLI demos walk through what an attacker actually does on an unhardened switch, and what each defense looks like on the wire. By the end you have a vendor-agnostic hardening checklist you can run against any switch in any environment.

The CLI demos use Cisco-style syntax as the most widely recognized illustration. The principles map cleanly to ALE OmniSwitch, Aruba CX, and Juniper EX; the dedicated vendor courses cover platform-specific syntax. Example VLAN schemes are illustrative — adapt to whatever scheme your customer already runs.

Course outline

PART 01

Why Harden

The threat model. What an attacker sees on an unhardened switch (tcpdump catching Telnet creds, nmap mapping the management plane). What production-ready actually means.

3 lessons

PART 02

Segmentation

VLAN separation for cameras, access control, management, and user networks. Access vs trunk discipline. The blackhole VLAN for unused ports. Example scheme to adapt. Includes a checkpoint.

3 lessons + checkpoint

PART 03

Management Plane

Out-of-band vs in-band. SSH and HTTPS, killing cleartext (Telnet, HTTP). AAA via RADIUS or TACACS+. Legal banners. The console-cable rule.

4 lessons

PART 04

Data Plane Protections

Port security with sticky MAC, BPDU guard / root guard / portfast, DHCP snooping, Dynamic ARP Inspection, storm control. The protections that catch the rogue user-installed mini-switch. Includes a checkpoint.

4 lessons + checkpoint

PART 05

Observability

Centralized syslog (TLS where supported), SNMP v3, and the NTP discipline that makes log correlation and the evidentiary chain actually defendable.

3 lessons

PART 06

Operational Hardening

Firmware patching cadence, credential management, configuration backups. The habits that keep the hardening in place. Final checklist consolidates everything across vendors.

3 lessons + final assessment

Who this is for

  • Security integrators who deploy switches on physical security networks and want the hardening discipline before the platform-specific syntax.
  • IT generalists moving from workstation work to network deployment.
  • Practitioners studying for CCNA, AOS-CX, or JNCIA who want a vendor-neutral reinforcement of the security side.
  • Auditors and reviewers who want to understand what the integrator should be doing.

Course details

  • Level: Level 1 (beginner)
  • Length: ~80 minutes
  • Lessons: 20 across 6 parts
  • Knowledge checks: 8 total (2 per checkpoint, 4 in the final)
  • CLI animations: 8 scripts (tcpdump, nmap, port-security, BPDU guard, DHCP snooping, ntpq, syslog, SSH fingerprint)
  • Cost: Free
  • Author: Hans Study
  • Status: BETA

Ready to start?

The course opens at lesson 01 and steps through all 20 lessons in order. Use the prev / next buttons or arrow keys to move between lessons. Score is tracked on the bottom bar and a completion certificate appears at the end.
