Switch Segmentation & Hardening

Configure VLAN segmentation, trunking, access port assignments, and enterprise-grade hardening to support a multi-VLAN OPNsense environment.

Tools Used

Steps Taken

  1. Created VLANs for all network segments (Management, Servers, Workstations, VirtualLab, IoT, Guest, AP Infrastructure, Blackhole, and reserved DMZ/VPN/Quarantine).
  2. Configured the 802.1Q trunk uplink to OPNsense with VLAN 99 as the native VLAN rather than the default VLAN 1, so untagged frames on the uplink never map to VLAN 1 (a standard mitigation for double-tagging VLAN hopping).
  3. Assigned access ports to their respective VLANs (Gi1/0/1–26).
  4. Configured the management SVI on VLAN 10 with a static IP.
  5. Enabled PortFast and BPDU Guard on all access ports, so an edge port that receives a BPDU (for example from a rogue switch plugged into a user port) is placed into err-disabled instead of joining the spanning tree.
  6. Enabled storm control for broadcast, multicast, and unicast protection.
  7. Enabled LLDP for device visibility.
  8. Shut down unused ports (Gi1/0/27–47) and labeled them accordingly.
  9. Restricted SSH access to the management VLAN (VLAN 10) by applying the MGMT_ONLY standard ACL inbound on the VTY lines.
  10. Disabled the plaintext HTTP management server and enabled HTTPS only.
  11. Saved configuration to startup-config.
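The steps above are easy to apply and just as easy to leave half-finished on one port, so a useful companion is a script that audits the running-config for them. The following is an added example (not part of the original lab and not the lab's actual configuration): a small Python audit that parses an IOS-style config and reports any switchport or line that misses a hardening item. The embedded config excerpt is constructed for the example; VLAN 10 as management, native VLAN 99, the MGMT_ONLY ACL and the Gi1/0/48 trunk follow the page, while the IP addresses, storm-control thresholds and the other VLAN IDs are assumptions. It also checks two items beyond the listed steps (pruning the trunk's allowed VLAN list and restricting VTY transport to SSH). Two ports in the sample are deliberately left incomplete so the audit has something to report.

```python
# Constructed IOS running-config excerpt (assumption: not the lab's real config).
# Gi1/0/2 lacks BPDU Guard and two storm-control types; Gi1/0/28 is not shut down.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control unicast level 1.00
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/27
 description UNUSED
 shutdown
!
interface GigabitEthernet1/0/28
 description UNUSED
!
interface GigabitEthernet1/0/48
 description Uplink to OPNsense
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60,70,99
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
ip access-list standard MGMT_ONLY
 permit 10.0.10.0 0.0.0.255
 deny any log
!
no ip http server
ip http secure-server
!
line vty 0 15
 access-class MGMT_ONLY in
 transport input ssh
"""

BLOCK_PREFIXES = ("interface ", "line ", "ip access-list ")
STORM_TYPES = ("broadcast", "multicast", "unicast")


def parse_blocks(config):
    """Split an IOS config into {header: [indented lines]} plus the global lines."""
    blocks, global_lines, current = {}, [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # "!" ends the current block
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif line.startswith(BLOCK_PREFIXES):
            current = line.strip()
            blocks[current] = []
        else:
            current = None
            global_lines.append(line.strip())
    return blocks, global_lines


def audit(config, mgmt_acl="MGMT_ONLY"):
    """Return a list of hardening findings; an empty list means the config passes."""
    blocks, global_lines = parse_blocks(config)
    findings = []
    for header, lines in blocks.items():
        if not header.startswith("interface ") or header.startswith("interface Vlan"):
            continue                            # physical switchports only, not SVIs
        iface = header.split(" ", 1)[1]
        mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
        if mode == "trunk":
            native = next((int(ln.split()[-1]) for ln in lines
                           if ln.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append(f"{iface}: native VLAN is 1; use a dedicated unused VLAN")
            if not any(ln.startswith("switchport trunk allowed vlan ") for ln in lines):
                findings.append(f"{iface}: trunk carries all VLANs; prune the allowed list")
        elif mode == "access":
            if not any(ln.startswith("spanning-tree portfast") for ln in lines):
                findings.append(f"{iface}: PortFast missing")
            if "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{iface}: BPDU Guard missing")
            for kind in STORM_TYPES:
                if not any(ln.startswith(f"storm-control {kind} level") for ln in lines):
                    findings.append(f"{iface}: storm-control {kind} missing")
        elif "shutdown" not in lines:           # no switchport mode at all: must be shut
            findings.append(f"{iface}: unused port not shut down")
    vty = [ln for h, ls in blocks.items() if h.startswith("line vty") for ln in ls]
    if f"access-class {mgmt_acl} in" not in vty:
        findings.append(f"vty: {mgmt_acl} not applied inbound")
    if "transport input ssh" not in vty:
        findings.append("vty: transport input not restricted to ssh")
    if "no ip http server" not in global_lines:
        findings.append("global: plaintext HTTP server still enabled")
    if "ip http secure-server" not in global_lines:
        findings.append("global: HTTPS server not enabled")
    return findings
```

Run `audit()` over the output of `show running-config` (for example pasted from the SSH session) and treat any non-empty result as a failed check; on the constructed sample it reports four findings, three for Gi1/0/2 and one for Gi1/0/28, and nothing for the trunk, the VTY lines or the HTTP settings. The parser only understands the IOS indentation convention used in the sample, which is all a compliance check of this kind needs.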

Screenshot: VLAN Table

VLAN table showing segmentation and port assignments.

Screenshot: Trunk Status

Trunk configuration on Gi1/0/48.

Screenshot: Interface Status

Interface status overview: active ports, shutdown ports, and descriptions.

Screenshot: Management SVI

VLAN 10 SVI with the management IP.

Screenshot: SSH Access Restriction

MGMT_ONLY ACL applied to the VTY lines, restricting SSH access.

Screenshot: Hardening Configuration

BPDU Guard, PortFast, and storm control applied to access ports.

Network Diagram

Logical diagram of VLANs, switch, and OPNsense firewall.

Outcome

The switch is fully segmented and hardened, supporting a multi-VLAN architecture with secure management access, protected access ports, and a validated trunk to OPNsense. This establishes a strong foundation for subsequent labs involving DHCP, firewall rules, and inter-VLAN communication.