Scenarios & Selection
Chapter 3 — Core Switch Security Hardening Design Guide
Core switch security hardening is not a one-size-fits-all discipline. The appropriate depth, scope, and specific controls depend heavily on the deployment scenario—the network type, business criticality, regulatory environment, threat model, and operational constraints. This chapter presents eight representative deployment scenarios, each with a real-world context, key technical parameters, selection criteria, and recommended hardening profile. Understanding which scenario most closely matches your environment is the first step in scoping the hardening effort correctly.
Each scenario is characterized by a set of primary technical indicators: throughput requirements, redundancy model, routing protocol complexity, management model, compliance requirements, and the dominant threat vectors. These indicators drive the selection of hardening depth (Baseline, Enhanced, or Advanced) and the prioritization of specific controls within each hardening domain.
Scenario 1: Hyperscale Data Center Core
Scenario Description
Large-scale data center environments operating spine-leaf or core/aggregation topologies with modular chassis switches (e.g., 400G/800G-capable platforms). These environments typically run BGP as the underlay routing protocol with ECMP for load balancing, and may use VXLAN/EVPN for overlay segmentation. The primary security concerns are control plane stability under high-volume traffic conditions, unauthorized management access, and configuration drift across large device counts.
| Technical Indicator | Specification |
|---|---|
| Switching Capacity | 400 Tbps+ per chassis; 400G/800G interfaces |
| Routing Protocol | BGP (iBGP/eBGP), ECMP, VXLAN/EVPN overlay |
| Redundancy Model | Dual spine planes; MLAG or multi-chassis LAG to leaf |
| Management Model | Dedicated OOB network; automation-driven config management (Ansible/Terraform) |
| CoPP Priority | BGP session protection; BFD stability; ICMP rate limiting |
| Compliance | SOC 2, ISO 27001, internal security policy |
| Hardening Profile | Enhanced to Advanced; GitOps config management; streaming telemetry |
| Primary Threat Vectors | BGP route injection, control plane flooding, unauthorized API access, config drift |
Scenario 2: Enterprise Campus Core
Scenario Description
University or enterprise campus networks with a collapsed or dual-core design, aggregating building distribution switches and providing L3 gateway services for campus VLANs. These environments typically run OSPF or EIGRP as the routing protocol, with STP for L2 redundancy at the distribution layer. The primary security concerns are unauthorized VLAN access, STP topology manipulation, rogue DHCP servers, and management access from campus workstations.
| Technical Indicator | Specification |
|---|---|
| Switching Capacity | 10–100 Tbps; 10G/25G/100G uplinks |
| Routing Protocol | OSPF or EIGRP; SVI-based L3 gateway for campus VLANs |
| Redundancy Model | Dual core with MLAG or VSS/VSF stacking |
| Management Model | OOB or dedicated management VLAN; jump host preferred |
| L2 Hardening Priority | BPDU Guard, Root Guard, DHCP Snooping, DAI on all access-facing trunks |
| Compliance | Internal IT policy; FERPA (education); NIST CSF |
| Hardening Profile | Baseline to Enhanced; focus on L2 protections and AAA |
| Primary Threat Vectors | Rogue switch insertion, ARP spoofing, unauthorized VLAN access, management plane exposure |
Scenario 3: Financial Services Critical Business Network
Scenario Description
Banking, trading, or financial services environments where network availability directly impacts revenue and regulatory compliance. These environments require the highest levels of redundancy, the most stringent access controls, and comprehensive audit trails. Every configuration change must be approved, logged, and reversible. The primary security concerns are unauthorized access, configuration tampering, and any control plane disruption that could affect trading systems or payment processing.
| Technical Indicator | Specification |
|---|---|
| Availability Target | 99.999% (five nines); <1 minute annual downtime |
| Redundancy Model | Dual active/active core; dual power feeds from separate PDUs; dual supervisors |
| Change Management | 4-eyes approval; maintenance window required; automated rollback on failure |
| AAA Requirement | TACACS+ with command authorization; MFA mandatory; session recording |
| Audit Requirements | All commands logged; config change alerts to SOC; 12-month log retention |
| Compliance | PCI-DSS, SOX, SWIFT CSP, local financial regulator requirements |
| Hardening Profile | Advanced; all eight domains at maximum depth; quarterly penetration testing |
| Primary Threat Vectors | Insider threat, supply chain compromise, APT targeting financial infrastructure |
Scenario 4: Government and Critical Infrastructure
Scenario Description
Government agencies, defense networks, and critical national infrastructure (CNI) operators where network security is a national security matter. These environments may require TEMPEST-rated equipment, air-gap segments, physical port blocking, and compliance with government-specific security frameworks. The hardening baseline must align with graded protection requirements and may require formal security assessment and certification.
| Technical Indicator | Specification |
|---|---|
| Physical Security | Biometric access, CCTV, tamper-evident seals, port blockers, cable locks |
| Network Segmentation | Hard air gaps or one-way data diodes between classification levels |
| Cryptographic Requirements | Government-approved algorithms; MACsec for sensitive links; PKI with government CA |
| Management Model | Dedicated classified management network; no internet-connected management paths |
| Audit Requirements | Real-time SIEM with government-approved platform; immutable log storage; chain of custody |
| Compliance | MLPS (China), FISMA/FedRAMP (US), NCSC Cyber Essentials Plus (UK), ISO 27001 |
| Hardening Profile | Advanced + government-specific controls; formal security assessment required |
| Primary Threat Vectors | Nation-state APT, insider threat, supply chain compromise, physical tampering |
Scenario 5: Manufacturing and Industrial OT/IT Convergence
Scenario Description
Smart manufacturing environments where IT and OT networks are converging to enable Industry 4.0 capabilities. The core switch sits at the IT/OT boundary, enforcing strict segmentation between the production network (SCADA, PLCs, industrial controllers) and the enterprise IT network. Any security failure at this boundary can impact production safety, product quality, and regulatory compliance for industrial control systems.
| Technical Indicator | Specification |
|---|---|
| Segmentation Model | Strict VLAN/VRF separation between OT and IT; firewall at demarcation zone |
| OT Protocol Awareness | Deep packet inspection for Modbus/DNP3/EtherNet/IP at demarcation firewall |
| Availability Priority | Production continuity over security patching; maintenance windows aligned with production schedules |
| Change Management | Extended approval process; OT safety review required for any change affecting production VLANs |
| Monitoring | Separate OT security monitoring (Claroty/Dragos/Nozomi) integrated with IT SIEM |
| Compliance | IEC 62443, NERC CIP (energy sector), ISA/IEC standards |
| Hardening Profile | Enhanced; focus on segmentation enforcement and change management rigor |
| Primary Threat Vectors | Lateral movement from IT to OT, ransomware targeting production systems, supply chain attacks |
Scenario 6: Healthcare Network
Scenario Description
Hospital and healthcare system networks connecting clinical systems (PACS, EMR, medical devices, infusion pumps) with administrative and guest networks. Patient data protection and medical device availability are the primary concerns. The core switch must enforce strict segmentation between clinical, administrative, and guest networks while maintaining the high availability required for life-critical systems. Medical device networks often cannot be patched or hardened directly, making the core switch the primary enforcement point.
| Technical Indicator | Specification |
|---|---|
| Network Segmentation | Separate VLANs/VRFs for clinical, administrative, guest, and medical device networks |
| Medical Device Constraints | Many devices cannot be patched; core switch ACLs provide compensating controls |
| Availability Priority | Clinical network availability is life-critical; security changes require clinical impact assessment |
| Wireless Integration | Medical-grade wireless (802.11ax) with separate SSIDs per network segment |
| Audit Requirements | PHI access logging; 6-year log retention; breach notification capability |
| Compliance | HIPAA/HITECH, NIST SP 800-66, FDA cybersecurity guidance for medical devices |
| Hardening Profile | Enhanced; focus on segmentation, access control, and PHI audit trail |
| Primary Threat Vectors | Ransomware targeting clinical systems, medical device exploitation, PHI exfiltration |
Scenario 7: Cloud Service Provider / Multi-Tenant Data Center
Scenario Description
Colocation facilities and cloud service providers hosting multiple customers on shared infrastructure. The core switch must enforce strict tenant isolation using VRF, VLAN, and ACL controls while providing high-performance forwarding for all tenants simultaneously. Any security failure that allows cross-tenant traffic leakage is a critical incident with contractual and regulatory consequences. The management plane must be strictly isolated from tenant networks.
| Technical Indicator | Specification |
|---|---|
| Tenant Isolation | Per-tenant VRF with no route leakage; ACL enforcement at all tenant handoff points |
| Routing Scale | Full Internet routing table (900K+ routes) for transit/peering tenants; TCAM planning critical |
| BGP Security | BGP RPKI for route origin validation; prefix filtering; GTSM on eBGP sessions |
| Management Isolation | Management VRF completely isolated from all tenant VRFs; no route leakage possible |
| Audit Requirements | Per-tenant security event logging; tenant-accessible compliance reports; SLA evidence |
| Compliance | SOC 2 Type II, ISO 27001, PCI-DSS (for payment-processing tenants), CSA STAR |
| Hardening Profile | Advanced; focus on tenant isolation verification and BGP security |
| Primary Threat Vectors | Cross-tenant traffic leakage, BGP route hijacking, management plane compromise affecting all tenants |
Scenario 8: WAN Hub and Branch Aggregation
Scenario Description
Enterprise WAN hub sites or regional headquarters where the core switch aggregates multiple WAN links (MPLS, SD-WAN, internet) and provides routing to branch offices. These environments face unique security challenges because the WAN interfaces are exposed to provider networks and potentially the internet, making BGP security, prefix filtering, and control plane protection especially critical. The OOB management path is particularly important because WAN link failures can isolate the device from in-band management.
| Technical Indicator | Specification |
|---|---|
| WAN Link Types | MPLS (primary), SD-WAN (secondary), internet (tertiary/backup) |
| Routing Protocol | BGP for WAN; OSPF/EIGRP for LAN; route redistribution with prefix filtering |
| BGP Security | MD5/SHA authentication on all BGP sessions; prefix filtering; max-prefix limits |
| OOB Management | 4G/LTE OOB management for emergency access when all WAN links fail |
| CoPP Priority | BGP session protection; prevent CPU exhaustion from WAN-sourced traffic |
| Compliance | Internal IT policy; industry-specific requirements for branch operations |
| Hardening Profile | Enhanced; focus on BGP security, WAN interface hardening, and OOB management |
| Primary Threat Vectors | BGP route injection from provider, WAN-sourced control plane attacks, management lockout during WAN failure |
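As an added example (not part of this guide), the following Python audit parses a constructed IOS-style `router bgp` block and reports, per neighbor, which of the session controls named in the Scenario 7 table (GTSM) and the Scenario 8 table (session authentication, inbound and outbound prefix filtering, maximum-prefix limits) are missing. The Cisco-like syntax, the neighbor addresses and the `ao` keyword for TCP-AO are assumptions, and the sample configuration is constructed for illustration.

```python
import re

# Constructed IOS-style BGP fragment (assumption: Cisco-like syntax).
# 203.0.113.1 carries every control; 198.51.100.9 is deliberately incomplete.
SAMPLE_CONFIG = """
router bgp 65001
 neighbor 203.0.113.1 remote-as 65010
 neighbor 203.0.113.1 password EXAMPLE-SECRET-PLACEHOLDER
 neighbor 203.0.113.1 ttl-security hops 1
 neighbor 203.0.113.1 prefix-list FROM-PROVIDER in
 neighbor 203.0.113.1 prefix-list TO-PROVIDER out
 neighbor 203.0.113.1 maximum-prefix 1000 80 restart 5
 neighbor 198.51.100.9 remote-as 65020
 neighbor 198.51.100.9 prefix-list FROM-SDWAN in
"""

# Control name -> pattern matched against the text after "neighbor <addr> ".
# "ao" (TCP Authentication Option) is assumed as the keyword on platforms
# that support it; "password" covers MD5/SHA session authentication.
REQUIRED = {
    "auth": re.compile(r"^(password|ao) "),
    "gtsm": re.compile(r"^ttl-security hops 1$"),       # eBGP peers directly connected
    "prefix_in": re.compile(r"^prefix-list \S+ in$"),
    "prefix_out": re.compile(r"^prefix-list \S+ out$"),
    "max_prefix": re.compile(r"^maximum-prefix \d+"),
}


def parse_neighbors(config):
    """Group the 'neighbor <addr> ...' statements of a BGP block by address."""
    neighbors = {}
    for line in config.splitlines():
        m = re.match(r"\s*neighbor (\S+) (.*)$", line)
        if m:
            neighbors.setdefault(m.group(1), []).append(m.group(2).strip())
    return neighbors


def audit_bgp(config):
    """Return {neighbor: [missing control names]}; an empty list is compliant."""
    findings = {}
    for addr, stmts in parse_neighbors(config).items():
        findings[addr] = [name for name, rx in REQUIRED.items()
                          if not any(rx.search(s) for s in stmts)]
    return findings


if __name__ == "__main__":
    for addr, missing in audit_bgp(SAMPLE_CONFIG).items():
        print(f"{addr}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Running the same audit over a live `show running-config` export is the natural way to turn the scenario tables into a repeatable compliance check rather than a one-time review.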
3.9 Scenario-to-Hardening Profile Mapping
The following table provides a consolidated mapping from deployment scenario to recommended hardening profile, priority domains, and key selection criteria. Use this table as a starting point for scoping the hardening effort for your specific environment.
| Scenario | Hardening Profile | Priority Domains | Key Selection Criteria |
|---|---|---|---|
| Hyperscale Data Center | Enhanced–Advanced | CoPP, Config Lifecycle, HA Consistency | BGP scale, automation integration, streaming telemetry |
| Enterprise Campus | Baseline–Enhanced | L2 Hardening, AAA, Mgmt Access | VLAN count, STP topology, user density |
| Financial Services | Advanced | All 8 domains at maximum depth | Availability SLA, compliance framework, audit requirements |
| Government/CNI | Advanced + Gov-specific | Physical security, Cryptography, Segmentation | Classification level, government framework, formal assessment |
| Manufacturing OT/IT | Enhanced | Segmentation, Change Management, OT awareness | OT protocol types, production impact tolerance, IEC 62443 |
| Healthcare | Enhanced | Segmentation, Access Control, PHI Audit | Medical device constraints, HIPAA requirements, clinical impact |
| Cloud/Multi-Tenant | Advanced | Tenant Isolation, BGP Security, Mgmt Isolation | Tenant count, routing scale, SLA requirements |
| WAN Hub/Branch | Enhanced | BGP Security, CoPP, OOB Management | WAN link types, branch count, OOB availability |