Version 4.1 - 6.2 Switch security features
The information for this section can be found in a few places (versus the convenient one-site router hardening). The first doc that I found for this is Layer 2 Security Features on Catalyst L3 Switches. This doc covers CAM Table Overflow, MAC Address Spoofing, ARP Spoofing and DHCP Starvation. It also covers Port Security, DHCP Snooping, DAI (Dynamic Arp Inspection) and IP Source Guard.
Another doc is the Cat 2960-X Switch Security Configuration Guide, which covers Storm Control, Protected Ports, Port Blocking, Port Security and Protocol Storm Protection. Port Security should be something you know inside out.
Protocol Storm Protection
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These issues can occur:
+++ Routing protocol can flap because the protocol control packets are not received, and neighboring adjacencies are dropped.
+++ Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot be sent or received.
+++ CLI is slow or unresponsive.
Using protocol storm protection, you can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.
Another helpful site is Network Security Baseline - Switching Infrastructure. This site covers Restricting Broadcast Domains, STP Security and VLAN Best Common Practices.
In addition to the TrustSec material mentioned in previous sections, you may also want to check out Cisco's TrustSec 3.0 How-To Guide: Introduction to MACSec and NDAC.
And although discussed previously, here's another Cisco doc - NEAT Configuration Example with Cisco ISE.
Although there are multiple sites needed to gather this information together, I think that covers all the topics referred to by this section. Fortunately most of these elements have been included in the R/S track, so I know this pretty thoroughly. The TrustSec information was something included in the SISAS material - so that's pretty solid and fresh in my mind.