11.6.4 Module Quiz – Switch Security Configuration
Switch security configuration is a cornerstone of modern network design. With the proliferation of mobile devices, cloud services, and IoT endpoints, an attacker's first foothold is often a compromised port on a switch. That is why the 11.6.4 module quiz focuses on the practical aspects of securing switch ports, MAC address tables, and VLAN segregation. Below is a thorough walkthrough of the key concepts, configuration steps, and best practices that will help you master this topic and pass the quiz.
Introduction
Switches are the backbone of any enterprise LAN, yet they are also a prime target for attackers. In practice, a misconfigured port can let an intruder inject traffic, sniff sensitive data, or launch a denial-of-service attack. That is why the 11.6.4 quiz tests your understanding of port security, VLAN protection, dynamic ARP inspection, and secure management access. By mastering these concepts, you'll not only pass the quiz but also harden your network against real-world threats.
1. Port Security Fundamentals
1.1 What Is Port Security?
Port security limits which devices can connect to a switch port. It can:
- Restrict the number of MAC addresses per port
- Enforce static or dynamic MAC address binding
- Define actions (shutdown, restrict, or protect) when violations occur
1.2 Key Configuration Commands
| Feature | Command | Example |
|---|---|---|
| Enable port security | `switchport port-security` | `switchport port-security` |
| Maximum MAC addresses | `switchport port-security maximum <n>` | `switchport port-security maximum 2` |
| Violation mode | `switchport port-security violation {shutdown \| restrict \| protect}` | `switchport port-security violation restrict` |
| Static MAC | `switchport port-security mac-address <mac>` | `switchport port-security mac-address 00a0.c6b0.3f45` |
| Dynamic sticky | `switchport port-security mac-address sticky` | `switchport port-security mac-address sticky` |
1.3 Violation Modes Explained
| Mode | Action | Use Case |
|---|---|---|
| Shutdown | Port is disabled; requires manual re‑enable | High‑risk environments |
| Restrict | Port remains up but drops packets from unauthorized MACs | Balanced security vs. availability |
| Protect | Port stays up and silently drops offending packets | Least disruptive, but less visible |
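The three modes are easiest to compare by sending the same frames through a port configured in each mode. The following Python model is an added example for this guide, not Cisco code: `SecurePort`, `run_scenario` and the MAC addresses are constructed for illustration, and the syslog strings only approximate the wording IOS uses. It follows the table above: frames from secure MACs pass, learning stops at the configured maximum, and the violation mode decides whether the port is err-disabled, drops and counts the frame, or drops it without leaving any trace.

```python
"""Toy model of a port-secured access port (added example, not IOS code).

Mirrors the violation-mode table: once the secure-MAC limit is reached,
'shutdown' err-disables the port, 'restrict' drops, counts and logs,
'protect' drops silently. Input MACs are constructed sample values.
"""
from dataclasses import dataclass, field

VALID_MODES = ("shutdown", "restrict", "protect")


@dataclass
class SecurePort:
    name: str = "GigabitEthernet0/1"
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # switchport port-security violation ...
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)   # static + learned, in learning order
    static_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in VALID_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def add_static(self, mac: str) -> None:
        """'switchport port-security mac-address <mac>'; refused once the maximum is reached."""
        if mac in self.secure_macs:
            return
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("secure MAC limit reached; raise 'maximum' first")
        self.secure_macs.append(mac)
        self.static_macs.add(mac)

    def ingress(self, mac: str) -> bool:
        """Process one inbound frame from source `mac`; True if it is forwarded."""
        if self.err_disabled:
            return False             # nothing passes until an admin re-enables the port
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)   # dynamic learning (sticky: also kept in running-config)
            return True
        return self._violation(mac)

    def _violation(self, mac: str) -> bool:
        if self.violation == "protect":
            return False             # dropped silently: no counter, no log, no trap
        self.violation_count += 1
        # approximate wording of the IOS message, for illustration only
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{self.name}, putting {self.name} in err-disable state")
        return False

    def running_config(self) -> list[str]:
        """Interface lines as they would appear after learning."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac in self.secure_macs:
            if mac in self.static_macs:
                lines.append(f" switchport port-security mac-address {mac}")
            elif self.sticky:
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


def run_scenario(mode: str, frames: list[str], maximum: int = 1) -> dict:
    """Replay constructed frames through a port in `mode` and summarise the outcome."""
    port = SecurePort(maximum=maximum, violation=mode)
    forwarded = [m for m in frames if port.ingress(m)]
    return {"forwarded": forwarded, "dropped": len(frames) - len(forwarded),
            "violations": port.violation_count, "err_disabled": port.err_disabled,
            "log_lines": len(port.syslog)}


if __name__ == "__main__":
    sample = ["00a0.c6b0.3f45", "00a0.c6b0.3f45", "dead.beef.0001", "00a0.c6b0.3f45"]
    for mode in VALID_MODES:
        print(mode, run_scenario(mode, sample))
```

Running the script replays one legitimate host, one rogue host and the legitimate host again: in shutdown mode the last legitimate frame is also lost because the port is err-disabled, in restrict mode it is forwarded and the rogue frame is logged, and in protect mode nothing is logged at all, which is exactly why protect gives the least visibility.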
2. VLAN Segmentation and Security
2.1 Why VLANs Matter
VLANs isolate broadcast domains, limiting the spread of traffic. Proper VLAN design prevents lateral movement by attackers.
2.2 Common VLAN Misconfigurations
- VLAN hopping: when a port is misconfigured so that frames carrying two VLAN tags are accepted.
- Over-permissive trunks: allowing all VLANs on a trunk without pruning the allowed list.
- Native VLAN mismatch: Different native VLANs on connected switches can lead to data leakage.
2.3 Secure Trunk Configuration
```
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
```
- Only allow necessary VLANs (`allowed vlan`).
- Set a unique native VLAN (`native vlan`) to avoid untagged traffic leakage.
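The two trunk rules above (prune the allowed list, use a dedicated native VLAN) and the native-VLAN-mismatch pitfall can be checked offline against saved running-configs. The script below is an added example written for this guide, not a Cisco tool; `SAMPLE_SWITCH_A` and `SAMPLE_SWITCH_B` are constructed configs, and `parse_interfaces` is a minimal stanza splitter that assumes IOS-style indentation (sub-commands indented by one space, stanzas ended by `!` or a global command).

```python
"""Audit trunk ports in saved IOS running-configs (added example, not Cisco tooling).

Checks that every trunk prunes its allowed-VLAN list and uses a dedicated
native VLAN, and compares the native VLAN on both ends of a link.
The SAMPLE_* configs are constructed for illustration.
"""
import re

SAMPLE_SWITCH_A = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
"""

SAMPLE_SWITCH_B = """\
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 1
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface name: [stripped sub-commands]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None               # '!' or a global command ends the stanza
    return interfaces


def native_vlan(sub_commands: list[str]) -> int:
    """Configured native VLAN, or the IOS default of 1 when the line is absent."""
    for line in sub_commands:
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            return int(m.group(1))
    return 1


def audit_trunks(config: str) -> dict[str, list[str]]:
    """Return {trunk interface: [issues]} for trunks that break the rules above."""
    interfaces = parse_interfaces(config)
    access_vlans = set()
    for lines in interfaces.values():
        for line in lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access_vlans.add(int(m.group(1)))
    findings: dict[str, list[str]] = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" not in lines:
            continue
        issues = []
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            issues.append("allowed VLAN list not pruned (all VLANs cross this trunk)")
        native = native_vlan(lines)
        if native == 1:
            issues.append("native VLAN is the default VLAN 1")
        elif native in access_vlans:
            issues.append(f"native VLAN {native} is also an access VLAN: untagged frames land in user traffic")
        if issues:
            findings[name] = issues
    return findings


def link_native_mismatch(config_a: str, iface_a: str, config_b: str, iface_b: str) -> bool:
    """True when the two ends of a trunk disagree on the native VLAN."""
    a = native_vlan(parse_interfaces(config_a).get(iface_a, []))
    b = native_vlan(parse_interfaces(config_b).get(iface_b, []))
    return a != b


if __name__ == "__main__":
    for iface, issues in audit_trunks(SAMPLE_SWITCH_A).items():
        print(iface, issues)
    print("native VLAN mismatch Gi0/1 <-> Gi0/24:",
          link_native_mismatch(SAMPLE_SWITCH_A, "GigabitEthernet0/1",
                               SAMPLE_SWITCH_B, "GigabitEthernet0/24"))
```

On the constructed input, `GigabitEthernet0/2` is reported twice (no pruning, default native VLAN) while `GigabitEthernet0/1` is clean, and the link check flags the mismatch between native VLAN 99 on switch A and VLAN 1 on switch B, the situation that leads to untagged traffic leaking between VLANs.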
3. Dynamic ARP Inspection (DAI)
3.1 What Is DAI?
DAI validates ARP packets against a trusted database (typically DHCP snooping bindings) to prevent ARP spoofing.
3.2 Enabling DAI
```
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 5
!
ip arp inspection vlan 10,20,30
```
- `ip dhcp snooping limit rate`: caps the DHCP packets per second accepted on the port, preventing DHCP starvation.
- `ip arp inspection vlan`: activates DAI on the specified VLANs.
3.3 Common Pitfalls
- Forgetting to enable DHCP snooping on all ports that receive DHCP.
- Allowing all VLANs on a trunk without DAI filtering.
- Not configuring the correct native VLAN.
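Because DAI validates against the DHCP snooping binding table, the snooping and DAI VLAN lists have to line up, and every VLAN a trunk carries needs DAI as well. The script below, an added example for this guide rather than Cisco tooling, checks those three relationships in a saved IOS config. `GOOD_CONFIG` and `BAD_CONFIG` are constructed; `expand_vlans` handles the `10,20,30` and `10-12` list syntax IOS accepts on these commands.

```python
"""Check that DAI has a DHCP snooping binding table behind it (added example, not Cisco tooling).

Flags the pitfalls listed above: DAI enabled without global DHCP snooping,
DAI VLANs that snooping does not cover, and VLANs allowed on a trunk that
DAI does not inspect. Sample configs are constructed.
"""
import re

GOOD_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
ip arp inspection vlan 10,20,30
"""

BAD_CONFIG = """\
ip dhcp snooping vlan 10
ip arp inspection vlan 10-12,30
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""


def expand_vlans(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '10-12,20' into {10, 11, 12, 20}."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_dai(config: str) -> list[str]:
    """Return findings; an empty list means DAI is consistently backed by snooping."""
    lines = [line.strip() for line in config.splitlines()]
    snooping_enabled = "ip dhcp snooping" in lines        # the exact global command
    snooping_vlans: set[int] = set()
    dai_vlans: set[int] = set()
    trunk_vlans: set[int] = set()
    for line in lines:
        m = re.fullmatch(r"ip dhcp snooping vlan (\S+)", line)
        if m:
            snooping_vlans |= expand_vlans(m.group(1))
        m = re.fullmatch(r"ip arp inspection vlan (\S+)", line)
        if m:
            dai_vlans |= expand_vlans(m.group(1))
        # numeric allowed lists only; 'all', 'add', 'except' forms are left for manual review
        m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line)
        if m:
            trunk_vlans |= expand_vlans(m.group(1))

    findings: list[str] = []
    if dai_vlans and not snooping_enabled:
        findings.append("DAI is configured but 'ip dhcp snooping' is not enabled globally: "
                        "there is no binding table to validate ARP against")
    missing = dai_vlans - snooping_vlans
    if missing:
        findings.append(f"DAI VLANs without DHCP snooping: {sorted(missing)}")
    unprotected = trunk_vlans - dai_vlans
    if unprotected:
        findings.append(f"VLANs carried on trunks without DAI: {sorted(unprotected)}")
    return findings


if __name__ == "__main__":
    print("good:", audit_dai(GOOD_CONFIG))
    print("bad:", audit_dai(BAD_CONFIG))
```

The good config (the one from section 3.2) produces no findings; the bad one produces three, one for each pitfall in the list above.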
4. Secure Management Access
4.1 SSH vs. Telnet
Telnet transmits credentials in plain text, while SSH encrypts traffic. Always disable Telnet on switches.
```
line vty 0 4
 transport input ssh
 login local
```
4.2 AAA Configuration
```
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa accounting exec default start-stop group radius
```
- Local authentication for simplicity.
- RADIUS/TACACS+ for centralized policy enforcement.
4.3 SNMP Security
```
snmp-server community public RO
snmp-server community private RW
```
The community strings above are the well-known defaults; replace them with secure, unique values. Prefer SNMPv3 with authentication and encryption.
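The three management-plane checks in this section (Telnet still accepted on the vty lines, AAA not enabled, default or read-write SNMP communities without an SNMPv3 group) can be run against a saved config in one pass. The script below is an added example for this guide and not a Cisco tool; `WEAK_CONFIG` and `HARDENED_CONFIG` are constructed, and the vty check simply looks at every `transport input` line rather than tracking which `line` stanza it belongs to.

```python
"""Audit management-plane settings in a saved IOS config (added example, not Cisco tooling).

Flags vty lines that still accept Telnet, a missing 'aaa new-model', and
SNMP v1/v2c community strings that are the well-known defaults or read-write.
Sample configs are constructed.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

WEAK_CONFIG = """\
line vty 0 4
 transport input telnet ssh
 login local
snmp-server community public RO
snmp-server community private RW
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
snmp-server group NETMON v3 priv
line vty 0 4
 transport input ssh
 login local
"""


def audit_management(config: str) -> list[str]:
    """Return a list of findings; empty means the three checks all pass."""
    lines = [line.strip() for line in config.splitlines()]
    findings: list[str] = []

    # 1. Remote access: only SSH should be accepted on the vty lines
    transports = [line for line in lines if line.startswith("transport input")]
    if not transports:
        findings.append("vty lines have no 'transport input ssh': add it so only SSH is accepted")
    for line in transports:
        protocols = set(line.split()[2:])
        if protocols & {"telnet", "all"}:
            findings.append(f"'{line}' still accepts Telnet (credentials cross the wire in clear text)")

    # 2. AAA must be switched on before the login/authorization/accounting lines take effect
    if "aaa new-model" not in lines:
        findings.append("AAA is not enabled ('aaa new-model' missing)")

    # 3. SNMP: no default strings, no v2c read-write, and SNMPv3 should be in use
    v3_present = any(re.match(r"snmp-server group \S+ v3 ", line) for line in lines)
    communities = 0
    for line in lines:
        m = re.fullmatch(r"snmp-server community (\S+)(?:\s+(RO|RW))?.*", line, re.IGNORECASE)
        if not m:
            continue
        communities += 1
        name, mode = m.group(1), (m.group(2) or "RO").upper()   # IOS defaults a community to RO
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"well-known SNMP community string '{name}' ({mode}): replace it")
        elif mode == "RW":
            findings.append(f"SNMP RW community '{name}': prefer SNMPv3 with authentication and privacy")
    if communities and not v3_present:
        findings.append("SNMPv1/v2c communities in use with no SNMPv3 group: migrate to v3 authPriv")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for finding in audit_management(cfg) or ["no findings"]:
            print("  -", finding)
```

The weak config, which reuses the SNMP lines shown above, yields five findings; the hardened one yields none.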
5. Practical Configuration Checklist
- Port Security
  - Enable on all access ports.
  - Set a maximum of 1–2 MAC addresses.
  - Choose shutdown or restrict based on risk tolerance.
- VLAN Design
  - Keep VLANs logical and minimal.
  - Use private VLANs for sensitive segments.
- Dynamic ARP Inspection
  - Enable on all VLANs that carry untrusted traffic.
  - Pair with DHCP snooping.
- Management Access
  - Disable Telnet.
  - Use SSH with strong key-based authentication.
  - Enforce AAA and SNMPv3.
- Logging & Monitoring
  - Configure syslog to a remote server.
  - Use SNMP traps for critical events.
6. Sample Quiz Questions (Practice)
1. What command enables port security on an interface?
   - A) `switchport mode access`
   - B) `switchport port-security`
   - C) `switchport trunk allowed vlan`
   - D) `switchport access vlan`
2. Which violation mode drops packets but keeps the port up?
   - A) shutdown
   - B) restrict
   - C) protect
   - D) none of the above
3. True or False: Dynamic ARP Inspection works without DHCP snooping.
   - A) True
   - B) False
4. Which command sets a unique native VLAN on a trunk?
   - A) `switchport trunk native vlan 99`
   - B) `switchport trunk allowed vlan 99`
   - C) `switchport trunk encapsulation 99`
   - D) `switchport trunk mode 99`
5. To disable Telnet and enable SSH on vty lines, which commands are required?
   - A) `line vty 0 4`, `transport input telnet`, `login local`
   - B) `line vty 0 4`, `transport input ssh`, `login local`
   - C) `line vty 0 4`, `transport input ssh`, `login local`, `transport input telnet`
   - D) `line vty 0 4`, `transport input all`, `login local`
7. Common Mistakes to Avoid
| Mistake | Consequence | Fix |
|---|---|---|
| Leaving `switchport port-security` disabled | Unrestricted MACs, potential rogue devices | Enable on all access ports |
| Setting `maximum 0` | No devices can connect | Set to an appropriate number |
| Using protect mode in a high-risk environment | Undetected attacks | Switch to restrict or shutdown |
| Forgetting to configure `ip dhcp snooping` | DAI fails, ARP spoofing possible | Enable DHCP snooping on all relevant ports |
| Leaving Telnet enabled | Credentials exposed | Disable Telnet and enable SSH |
8. Advanced Topics
8.1 MAC Address Aging
Switches automatically age out inactive MAC entries. Configure aging time to balance between security and performance.
```
mac address-table aging-time 300
```
8.2 Sticky MAC Addresses
Sticky MACs allow the switch to learn a device's MAC address and store it in the running config.
```
switchport port-security mac-address sticky
```
This is useful for temporary devices but can lead to stale entries if not managed.
8.3 Private VLANs (PVLANs)
PVLANs isolate ports within the same VLAN, preventing direct communication between them while still allowing communication with a promiscuous port (often a router or firewall).
```
vlan 100
 private-vlan primary
 private-vlan association 101
```
9. FAQ
| Question | Answer |
|---|---|
| Can I use port security on trunk ports? | Yes, but it's rare. Typically applied to access ports. |
| Does DAI work on all switch models? | Most modern switches support it, but check the device's documentation. |
| Is it safe to use a single VLAN for all devices? | Not recommended. Segmentation reduces blast radius and improves security. |
| What happens if a violation occurs in shutdown mode? | The port is disabled and must be re-enabled manually (see 1.3). |
| How often should I review port security logs? | At least weekly; more frequent if you detect unusual activity. |
Conclusion
Securing a switch is more than just a set of commands; it’s a strategic approach to protecting network traffic, preventing unauthorized access, and maintaining operational integrity. By mastering port security, VLAN design, dynamic ARP inspection, and secure management access, you’ll be well‑prepared for the 11.6.4 module quiz and, more importantly, for real‑world network defense. Remember to review your configurations regularly, keep firmware updated, and stay vigilant against emerging threats. Happy configuring!