11.6.4 Module Quiz - Switch Security Configuration


Introduction

The 11.6.4 module quiz on switch security configuration is a critical assessment that tests your understanding of hardening switches against common network threats. This quiz covers configuration best practices, authentication methods, port security, and defensive mechanisms that protect enterprise networks. Mastery of these concepts not only helps you pass the exam but also equips you with practical skills to secure real‑world infrastructures. In this article we explore the key topics examined in the quiz, walk through step‑by‑step configuration procedures, explain the underlying security principles, answer frequently asked questions, and summarize the most important takeaways.

Key Topics Covered in the Quiz

The quiz typically focuses on the following domains:

  • Port Security Fundamentals – limiting MAC addresses, violation actions, and sticky learning.
  • 802.1X Authentication – integrating RADIUS servers, supplicant configuration, and the switch's authenticator settings.
  • ACL (Access Control List) Implementation – restricting inbound and outbound traffic on specific ports.
  • BPDU Guard and Loop Protection – preventing accidental topology changes that could lead to loops.
  • Secure Management Interfaces – disabling unused services, enforcing SSH, and managing passwords.

Each of these areas is examined through multiple‑choice questions, scenario‑based items, and configuration‑drag‑and‑drop exercises that simulate real‑world switch setups.

Step‑by‑Step Configuration Guide

1. Enable Port Security

  1. Enter global configuration mode: configure terminal.
  2. Select the target interface: interface GigabitEthernet0/1.
  3. Activate port security: switchport port-security.
  4. Set the maximum number of allowed MAC addresses: switchport port-security maximum 2.
  5. Define the violation mode (e.g., shutdown, restrict, or protect): switchport port-security violation shutdown.
  6. Enable sticky learning to automatically add learned MAC addresses to the running configuration: switchport port-security mac-address sticky.

2. Configure 802.1X Authentication

  1. Enable AAA, define the RADIUS server, and point 802.1X authentication at it (replace the placeholders with your server's address and shared secret):

    ```
    aaa new-model
    radius-server host <radius-server-ip> key <shared-secret>
    aaa authentication dot1x default group radius
    ```

  2. Enable 802.1X globally and then on the desired access interface:

    ```
    dot1x system-auth-control
    interface GigabitEthernet0/2
     authentication port-control auto
     dot1x pae authenticator
    ```

  3. Optionally, force periodic credential checks by enabling re‑authentication with a 60‑second interval on the interface:

    ```
    interface GigabitEthernet0/2
     authentication periodic
     authentication timer reauthenticate 60
    ```

3. Implement ACLs for Restricted Traffic

  1. Create an extended ACL that blocks an unauthorized protocol (here Telnet, TCP port 23) and permits everything else:

    ```
    access-list 130 deny tcp any any eq 23
    access-list 130 permit ip any any
    ```

  2. Apply the ACL in the inbound direction on a specific interface:

    ```
    interface GigabitEthernet0/3
     ip access-group 130 in
    ```

  3. Verify the ACL with show access-lists (which shows per‑entry hit counts) and adjust as needed.

4. Enable BPDU Guard and Loop Guard

  1. Activate BPDU Guard on edge ports:

    ```
    interface range GigabitEthernet0/1-10
     spanning-tree bpduguard enable
    ```

  2. Enable Loop Guard on non‑edge ports to protect against loops caused by unidirectional links (the per‑interface form; spanning-tree loopguard default in global configuration enables it on all ports at once):

    ```
    interface range GigabitEthernet0/11-24
     spanning-tree guard loop
    ```

5. Secure Management Access

  1. Disable unused services:

    ```
    no ip http server
    no ip http secure-server
    no cdp run
    ```

  2. Enforce SSH for remote management (RSA key generation requires a hostname and domain name to be set; replace the placeholder with your own domain):

    ```
    ip domain-name <your-domain>
    crypto key generate rsa modulus 2048
    ip ssh version 2
    line vty 0 4
     transport input ssh
     login local
    ```

  3. Set a strong local username and secret:

    ```
    username admin privilege 15 secret StrongP@ssw0rd!
    enable secret StrongP@ssw0rd2!
    ```

Scientific Explanation of Security Mechanisms

Understanding why each configuration matters deepens retention and promotes proactive troubleshooting.

  • Port Security works by limiting the number of MAC addresses that can appear on a switch port. When a device attempts to exceed this limit, the configured violation mode triggers, preventing unauthorized devices from gaining network access. This mitigates MAC flooding attacks and reduces the attack surface.

  • 802.1X provides network access control (NAC) by authenticating each device before granting connectivity. It leverages EAP (Extensible Authentication Protocol) methods, which can incorporate certificates, passwords, or tokens. The use of a RADIUS server centralizes authentication, allowing for scalable policy enforcement and audit logging.

  • ACLs act as traffic filters that inspect packets against defined criteria (source/destination IP, protocol, port). By placing ACLs on inbound or outbound interfaces, you can block malicious protocols (e.g., Telnet) and permit only authorized traffic, thereby enforcing a defense‑in‑depth strategy.

  • BPDU Guard and Loop Guard protect against accidental topology changes. BPDU Guard shuts down ports that receive unexpected BPDUs, which often indicate a misconfigured downstream device. Loop Guard prevents a port from transitioning to a forwarding state if it stops receiving BPDUs, thus avoiding temporary loops during topology reconvergence.

  • Secure Management Access eliminates unnecessary services that could be exploited (e.g., HTTP, CDP). Switching to SSH encrypts management traffic, protecting credentials from eavesdropping. Strong local usernames and secrets further reduce the risk of unauthorized administrative access.

Frequently Asked Questions

Q1: Can port security be applied to trunk ports? A: Yes. Port security can be configured on trunk ports, but you must specify which VLANs are allowed to forward traffic. Use switchport trunk allowed vlan in combination with switchport port-security maximum to enforce per‑VLAN limits.

Q2: What is the difference between shutdown and err-disable in port security violation modes?

A: The shutdown (default) violation mode immediately places the port into the error-disabled state, cutting off all traffic on that interface. The alternatives are restrict, which drops frames from offending MAC addresses but keeps the port operational, and protect, which simply drops violating frames without logging. The err-disable mode produces the same result but is the explicit keyword used in modern IOS versions. For most production environments, shutdown paired with a recovery mechanism (such as err-disable timeout or EEM scripts) offers the strongest deterrent.
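The behaviour of the three violation modes described in the Port Security bullet of the previous section and in this answer can be made concrete with a small model. The Python class below is an added illustration, not quiz material or IOS code: it simulates a single secured port with a MAC limit, sticky learning and protect/restrict/shutdown handling, so you can see which frames are forwarded, what is logged, and when the port goes error-disabled. The MAC addresses and the log message wording are constructed; the sticky configuration line format follows the running-config syntax shown in step 1 of the guide.

```python
"""Model of port-security violation handling (added illustration, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    maximum: int = 1
    violation: str = "shutdown"     # "protect", "restrict" or "shutdown"
    sticky: bool = False
    learned: list = field(default_factory=list)   # allowed MACs in the order learned
    violations: int = 0             # counter incremented by restrict and shutdown
    err_disabled: bool = False
    log: list = field(default_factory=list)       # constructed syslog-style messages

    def ingress(self, mac):
        """Process a frame from `mac`; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                 # an err-disabled port drops everything
        if mac in self.learned:
            return True
        if len(self.learned) < self.maximum:
            self.learned.append(mac)     # learn a new MAC while under the limit
            return True
        # Limit reached and the MAC is unknown: apply the configured violation mode.
        if self.violation == "protect":
            return False                 # silent drop: no counter, no log
        if self.violation == "restrict":
            self.violations += 1
            self.log.append(f"PSECURE_VIOLATION: unknown MAC {mac} (count={self.violations})")
            return False                 # port stays up, only the offender is dropped
        # shutdown: the port goes error-disabled and stops forwarding entirely
        self.err_disabled = True
        self.violations += 1
        self.log.append(f"ERR_DISABLE: psecure-violation, unknown MAC {mac}")
        return False

    def sticky_config_lines(self):
        """Lines that sticky learning would write into the running-config."""
        if not self.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}" for m in self.learned]

    def errdisable_recover(self):
        """Model of err-disable recovery: bring the port back, keep learned MACs."""
        self.err_disabled = False


def demo():
    """Run the same three-frame sequence through each mode; return forwarded flags."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecuredPort(maximum=1, violation=mode)
        # constructed MACs: first is allowed, second exceeds the limit, then the first returns
        results[mode] = [port.ingress("0011.2233.4455"),
                         port.ingress("0011.2233.4466"),
                         port.ingress("0011.2233.4455")]
    return results


if __name__ == "__main__":
    print(demo())
```

The third frame in demo() is the giveaway: protect and restrict still forward the known MAC afterwards, while shutdown drops it too, which is why a recovery mechanism matters when shutdown is the chosen mode.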

Q3: How do I verify that 802.1X is functioning correctly?

A: Use the following commands to validate the authentication process:

show authentication sessions
show authentication sessions interface GigabitEthernet0/1
show dot1x all

The output will display the supplicant status, authentication method, and whether the session is authorized. A "Success" status alongside the correct VLAN assignment confirms that the RADIUS server is reachable and the credentials are valid.
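Reading that output by eye works for one switch; across many it is worth scripting. The Python snippet below is an added example (not from the quiz or from Cisco) that parses the tabular output of show authentication sessions, lists the interfaces whose session is not in the authorized state, and counts sessions per method. The sample output is constructed to approximate the column layout of that command; real output varies by IOS release (some add a flags column), so the COLUMNS list is an assumption to adjust to your platform.

```python
"""Parse constructed `show authentication sessions` output (added example, not vendor code)."""
import re

# Constructed sample in the column layout of `show authentication sessions`;
# MACs and session IDs are made up and not from any real device.
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Gi0/1      0011.2233.4455  dot1x    DATA     Authz Success  0A0A0A01000000010000ABCD
Gi0/2      0011.2233.4466  mab      VOICE    Authz Success  0A0A0A01000000020000ABCE
Gi0/3      0011.2233.4477  dot1x    UNKNOWN  Authz Failed   0A0A0A01000000030000ABCF
Gi0/4      0011.2233.4488  N/A      UNKNOWN  Running        0A0A0A01000000040000ABD0
"""

# Assumed column order; adjust if your release prints additional columns.
COLUMNS = ["interface", "mac", "method", "domain", "status", "session_id"]
AUTHORIZED = "Authz Success"


def parse_sessions(text):
    """Return one dict per session row; columns are separated by 2+ spaces."""
    sessions = []
    for line in text.splitlines()[1:]:          # first line is the header
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected line layout: {line!r}")
        sessions.append(dict(zip(COLUMNS, fields)))
    return sessions


def unauthorized_ports(text):
    """Interfaces whose session is not authorized (failed, still running, etc.)."""
    return [s["interface"] for s in parse_sessions(text) if s["status"] != AUTHORIZED]


def by_method(text):
    """Count sessions per authentication method (dot1x, mab, N/A ...)."""
    counts = {}
    for s in parse_sessions(text):
        counts[s["method"]] = counts.get(s["method"], 0) + 1
    return counts


if __name__ == "__main__":
    print("not authorized:", unauthorized_ports(SAMPLE_OUTPUT))
    print("by method:", by_method(SAMPLE_OUTPUT))
```

A port showing Running for longer than the configured timers, or N/A as the method, usually means the supplicant never completed EAP; that is the first place to look before blaming the RADIUS server.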

Q4: Is it necessary to configure both BPDU Guard and Loop Guard on the same port?

A: Not always. BPDU Guard is typically applied on access ports where receiving a BPDU is unexpected, while Loop Guard is applied on ports that form part of a redundant path (root-facing or designated ports). Applying both on the same port is redundant and can cause unnecessary downtime if one of them triggers under benign conditions. Use BPDU Guard on access ports and Loop Guard on trunk or uplink ports for the most effective coverage.

Q5: Can I use ACLs on a Layer 2 switch without routing enabled?

A: Yes. VACLs are processed in hardware before the forwarding decision is made, so they do not require the switch to act as a router. Even without an SVI or inter-VLAN routing, you can apply ACLs on Layer 2 interfaces using VLAN-based ACLs (VACLs) or port-based ACLs (PACLs). This lets you filter traffic within the same VLAN without enabling full Layer 3 functionality.


Q6: What is the recommended interval for rotating enable secrets and SSH keys?

A: Industry best practices suggest rotating authentication credentials and cryptographic keys at least every 90 days. For SSH, regenerate host keys using crypto key generate rsa modulus 2048 and update any trusted-host entries on management stations. For enable secrets, replace the password with a new one and verify that all automation tools and NMS platforms are updated accordingly to avoid service disruptions.



Conclusion

Securing a Cisco Catalyst switch is not a one-time event but an ongoing discipline that combines layered configurations with continuous monitoring. By implementing port security, 802.1X authentication, carefully crafted ACLs, spanning-tree protection mechanisms, and hardened management access, you build a defense-in-depth posture that significantly raises the cost of an attack while lowering its probability of success.

The configurations outlined in this guide form a practical baseline that can be adapted to any network size or compliance requirement. Equally important is the understanding of the underlying science behind each mechanism—knowing how MAC address limiting, EAP exchanges, and BPDU processing work empowers network engineers to troubleshoot anomalies swiftly and to make informed decisions when scaling security policies.

Finally, security is only as strong as the processes that sustain it. Treat this guide as a living reference: revisit it whenever your network topology changes, new vulnerabilities are disclosed, or organizational policies evolve. Regular audits, credential rotation, firmware updates, and staff training ensure the technical controls remain effective against evolving threats. A well-maintained switch configuration is the foundation upon which every other security investment—whether firewalls, IDS, or zero-trust architecture—ultimately depends.
