Computer Science · 18 questions · ~9 min · AI-generated

Switch Security Configuration Essentials
  1. Which command disables an unused switch port to prevent unauthorized access?
  2. What is the default violation mode for port security on a Cisco switch?
  3. When configuring port security, which type of MAC address learning allows the address to be saved to the running configuration?
  4. Which command globally enables PortFast on all access ports?
  5. What is the effect of enabling BPDU Guard on an access port that receives a BPDU?
  6. Which VLAN hopping mitigation step disables DTP on trunk ports?
  7. What does the 'absolute' aging type do for secure MAC addresses?
  8. Which command sets the maximum number of secure MAC addresses on a port to 4?
  9. During a DHCP starvation attack, why is port security alone insufficient to stop spoofing?
  10. Which command globally enables DHCP snooping on VLANs 10, 20, and 30?
  11. What is the primary purpose of Dynamic ARP Inspection (DAI)?
  12. Which validation option checks that the source MAC in the Ethernet header matches the sender MAC in the ARP body?
  13. If a port security violation occurs and the mode is set to 'protect', what happens?
  14. Which command verifies that PortFast is enabled on a specific interface?
  15. What is the recommended native VLAN setting to mitigate VLAN hopping?
  16. When using 'switchport port-security mac-address sticky', what must be done to make the learned MAC addresses persistent across reboots?
  17. Which command globally enables BPDU Guard on all access ports?
  18. What is the primary reason to set the maximum number of secure MAC addresses on a port to one?

Review key concepts before taking the quiz

Switch Security Configuration Essentials: An In‑Depth Guide

Securing a Cisco switch is a foundational skill for any network professional. From disabling unused ports to configuring port security, each step reduces the attack surface and protects critical assets. This course walks you through the most common security features, explains why they matter, and shows the exact CLI commands you need to implement them.

Disabling Unused Switch Ports

Why shut down idle interfaces?

Every physical port on a switch is a potential entry point for an attacker. If a port is not in use, leaving it in an up state creates a "soft" vulnerability that can be exploited with a simple plug‑in device. Disabling the port with the shutdown command ensures that no traffic can be sent or received, effectively turning the port into a dead end.

Command example:

interface range Gig0/1-24
 shutdown
 exit

By applying the command to a range, you can quickly secure an entire block of unused interfaces. Remember to document which ports are intentionally shut down so they can be re‑enabled when needed.

Port Security Fundamentals

Default Violation Mode

When you enable port security on a Cisco switch, the default violation action is shutdown. This means that if a violation is detected—such as more MAC addresses appearing on the port than the configured maximum—the port is placed into the error‑disabled state and stops forwarding traffic until an administrator intervenes.

Understanding the default behavior helps you decide whether you need to change it to protect or restrict for less disruptive environments.

Configuring the Maximum Number of Secure MAC Addresses

The switchport port-security maximum command defines how many MAC addresses a port can learn securely. Setting this limit prevents rogue devices from flooding the MAC address table.

Example to allow up to four secure MACs:

interface Gig0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 exit

When the limit is reached, any additional MAC address triggers the configured violation mode.

Sticky MAC Addresses

Sticky MAC learning combines the flexibility of dynamic learning with the persistence of static configuration. When you enable switchport port-security mac-address sticky, the switch automatically adds learned MAC addresses to the running configuration. These addresses survive a reload if you save the configuration, providing a convenient way to lock down a port without manually typing each MAC.

Command sequence:

interface Gig0/10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 exit

Sticky entries are especially useful in environments with a known set of devices, such as a conference room or a dedicated workstation.

Global PortFast Configuration

What is PortFast?

PortFast is a spanning‑tree optimization that moves an access port directly to the forwarding state, bypassing the usual listening and learning phases. This reduces the time it takes for end devices to obtain network connectivity, which is critical for servers, VoIP phones, and other latency‑sensitive equipment.

To enable PortFast on **all** access ports with a single global command, use:

spanning-tree portfast default

This command automatically applies PortFast to any interface configured as switchport mode access. It is a best practice to combine PortFast with BPDU Guard to protect against accidental loops.

BPDU Guard: Protecting Access Ports from Spanning‑Tree Attacks

How BPDU Guard Works

BPDU Guard monitors an access port for incoming Bridge Protocol Data Units (BPDUs). If a BPDU is detected—indicating that the port is connected to another switch—the port is immediately placed into the error‑disabled state. This prevents rogue switches from participating in the spanning‑tree topology and potentially causing loops.

Effect of a BPDU on a guarded port: the port transitions to an error‑disabled state, logs the violation, and stops forwarding traffic until an administrator re‑enables it.

Enable BPDU Guard globally on all PortFast‑enabled access ports with:

spanning-tree portfast default
spanning-tree portfast bpduguard default

Or apply it per‑interface with spanning-tree bpduguard enable for finer control.
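As an added example (not part of the original guide), the following Python script triages the syslog messages a switch emits when port security or BPDU Guard fires: it separates ports that really went error‑disabled from ports that only logged a violation (as a restrict or protect port would), and flags a MAC address that shows up on more than one port. The sample log lines are constructed, modelled on the IOS PORT_SECURITY, SPANTREE and PM message formats, and the regular expressions assume those formats.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on Cisco IOS port-security,
# BPDU Guard and err-disable messages (not captured from a real switch).
SAMPLE_LOG = """\
Mar  1 10:02:11.410: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/5.
Mar  1 10:02:11.412: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 10:15:03.001: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:15:03.004: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/7, putting Gi0/7 in err-disable state
Mar  1 10:20:44.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/9.
"""

VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .* MAC address (\S+) on port (\S+)")
BPDU_RE = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on \S+, putting (\S+) in err-disable")

def short_name(port):
    """Normalise 'GigabitEthernet0/5' and 'Gi0/5' (with or without a trailing '.') to one key."""
    m = re.match(r"([A-Za-z]+)(\d.*)", port.rstrip("."))
    return m.group(1)[:2] + m.group(2) if m else port

def triage(log_text):
    """Summarise per-port events: cause, offending MACs, and whether the port went err-disabled."""
    ports = defaultdict(lambda: {"cause": None, "macs": set(), "err_disabled": False})
    mac_ports = defaultdict(set)
    for line in log_text.splitlines():
        if m := VIOLATION_RE.search(line):
            mac, port = m.group(1), short_name(m.group(2))
            ports[port]["cause"] = "psecure-violation"
            ports[port]["macs"].add(mac)
            mac_ports[mac].add(port)
        elif m := BPDU_RE.search(line):
            ports[short_name(m.group(1))]["cause"] = "bpduguard"
        elif m := ERRDIS_RE.search(line):
            # PM-4-ERR_DISABLE confirms the port really went err-disabled; a port
            # in restrict or protect mode stays up and never logs this line.
            info = ports[short_name(m.group(2))]
            info["err_disabled"] = True
            info["cause"] = info["cause"] or m.group(1)
    return {
        "ports": {p: {**v, "macs": sorted(v["macs"])} for p, v in ports.items()},
        # One MAC seen on several ports suggests a moving or spoofed address
        # and deserves a look before any port is re-enabled.
        "macs_on_multiple_ports": {m: sorted(p) for m, p in mac_ports.items() if len(p) > 1},
    }
```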

VLAN Hopping Mitigation

Disabling DTP on Trunk Ports

Dynamic Trunking Protocol (DTP) can be abused by attackers to negotiate a trunk link and gain access to multiple VLANs. The recommended mitigation is to disable DTP on ports that should remain static trunks.

Use the switchport nonegotiate command on each trunk interface:

interface Gig0/24
 switchport mode trunk
 switchport nonegotiate
 exit

This forces the port to operate as a static trunk, eliminating the DTP negotiation process and reducing the risk of VLAN hopping attacks.

Aging Types for Secure MAC Addresses

Absolute vs. Inactivity Aging

Secure MAC address entries can be aged out to free up space for new devices. Two aging methods exist:

  • Inactivity aging – the address is removed only after it has been idle for the configured time.
  • Absolute aging – the address is deleted after a fixed period, regardless of whether it is still active.

Absolute aging takes two commands: switchport port-security aging time 30 sets the timer (in minutes) and switchport port-security aging type absolute selects the aging type. With that configuration the switch will purge the secure MAC entry after 30 minutes even if the device continues to send traffic. This is useful in environments where you want to enforce strict rotation of devices.

Comprehensive Review Quiz

Test your knowledge with the following questions. Review the explanations above to confirm each answer.

  1. Which command disables an unused switch port to prevent unauthorized access?
    Answer: interface range Gig0/1-24; shutdown
  2. What is the default violation mode for port security on a Cisco switch?
    Answer: shutdown
  3. When configuring port security, which type of MAC address learning allows the address to be saved to the running configuration?
    Answer: Dynamically Learned – Sticky
  4. Which command globally enables PortFast on all access ports?
    Answer: spanning-tree portfast default
  5. What is the effect of enabling BPDU Guard on an access port that receives a BPDU?
    Answer: The port transitions to error‑disabled state.
  6. Which VLAN hopping mitigation step disables DTP on trunk ports?
    Answer: switchport nonegotiate
  7. What does the 'absolute' aging type do for secure MAC addresses?
    Answer: Deletes addresses after the specified time regardless of activity.
  8. Which command sets the maximum number of secure MAC addresses on a port to 4?
    Answer: switchport port-security maximum 4

By mastering these commands and concepts, you will be equipped to harden Cisco switches against common threats, maintain compliance, and ensure reliable network performance.
