Introduction
Switch security configuration applies practical protections against common Layer 2 attacks. This module focuses on unused ports, port security, VLAN attack mitigation, DHCP snooping, Dynamic ARP Inspection, and STP protections.
Learning Goals
By the end of this module, you should be able to:
- Secure unused switch ports.
- Configure and verify port security.
- Explain sticky MAC learning and violation modes.
- Mitigate VLAN hopping attacks.
- Configure DHCP snooping.
- Configure Dynamic ARP Inspection.
- Configure PortFast and BPDU Guard on edge ports.
Secure Unused Ports
Unused switch ports should not be left enabled with their default configuration. A common best practice is to assign them to a dedicated, otherwise unused VLAN, shut them down, and add a description that records why the port is disabled.
Activity: Shut Down Unused Ports
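The following Cisco IOS configuration is an added example for this activity; it is not taken from the course page. The interface range FastEthernet0/13 - 24, VLAN 999, and the description text are constructed values: substitute the ports that are actually unused on your switch.

```cisco
! Added example, not course material. Fa0/13-24 and VLAN 999 are constructed.
configure terminal
! Step 1: create a dedicated "parking" VLAN that carries no user traffic and
! is not allowed on any trunk.
vlan 999
 name UNUSED_PARKING
 exit
! Step 2: move every currently unused port into that VLAN, force access
! mode so it can never negotiate a trunk, and shut it down.
interface range FastEthernet0/13 - 24
 description UNUSED - shut down per switch hardening policy
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
 exit
end
! Verification: each of Fa0/13-24 should show status "disabled" and VLAN 999.
show interfaces status
! Confirm no port in VLAN 999 is up
show vlan id 999
```

Re-enabling a port later is then a deliberate change (`no shutdown` plus reassigning the VLAN), which is the point: nobody gets network access simply by finding a free jack.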
Port Security Overview
Port security limits which MAC addresses can use a switch port. It helps reduce MAC flooding and unauthorized device connections.
Port security can learn MAC addresses in several ways:
- manually configured secure MAC addresses,
- dynamically learned secure MAC addresses,
- sticky learned MAC addresses, which are written into the running configuration (they survive a reload only if the running configuration is saved).
Port security is configured on ports statically set to access mode; it cannot be enabled on a port left in dynamic (DTP) trunk-negotiation mode.
Activity: Configure Basic Port Security
Port Security Violation Modes
A violation occurs when a frame arrives from a MAC address that is not one of the port's secure addresses and the maximum has already been reached, or when a secure address is seen on a different port in the same VLAN. The switch can respond in three ways.

| Mode | Behavior |
|---|---|
| Protect | Drops frames from unauthorized MAC addresses silently: no syslog message and no violation counter increment, so the event is invisible unless traffic is analyzed. |
| Restrict | Drops frames from unauthorized MAC addresses, increments the violation counter, and generates a syslog message (and SNMP trap if configured). The port stays up. |
| Shutdown | Places the port into the error-disabled state, increments the violation counter, and logs the event. This is the default mode and is commonly used for strict protection. |
Port Security Aging
Port security aging removes learned secure MAC addresses after a timer. Aging can be absolute or inactivity-based depending on configuration. This is useful when devices are expected to change, but it should be used carefully in secure environments.
Activity: Configure Port Security Aging
Recovering an Error-Disabled Port
If a port enters the error-disabled state, investigate the cause before re-enabling it (a port-security violation, for example, means an unexpected device appeared). After correcting the problem, issue `shutdown` followed by `no shutdown` on the interface, or configure automatic error-disable recovery for that cause if unattended recovery is acceptable in your environment.
Activity: Verify and Recover Port Security
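The configuration below is an added worked example covering the whole port-security procedure in this module (basic configuration, sticky learning, violation mode, aging, verification, and recovery); it is not from the course page. Interface names FastEthernet0/1 and 0/2, VLAN 10, the printer MAC address 0050.56aa.bb01, and the timer values are constructed for illustration.

```cisco
! Added example, not course material. Interfaces, VLAN, MAC and timers are constructed.
configure terminal
! --- User port: an IP phone with a PC behind it, so allow 2 addresses ---
interface FastEthernet0/1
 description User port - PC behind IP phone
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! sticky: the first two learned addresses are written to running-config
 switchport port-security mac-address sticky
 ! restrict: offending frames are dropped, counted and logged; port stays up
 switchport port-security violation restrict
 ! inactivity aging: forget a secure address after 60 minutes without traffic
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 exit
! --- Printer port: exactly one known device, strict response ---
interface FastEthernet0/2
 description Printer - fixed MAC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0050.56aa.bb01
 switchport port-security violation shutdown
 exit
! Optional: let psecure-violation err-disabled ports recover after 300 s
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
! Sticky addresses exist only in running-config until saved.
copy running-config startup-config
! --- Verification ---
! Shows mode, violation mode, max/current counts, aging and the last source MAC
show port-security interface FastEthernet0/1
! Lists every secure address with its type (SecureSticky / SecureConfigured)
show port-security address
! --- Recovery after a shutdown violation on Fa0/2 ---
! First find out which ports are err-disabled and why
show interfaces status err-disabled
! Only after the unexpected device has been removed and understood:
configure terminal
interface FastEthernet0/2
 shutdown
 no shutdown
 exit
end
show errdisable recovery
```

Keep the verification step before recovery: `show port-security interface` reports the last offending source address, which is the evidence you want to preserve before the port is brought back.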
Mitigate VLAN Hopping
To reduce VLAN hopping risk:
- Manually configure user ports as access ports.
- Disable trunk negotiation on ports that should not trunk.
- Use an unused VLAN as the native VLAN.
- Avoid carrying the native VLAN as a user VLAN.
- Limit allowed VLANs on trunks.
Activity: Harden Access and Trunk Ports
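The configuration below is an added example applying all five VLAN-hopping mitigations listed above; it is not from the course page. The ports FastEthernet0/1 - 12 and GigabitEthernet0/1, VLAN 999 as the native VLAN, and the allowed list 10,20,30 are constructed values.

```cisco
! Added example, not course material. Ports and VLAN numbers are constructed.
configure terminal
! --- User ports: fixed access mode, DTP disabled ---
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 exit
! --- Native VLAN that carries no user traffic ---
vlan 999
 name NATIVE_UNUSED
 exit
! --- Uplink trunk: fixed trunk mode, DTP disabled, unused native VLAN,
!     and only the VLANs that really need to cross this link ---
interface GigabitEthernet0/1
 ! On platforms that also support ISL (e.g. Catalyst 3560) the next line is
 ! required before "switchport mode trunk"; 802.1Q-only platforms such as
 ! the Catalyst 2960 reject it, so omit it there.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 exit
end
! --- Verification ---
! Native VLAN should read 999 and "Vlans allowed on trunk" should be 10,20,30
show interfaces GigabitEthernet0/1 trunk
! Administrative/Operational Mode should both be static access, Negotiation of Trunking: Off
show interfaces FastEthernet0/1 switchport
```

Note that VLAN 999 is not in the allowed list on the trunk, so native-VLAN frames have nowhere to go even if something attempts to use it.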
DHCP Snooping
DHCP snooping protects against rogue DHCP servers and helps build a trusted binding table of MAC address, IP address, VLAN, and port information.
Ports are classified as:
- trusted: usually uplinks toward legitimate DHCP servers,
- untrusted: usually user-facing access ports.
DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving on untrusted ports are dropped, so a rogue server on a user port cannot hand out addresses. Client messages on untrusted ports are forwarded, and the resulting leases populate the binding table.
Activity: Configure DHCP Snooping
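The following configuration is an added example for this activity, not course material. It assumes the legitimate DHCP server is reached through GigabitEthernet0/1, that users sit in VLANs 10 and 20 on FastEthernet0/1 - 24, and that the binding database is kept in flash under a constructed file name.

```cisco
! Added example, not course material. Interfaces, VLANs and file name are constructed.
configure terminal
! DHCP snooping must be enabled globally AND per VLAN; one without the other does nothing.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! The switch inserts option 82 by default; most edge designs turn this off
! unless the DHCP server is configured to accept relay information.
no ip dhcp snooping information option
! Trusted: the uplink toward the real DHCP server (server replies accepted here)
interface GigabitEthernet0/1
 ip dhcp snooping trust
 exit
! Untrusted is the default for every other port. Also rate-limit DHCP on
! user ports; a port exceeding the limit is placed in err-disabled state.
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 6
 exit
! Optional: persist the binding table so DAI does not start with an empty
! table after a reload and drop every client's ARP until leases renew.
ip dhcp snooping database flash:dhcp-snooping.db
end
! --- Verification ---
! Shows enabled VLANs, option-82 state, and trust/rate-limit per interface
show ip dhcp snooping
! One line per lease: MAC, IP, remaining lease, type, VLAN, interface
show ip dhcp snooping binding
```

The binding table shown by the last command is the data that Dynamic ARP Inspection and IP Source Guard later rely on, so verify that real clients appear in it before turning those features on.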
Dynamic ARP Inspection
Dynamic ARP Inspection checks ARP packets against trusted information, often from the DHCP snooping binding table. It helps stop ARP poisoning by dropping invalid ARP messages on untrusted ports.
DAI requires careful configuration. If the binding table has no entry for a statically addressed host, that host's valid ARP traffic is dropped on untrusted ports unless a static binding or an ARP access list is configured for it.
Activity: Configure Dynamic ARP Inspection
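The configuration below is an added example for this activity and is not from the course page. It assumes DHCP snooping is already running for VLANs 10 and 20, that GigabitEthernet0/1 is the uplink to a distribution switch that performs its own inspection, and that a statically addressed printer at 10.10.10.50 with MAC 0050.56aa.bb01 has no DHCP lease; all of these values are constructed.

```cisco
! Added example, not course material. Interfaces, VLANs, IP and MAC are constructed.
configure terminal
! Inspect ARP on the same VLANs that DHCP snooping is building bindings for
ip arp inspection vlan 10,20
! Trust the uplink; otherwise ARP from every host beyond it would need bindings here
interface GigabitEthernet0/1
 ip arp inspection trust
 exit
! Extra checks: source MAC must match ARP sender, destination MAC must match
! ARP target (replies), and no invalid/unexpected IPs (0.0.0.0, 255.255.255.255, multicast)
ip arp inspection validate src-mac dst-mac ip
! Static host with no DHCP binding: permit its exact IP/MAC pair.
! Without the "static" keyword on the filter line, packets that do not match
! the ACL still fall through to the DHCP snooping binding check.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0050.56aa.bb01
 exit
ip arp inspection filter STATIC-HOSTS vlan 10
! Optional: untrusted ports default to 15 ARP packets/s; exceeding it
! err-disables the port. Allow automatic recovery for that cause.
errdisable recovery cause arp-inspection
end
! --- Verification ---
! Trust state and rate limit per interface
show ip arp inspection interfaces
! Inspection state, validation flags and the applied ACL for the VLAN
show ip arp inspection vlan 10
! Forwarded vs dropped counts; a rising "DHCP Drops" column on a VLAN with
! legitimate hosts usually means a missing binding, not an attack
show ip arp inspection statistics vlan 10
```

Check the statistics during a pilot on one VLAN before enabling DAI widely: hosts with static addresses, or hosts whose leases predate the snooping table, show up as drops there.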
Mitigate STP Attacks
Enable PortFast only on access ports that connect to end devices: it moves the port straight to forwarding, skipping the listening and learning states, so a switch plugged into such a port could create a loop before STP reacts. Pair it with BPDU Guard, which places the port into the error-disabled state if a BPDU arrives, since a BPDU on an edge port means either a misconnection or an attempt to participate in the spanning tree.
Activity: Configure PortFast and BPDU Guard
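The configuration below is an added example for this activity, not course material. It shows both the per-interface form and the global default form on constructed ports FastEthernet0/1 - 24; the recovery interval of 300 seconds is also a constructed value.

```cisco
! Added example, not course material. Interface range and timer are constructed.
configure terminal
! --- Per-interface form: explicit on each host-facing access port ---
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 exit
! --- Global form: every port in access mode gets PortFast, and every port
!     operating in PortFast gets BPDU Guard. Trunks are unaffected. ---
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Optional: bring a bpduguard err-disabled port back after 300 s.
! Leave this out if you prefer that an unexpected switch stays cut off
! until someone has looked at the port.
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
! --- Verification ---
! Should report PortFast enabled for this interface
show spanning-tree interface FastEthernet0/1 portfast
! "Portfast Default" and "PortFast BPDU Guard Default" should read enabled
show spanning-tree summary
! Any port that tripped BPDU Guard appears here with reason "bpduguard"
show interfaces status err-disabled
```

Never apply PortFast to uplinks or inter-switch links; the global `spanning-tree portfast default` form is safe only because it excludes ports in trunk mode.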
Summary
Switch hardening reduces common Layer 2 risks. Disable unused ports, use port security, control trunking, enable DHCP snooping, protect ARP with DAI, and secure edge ports with PortFast and BPDU Guard.