Ever tried to crack open a switch’s security settings only to find yourself staring at a wall of commands you don’t even recognize?
That moment when the “module quiz – 11.6.4” pops up on your screen and you realize the exam is testing more than just rote memorization. It’s testing whether you actually know how to lock down a switch so the network stays safe, even when the unexpected happens Most people skip this — try not to. Turns out it matters..
Below is the guide that pulls together everything you need to ace that quiz and, more importantly, to walk away with a configuration you can trust in the real world.
What Is the 11.6.4 Module Quiz – Switch Security Configuration?
In plain English, the “11.6.4 module quiz” is a checkpoint in many networking certification tracks (think CCNA, CCNP, or vendor‑specific curricula) that zeroes in on switch security. The number isn’t random—it maps to the chapter in the official textbook where the author walks through securing a layer‑2 device And it works..
So when the exam asks you to “configure switch security,” it isn’t just looking for a single command. It wants you to demonstrate a holistic approach: port security, VLAN hardening, control‑plane policing, and a few hidden gems that keep rogue devices from taking over the LAN.
Think of it like a kitchen safety test. You could just remember to turn off the stove, but the instructor really wants to see you lock the gas valve, wear gloves, and keep a fire extinguisher handy. Same idea here—multiple layers, each covering a different threat vector That's the part that actually makes a difference..
Why It Matters / Why People Care
Network breaches start at the edge. A single compromised switch port can give an attacker a foothold, let them sniff traffic, or even launch a man‑in‑the‑middle attack across the entire campus Most people skip this — try not to. Still holds up..
Real‑world example: In 2022 a major university suffered a data leak because an unsecured switch port in a dorm allowed a student to plug in a rogue device. The breach went unnoticed for weeks, and sensitive research data was exfiltrated.
If you understand the security knobs covered in 11.6.4, you can:
- Stop unauthorized devices from gaining network access.
- Contain VLAN hopping attempts that try to jump across logical boundaries.
- Protect the control plane from DoS attacks that could bring the whole switch down.
In practice, the difference between a “good enough” configuration and a truly hardened one is the gap between a network that stays online during a targeted attack and one that crashes under a simple mis‑plug But it adds up..
How It Works (or How to Do It)
Below is the step‑by‑step playbook you’ll use on a Cisco IOS switch. The concepts translate to other vendors, but the command syntax is Cisco‑centric because that’s what most 11.6.4 labs use That's the whole idea..
1. Secure the Management Plane
Before you even touch the data ports, lock down how you get into the switch.
! Enable local authentication
username admin secret StrongP@ssw0rd
! Use AAA for centralized control (RADIUS/TACACS+)
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
Restrict VTY access to trusted IPs
line vty 0 4
transport input ssh
access-class 10 in
!
Now, ip access-list standard 10
permit 192. In real terms, 168. Plus, 10. On the flip side, 0 0. 0.0.
*Why this matters:* If an attacker can telnet in, everything else is moot. SSH + AAA + ACLs give you a solid first line.
### 2. Harden the Control Plane
The control plane is the brain of the switch. Unchecked traffic can flood it and make the device unresponsive.
```bash
! Create a class-map for control‑plane traffic
class-map match-any CP-TRAFFIC
match protocol bgp
match protocol ospf
match access-group name CP-ACL
! Define a police policy (rate‑limit to 10 Mbps, burst 2 MB)
policy-map CP-POLICY
class CP-TRAFFIC
police 10000000 2000000 conform-action transmit exceed-action drop
! Apply to the control plane
control-plane
service-policy input CP-POLICY
Real talk: Most people skip this step because they think “the control plane only talks to routers.” Wrong. A rogue host can flood CDP, LLDP, or even ARP and bring the switch to its knees.
3. Enable Port Security
Port security is the bread‑and‑butter of 11.6.So 4. It limits how many MAC addresses can appear on a port and what happens when the limit is exceeded That's the part that actually makes a difference..
interface range GigabitEthernet1/0/1-24
switchport mode access
switchport access vlan 10
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
!
! Enable port security
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
!
! Optional: set a static MAC for critical devices
switchport port-security mac-address 00AA.BBCC.DDEE
Key points:
- Maximum 2 lets you accommodate a laptop + a phone but blocks a third device.
- Sticky MAC writes the learned address to the running config, so it survives a reboot.
- Violation restrict drops offending frames but still logs the event—useful for forensic follow‑up.
4. Harden VLANs and Trunk Ports
A lot of attacks happen by slipping onto a trunk and sniffing all VLANs.
! Disable unused VLANs
vlan 100
name UNUSED_VLAN
shutdown
! Secure trunk ports
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
! Enable DTP pruning (if supported)
switchport trunk pruning vlan 10,20,30
Why you care: By explicitly listing allowed VLANs, you prevent a rogue device from advertising a VLAN that doesn’t exist on the core.
5. Deploy DHCP Snooping & Dynamic ARP Inspection (DAI)
If you run DHCP on the LAN, these two features stop a malicious host from handing out fake IPs or ARP replies.
! DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface range GigabitEthernet1/0/1-24
ip dhcp snooping limit rate 100
interface GigabitEthernet1/0/25
ip dhcp snooping trust
! DAI
ip arp inspection vlan 10,20,30
interface range GigabitEthernet1/0/1-24
ip arp inspection limit rate 50
interface GigabitEthernet1/0/25
ip arp inspection trust
Turns out a simple ARP spoof can let an attacker hijack traffic from an entire floor. DAI catches that before it spreads.
6. Enable Storm Control
Broadcast storms can cripple a switch in seconds The details matter here..
interface range GigabitEthernet1/0/1-24
storm-control broadcast level 30.00 40.00
storm-control action shutdown
What most people miss: The “shutdown” action actually disables the port when the threshold is crossed, preventing the storm from propagating.
7. Save and Verify
Never assume your changes are live That's the part that actually makes a difference..
write memory
show running-config | include security
show port-security interface GigabitEthernet1/0/1
show control-plane police
show ip dhcp snooping
show arp inspection
If any of those commands return “no such command,” you’re probably on an older IOS that needs a feature license. That’s a whole other rabbit hole, but worth noting It's one of those things that adds up..
Common Mistakes / What Most People Get Wrong
-
Leaving VTP or CDP enabled on edge ports.
Those protocols broadcast topology info that a rogue device can harvest. Turn them off withno cdp enableandno vtp enableon access ports. -
Using “protect” instead of “restrict” for port‑security violations.
“Protect” silently drops frames and never logs. “Restrict” drops and logs, giving you an audit trail. -
Forgetting to trust the uplink on DHCP snooping/DAI.
If the uplink isn’t trusted, legitimate DHCP replies get discarded, and devices won’t get IP addresses Took long enough.. -
Setting the maximum MAC count to 1 on ports that need two devices.
A laptop + a VoIP phone is a common combo. One‑MAC policies cause unnecessary shutdowns. -
Applying storm‑control only to broadcast traffic.
Multicast storms can be just as destructive. Addstorm-control multicast levelif your environment uses video or IPTV. -
Not backing up the config after sticky MAC learning.
Sticky MACs are stored in the running config, not the startup config, unless you save. A reboot wipes them out.
Practical Tips / What Actually Works
-
Document every “trust” statement. A quick spreadsheet of which ports are trusted for DHCP, DAI, and control‑plane policing saves you from a future “why is this port down?” panic.
-
Use a baseline script. Paste the entire block above into a text file, replace VLAN numbers and IP ranges, then run it with
copy tftp://<server>/baseline.cfg running-config. Consistency beats ad‑hoc tweaks. -
put to work Syslog and SNMP traps. Configure a central log server to capture
PORT_SECURITY-2-PSECURE_VIOLATIONandARP-INSPECT-4-ARPINSPECTevents. Real‑time alerts let you react before a rogue device spreads. -
Test with a “bad” device. Plug a laptop with a spoofed MAC address into an access port and watch the logs. If the port shuts down as expected, you’ve got it right.
-
Schedule a quarterly audit. Run
show port-security addressand compare against an inventory list. Any unknown MACs? Investigate immediately.
FAQ
Q: Do I need to enable both BPDU Guard and BPDU Filter on access ports?
A: BPDU Guard is enough to protect against accidental loops. BPDU Filter can hide the switch from legitimate spanning‑tree negotiations, which is risky. Stick with Guard unless you have a very specific reason Practical, not theoretical..
Q: What’s the difference between “restrict” and “shutdown” for port‑security violations?
A: “Restrict” drops offending frames and logs the event; the port stays up. “Shutdown” puts the port into err‑disable state, requiring manual or timer‑based recovery.
Q: Can I use the same configuration on a stack of switches?
A: Yes, but remember that some commands (like storm-control) are per‑interface. If you push a config to the stack master, it propagates, but verify each member with show running-config.
Q: How does 802.1X fit into the 11.6.4 security model?
A: 802.1X is the gold standard for port authentication, but the module quiz often focuses on “basic” security (port security, DHCP snooping, etc.). If your environment supports it, enable it on top of the baseline for extra assurance Worth keeping that in mind..
Q: My switch says “Feature not enabled” when I try to configure DAI. What now?
A: You’re likely on a license that doesn’t include the “Advanced Security” feature set. Upgrade the IOS image or purchase the appropriate license.
That’s the whole picture. You’ve got the why, the how, the pitfalls, and the real‑world tricks that turn a textbook answer into a network you can actually rely on.
Now go fire up that lab, paste the commands, and watch the quiz question melt away. Good luck, and may your ports stay secure.