Must Read

11.6.4 Module Quiz - Switch Security Configuration: Exact Answer & Steps

9 min read
11.6.4 Module Quiz - Switch Security Configuration: Exact Answer & Steps
11.6.4 Module Quiz - Switch Security Configuration: Exact Answer & Steps

Ever tried to crack open a switch’s security settings only to find yourself staring at a wall of commands you don’t even recognize?
That moment when the “module quiz – 11.6.4” pops up on your screen and you realize the exam is testing more than just rote memorization. It’s testing whether you actually know how to lock down a switch so the network stays safe, even when the unexpected happens.

Below is the guide that pulls together everything you need to ace that quiz and, more importantly, to walk away with a configuration you can trust in the real world.

What Is the 11.6.4 Module Quiz – Switch Security Configuration?

In plain English, the “11.Think about it: 6. Even so, 4 module quiz” is a checkpoint in many networking certification tracks (think CCNA, CCNP, or vendor‑specific curricula) that zeroes in on switch security. The number isn’t random—it maps to the chapter in the official textbook where the author walks through securing a layer‑2 device No workaround needed..

So when the exam asks you to “configure switch security,” it isn’t just looking for a single command. It wants you to demonstrate a holistic approach: port security, VLAN hardening, control‑plane policing, and a few hidden gems that keep rogue devices from taking over the LAN That's the part that actually makes a difference..

Think of it like a kitchen safety test. Even so, you could just remember to turn off the stove, but the instructor really wants to see you lock the gas valve, wear gloves, and keep a fire extinguisher handy. Same idea here—multiple layers, each covering a different threat vector Simple as that..

Why It Matters / Why People Care

Network breaches start at the edge. A single compromised switch port can give an attacker a foothold, let them sniff traffic, or even launch a man‑in‑the‑middle attack across the entire campus.

Real‑world example: In 2022 a major university suffered a data leak because an unsecured switch port in a dorm allowed a student to plug in a rogue device. The breach went unnoticed for weeks, and sensitive research data was exfiltrated.

If you understand the security knobs covered in 11.6.4, you can:

  • Stop unauthorized devices from gaining network access.
  • Contain VLAN hopping attempts that try to jump across logical boundaries.
  • Protect the control plane from DoS attacks that could bring the whole switch down.

In practice, the difference between a “good enough” configuration and a truly hardened one is the gap between a network that stays online during a targeted attack and one that crashes under a simple mis‑plug Easy to understand, harder to ignore..

How It Works (or How to Do It)

Below is the step‑by‑step playbook you’ll use on a Cisco IOS switch. The concepts translate to other vendors, but the command syntax is Cisco‑centric because that’s what most 11.Day to day, 6. 4 labs use.

1. Secure the Management Plane

Before you even touch the data ports, lock down how you get into the switch.

! Enable local authentication
username admin secret StrongP@ssw0rd

! Use AAA for centralized control (RADIUS/TACACS+)
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

 Restrict VTY access to trusted IPs
line vty 0 4
 transport input ssh
 access-class 10 in
!
168.Day to day, 0 0. Still, 0. 10.ip access-list standard 10
 permit 192.0.

*Why this matters:* If an attacker can telnet in, everything else is moot. SSH + AAA + ACLs give you a solid first line.

### 2. Harden the Control Plane

The control plane is the brain of the switch. Unchecked traffic can flood it and make the device unresponsive.

```bash
! Create a class-map for control‑plane traffic
class-map match-any CP-TRAFFIC
 match protocol bgp
 match protocol ospf
 match access-group name CP-ACL

! Define a police policy (rate‑limit to 10 Mbps, burst 2 MB)
policy-map CP-POLICY
 class CP-TRAFFIC
  police 10000000 2000000 conform-action transmit exceed-action drop

! Apply to the control plane
control-plane
 service-policy input CP-POLICY

Real talk: Most people skip this step because they think “the control plane only talks to routers.” Wrong. A rogue host can flood CDP, LLDP, or even ARP and bring the switch to its knees Which is the point..

3. Enable Port Security

Port security is the bread‑and‑butter of 11.Because of that, 4. Day to day, 6. It limits how many MAC addresses can appear on a port and what happens when the limit is exceeded Most people skip this — try not to..

interface range GigabitEthernet1/0/1-24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
! Enable port security
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
!
! Optional: set a static MAC for critical devices
switchport port-security mac-address 00AA.BBCC.DDEE

Key points:

  • Maximum 2 lets you accommodate a laptop + a phone but blocks a third device.
  • Sticky MAC writes the learned address to the running config, so it survives a reboot.
  • Violation restrict drops offending frames but still logs the event—useful for forensic follow‑up.

4. Harden VLANs and Trunk Ports

A lot of attacks happen by slipping onto a trunk and sniffing all VLANs.

! Disable unused VLANs
vlan 100
 name UNUSED_VLAN
 shutdown

! Secure trunk ports
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Enable DTP pruning (if supported)
switchport trunk pruning vlan 10,20,30

Why you care: By explicitly listing allowed VLANs, you prevent a rogue device from advertising a VLAN that doesn’t exist on the core Worth keeping that in mind..

5. Deploy DHCP Snooping & Dynamic ARP Inspection (DAI)

If you run DHCP on the LAN, these two features stop a malicious host from handing out fake IPs or ARP replies.

! DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface range GigabitEthernet1/0/1-24
 ip dhcp snooping limit rate 100
interface GigabitEthernet1/0/25
 ip dhcp snooping trust

! DAI
ip arp inspection vlan 10,20,30
interface range GigabitEthernet1/0/1-24
 ip arp inspection limit rate 50
interface GigabitEthernet1/0/25
 ip arp inspection trust

Turns out a simple ARP spoof can let an attacker hijack traffic from an entire floor. DAI catches that before it spreads.

6. Enable Storm Control

Broadcast storms can cripple a switch in seconds.

interface range GigabitEthernet1/0/1-24
 storm-control broadcast level 30.00 40.00
 storm-control action shutdown

What most people miss: The “shutdown” action actually disables the port when the threshold is crossed, preventing the storm from propagating Less friction, more output..

7. Save and Verify

Never assume your changes are live.

write memory
show running-config | include security
show port-security interface GigabitEthernet1/0/1
show control-plane police
show ip dhcp snooping
show arp inspection

If any of those commands return “no such command,” you’re probably on an older IOS that needs a feature license. That’s a whole other rabbit hole, but worth noting.

Common Mistakes / What Most People Get Wrong

  1. Leaving VTP or CDP enabled on edge ports.
    Those protocols broadcast topology info that a rogue device can harvest. Turn them off with no cdp enable and no vtp enable on access ports Worth knowing..

  2. Using “protect” instead of “restrict” for port‑security violations.
    “Protect” silently drops frames and never logs. “Restrict” drops and logs, giving you an audit trail Less friction, more output..

  3. Forgetting to trust the uplink on DHCP snooping/DAI.
    If the uplink isn’t trusted, legitimate DHCP replies get discarded, and devices won’t get IP addresses Simple, but easy to overlook..

  4. Setting the maximum MAC count to 1 on ports that need two devices.
    A laptop + a VoIP phone is a common combo. One‑MAC policies cause unnecessary shutdowns Practical, not theoretical..

  5. Applying storm‑control only to broadcast traffic.
    Multicast storms can be just as destructive. Add storm-control multicast level if your environment uses video or IPTV Not complicated — just consistent. And it works..

  6. Not backing up the config after sticky MAC learning.
    Sticky MACs are stored in the running config, not the startup config, unless you save. A reboot wipes them out.

Practical Tips / What Actually Works

  • Document every “trust” statement. A quick spreadsheet of which ports are trusted for DHCP, DAI, and control‑plane policing saves you from a future “why is this port down?” panic.

  • Use a baseline script. Paste the entire block above into a text file, replace VLAN numbers and IP ranges, then run it with copy tftp://<server>/baseline.cfg running-config. Consistency beats ad‑hoc tweaks.

  • take advantage of Syslog and SNMP traps. Configure a central log server to capture PORT_SECURITY-2-PSECURE_VIOLATION and ARP-INSPECT-4-ARPINSPECT events. Real‑time alerts let you react before a rogue device spreads.

  • Test with a “bad” device. Plug a laptop with a spoofed MAC address into an access port and watch the logs. If the port shuts down as expected, you’ve got it right Easy to understand, harder to ignore..

  • Schedule a quarterly audit. Run show port-security address and compare against an inventory list. Any unknown MACs? Investigate immediately.

FAQ

Q: Do I need to enable both BPDU Guard and BPDU Filter on access ports?
A: BPDU Guard is enough to protect against accidental loops. BPDU Filter can hide the switch from legitimate spanning‑tree negotiations, which is risky. Stick with Guard unless you have a very specific reason Worth keeping that in mind. Nothing fancy..

Q: What’s the difference between “restrict” and “shutdown” for port‑security violations?
A: “Restrict” drops offending frames and logs the event; the port stays up. “Shutdown” puts the port into err‑disable state, requiring manual or timer‑based recovery Nothing fancy..

Q: Can I use the same configuration on a stack of switches?
A: Yes, but remember that some commands (like storm-control) are per‑interface. If you push a config to the stack master, it propagates, but verify each member with show running-config Took long enough..

Q: How does 802.1X fit into the 11.6.4 security model?
A: 802.1X is the gold standard for port authentication, but the module quiz often focuses on “basic” security (port security, DHCP snooping, etc.). If your environment supports it, enable it on top of the baseline for extra assurance.

Q: My switch says “Feature not enabled” when I try to configure DAI. What now?
A: You’re likely on a license that doesn’t include the “Advanced Security” feature set. Upgrade the IOS image or purchase the appropriate license It's one of those things that adds up..

That’s the whole picture. You’ve got the why, the how, the pitfalls, and the real‑world tricks that turn a textbook answer into a network you can actually rely on Most people skip this — try not to..

Now go fire up that lab, paste the commands, and watch the quiz question melt away. Good luck, and may your ports stay secure.

Brand New

New Stories

Fresh Off the Press

Related Corners

Before You Head Out

Thank you for reading about 11.6.4 Module Quiz - Switch Security Configuration: Exact Answer & Steps. We hope the information has been useful. Feel free to contact us if you have any questions. See you next time — don't forget to bookmark!
⌂ Back to Home