11.6.4 Module Quiz - Switch Security Configuration: Exact Answer & Steps

9 min read

Ever tried to crack open a switch’s security settings only to find yourself staring at a wall of commands you don’t even recognize?
That moment when the “module quiz – 11.6.4” pops up on your screen and you realize the exam is testing more than just rote memorization. It’s testing whether you actually know how to lock down a switch so the network stays safe, even when the unexpected happens Most people skip this — try not to. Turns out it matters..

Below is the guide that pulls together everything you need to ace that quiz and, more importantly, to walk away with a configuration you can trust in the real world.


What Is the 11.6.4 Module Quiz – Switch Security Configuration?

In plain English, the “11.6.4 module quiz” is a checkpoint in many networking certification tracks (think CCNA, CCNP, or vendor‑specific curricula) that zeroes in on switch security. The number isn’t random—it maps to the chapter in the official textbook where the author walks through securing a layer‑2 device And it works..

So when the exam asks you to “configure switch security,” it isn’t just looking for a single command. It wants you to demonstrate a holistic approach: port security, VLAN hardening, control‑plane policing, and a few hidden gems that keep rogue devices from taking over the LAN.

Think of it like a kitchen safety test. You could just remember to turn off the stove, but the instructor really wants to see you lock the gas valve, wear gloves, and keep a fire extinguisher handy. Same idea here—multiple layers, each covering a different threat vector That's the part that actually makes a difference..


Why It Matters / Why People Care

Network breaches start at the edge. A single compromised switch port can give an attacker a foothold, let them sniff traffic, or even launch a man‑in‑the‑middle attack across the entire campus Most people skip this — try not to. Still holds up..

Real‑world example: In 2022 a major university suffered a data leak because an unsecured switch port in a dorm allowed a student to plug in a rogue device. The breach went unnoticed for weeks, and sensitive research data was exfiltrated.

If you understand the security knobs covered in 11.6.4, you can:

  • Stop unauthorized devices from gaining network access.
  • Contain VLAN hopping attempts that try to jump across logical boundaries.
  • Protect the control plane from DoS attacks that could bring the whole switch down.

In practice, the difference between a “good enough” configuration and a truly hardened one is the gap between a network that stays online during a targeted attack and one that crashes under a simple mis‑plug But it adds up..


How It Works (or How to Do It)

Below is the step‑by‑step playbook you’ll use on a Cisco IOS switch. The concepts translate to other vendors, but the command syntax is Cisco‑centric because that’s what most 11.6.4 labs use That's the whole idea..

1. Secure the Management Plane

Before you even touch the data ports, lock down how you get into the switch.

! Enable local authentication
username admin secret StrongP@ssw0rd

! Use AAA for centralized control (RADIUS/TACACS+)
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

 Restrict VTY access to trusted IPs
line vty 0 4
 transport input ssh
 access-class 10 in
!
Now, ip access-list standard 10
 permit 192. In real terms, 168. Plus, 10. On the flip side, 0 0. 0.0.

*Why this matters:* If an attacker can telnet in, everything else is moot. SSH + AAA + ACLs give you a solid first line.

### 2. Harden the Control Plane

The control plane is the brain of the switch. Unchecked traffic can flood it and make the device unresponsive.

```bash
! Create a class-map for control‑plane traffic
class-map match-any CP-TRAFFIC
 match protocol bgp
 match protocol ospf
 match access-group name CP-ACL

! Define a police policy (rate‑limit to 10 Mbps, burst 2 MB)
policy-map CP-POLICY
 class CP-TRAFFIC
  police 10000000 2000000 conform-action transmit exceed-action drop

! Apply to the control plane
control-plane
 service-policy input CP-POLICY

Real talk: Most people skip this step because they think “the control plane only talks to routers.” Wrong. A rogue host can flood CDP, LLDP, or even ARP and bring the switch to its knees.

3. Enable Port Security

Port security is the bread‑and‑butter of 11.6.So 4. It limits how many MAC addresses can appear on a port and what happens when the limit is exceeded That's the part that actually makes a difference..

interface range GigabitEthernet1/0/1-24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
! Enable port security
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
!
! Optional: set a static MAC for critical devices
switchport port-security mac-address 00AA.BBCC.DDEE

Key points:

  • Maximum 2 lets you accommodate a laptop + a phone but blocks a third device.
  • Sticky MAC writes the learned address to the running config, so it survives a reboot.
  • Violation restrict drops offending frames but still logs the event—useful for forensic follow‑up.

4. Harden VLANs and Trunk Ports

A lot of attacks happen by slipping onto a trunk and sniffing all VLANs.

! Disable unused VLANs
vlan 100
 name UNUSED_VLAN
 shutdown

! Secure trunk ports
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Enable DTP pruning (if supported)
switchport trunk pruning vlan 10,20,30

Why you care: By explicitly listing allowed VLANs, you prevent a rogue device from advertising a VLAN that doesn’t exist on the core.

5. Deploy DHCP Snooping & Dynamic ARP Inspection (DAI)

If you run DHCP on the LAN, these two features stop a malicious host from handing out fake IPs or ARP replies.

! DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface range GigabitEthernet1/0/1-24
 ip dhcp snooping limit rate 100
interface GigabitEthernet1/0/25
 ip dhcp snooping trust

! DAI
ip arp inspection vlan 10,20,30
interface range GigabitEthernet1/0/1-24
 ip arp inspection limit rate 50
interface GigabitEthernet1/0/25
 ip arp inspection trust

Turns out a simple ARP spoof can let an attacker hijack traffic from an entire floor. DAI catches that before it spreads.

6. Enable Storm Control

Broadcast storms can cripple a switch in seconds The details matter here..

interface range GigabitEthernet1/0/1-24
 storm-control broadcast level 30.00 40.00
 storm-control action shutdown

What most people miss: The “shutdown” action actually disables the port when the threshold is crossed, preventing the storm from propagating.

7. Save and Verify

Never assume your changes are live That's the part that actually makes a difference..

write memory
show running-config | include security
show port-security interface GigabitEthernet1/0/1
show control-plane police
show ip dhcp snooping
show arp inspection

If any of those commands return “no such command,” you’re probably on an older IOS that needs a feature license. That’s a whole other rabbit hole, but worth noting It's one of those things that adds up..


Common Mistakes / What Most People Get Wrong

  1. Leaving VTP or CDP enabled on edge ports.
    Those protocols broadcast topology info that a rogue device can harvest. Turn them off with no cdp enable and no vtp enable on access ports.

  2. Using “protect” instead of “restrict” for port‑security violations.
    “Protect” silently drops frames and never logs. “Restrict” drops and logs, giving you an audit trail.

  3. Forgetting to trust the uplink on DHCP snooping/DAI.
    If the uplink isn’t trusted, legitimate DHCP replies get discarded, and devices won’t get IP addresses Took long enough..

  4. Setting the maximum MAC count to 1 on ports that need two devices.
    A laptop + a VoIP phone is a common combo. One‑MAC policies cause unnecessary shutdowns.

  5. Applying storm‑control only to broadcast traffic.
    Multicast storms can be just as destructive. Add storm-control multicast level if your environment uses video or IPTV.

  6. Not backing up the config after sticky MAC learning.
    Sticky MACs are stored in the running config, not the startup config, unless you save. A reboot wipes them out.


Practical Tips / What Actually Works

  • Document every “trust” statement. A quick spreadsheet of which ports are trusted for DHCP, DAI, and control‑plane policing saves you from a future “why is this port down?” panic.

  • Use a baseline script. Paste the entire block above into a text file, replace VLAN numbers and IP ranges, then run it with copy tftp://<server>/baseline.cfg running-config. Consistency beats ad‑hoc tweaks.

  • put to work Syslog and SNMP traps. Configure a central log server to capture PORT_SECURITY-2-PSECURE_VIOLATION and ARP-INSPECT-4-ARPINSPECT events. Real‑time alerts let you react before a rogue device spreads.

  • Test with a “bad” device. Plug a laptop with a spoofed MAC address into an access port and watch the logs. If the port shuts down as expected, you’ve got it right.

  • Schedule a quarterly audit. Run show port-security address and compare against an inventory list. Any unknown MACs? Investigate immediately.


FAQ

Q: Do I need to enable both BPDU Guard and BPDU Filter on access ports?
A: BPDU Guard is enough to protect against accidental loops. BPDU Filter can hide the switch from legitimate spanning‑tree negotiations, which is risky. Stick with Guard unless you have a very specific reason Practical, not theoretical..

Q: What’s the difference between “restrict” and “shutdown” for port‑security violations?
A: “Restrict” drops offending frames and logs the event; the port stays up. “Shutdown” puts the port into err‑disable state, requiring manual or timer‑based recovery.

Q: Can I use the same configuration on a stack of switches?
A: Yes, but remember that some commands (like storm-control) are per‑interface. If you push a config to the stack master, it propagates, but verify each member with show running-config.

Q: How does 802.1X fit into the 11.6.4 security model?
A: 802.1X is the gold standard for port authentication, but the module quiz often focuses on “basic” security (port security, DHCP snooping, etc.). If your environment supports it, enable it on top of the baseline for extra assurance Worth keeping that in mind..

Q: My switch says “Feature not enabled” when I try to configure DAI. What now?
A: You’re likely on a license that doesn’t include the “Advanced Security” feature set. Upgrade the IOS image or purchase the appropriate license.


That’s the whole picture. You’ve got the why, the how, the pitfalls, and the real‑world tricks that turn a textbook answer into a network you can actually rely on.

Now go fire up that lab, paste the commands, and watch the quiz question melt away. Good luck, and may your ports stay secure.

More to Read

The Latest

Picked for You

What Goes Well With This

Thank you for reading about 11.6.4 Module Quiz - Switch Security Configuration: Exact Answer & Steps. We hope the information has been useful. Feel free to contact us if you have any questions. See you next time — don't forget to bookmark!
⌂ Back to Home