Port Security: Helps avoid CAM table flooding and ensures that only specific devices can connect to certain switch
ports. Common problems include being configured but not enabled, static MACs being wrong, max MACs,
violations blocking legit users, and running config not saved. Sticky MACs are only saved to the running config;
must write config to save across reboots.
if) switchport port-security !!! must be enabled. port must be in access mode!
if) switchport port-security maximum [max #] (vlan) !!! set max macs allowed. per vlan optional. def = 1.
if) switchport port-security mac-address [(mac) | sticky] !!! mac in dotted triple. if > 1, increase max.
if) switchport port-security violation [ shutdown | restrict | protect ]
  shutdown: default. puts port in “err-disabled” state, must be bounced or err-disable recovery used.
  restrict: port stays up, packets from violating macs dropped. switch can send snmp trap and syslog msg.
  protect: port stays up, violating macs have packets dropped, but no notifications/records.
sh port-security !!! shows per port counters and security action.
sh port-security interface [fx/x] !!! lists options and their settings.
sh port-security address !!! lists static macs (and stickys) configured. use to verify if static is correct.
sh int status !!! will show “err-disabled” ports.
sh errdisable detect !!! see if “psecure-violation” is enabled. it is by default.
config) errdisable recovery cause psecure-violation !!! to enable auto recovery.
sh errdisable recovery !!! to see if recovery is enabled for above. disabled by default. bottom shows ports.
“%pm-4-err_disable: psecure-violation error detected on [fx/x], putting [fx/x] in err-disable state”
“%port_security-2-psecure_violation: security violation occurred, caused by mac add [mac] port [fx/x]”
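Added worked example (not from the original notes): a complete port-security setup for one access port that ties the commands above together, including the err-disable recovery and the save step the notes warn about. The hostname Switch, interface Fa0/5, VLAN 10 and the recovery interval are placeholder values.

```cisco
! Added example, not from the original notes. Hostname, Fa0/5, VLAN 10 are placeholders.
Switch# configure terminal
Switch(config)# interface FastEthernet0/5
! Port security only works on a static access port (not dynamic/trunk).
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Enable the feature itself; the other port-security settings do nothing without it.
Switch(config-if)# switchport port-security
! Allow two MACs (e.g. IP phone plus PC); default is 1.
Switch(config-if)# switchport port-security maximum 2
! Learn the first two MACs dynamically and pin them in the running config.
Switch(config-if)# switchport port-security mac-address sticky
! Keep the default action (err-disable the port) so a violation shows in sh int status.
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
! Let the switch re-enable err-disabled ports after the interval (seconds) instead of a manual bounce.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify the learned MACs and the recovery setting, then save:
! sticky MACs live only in the running config until written.
Switch# show port-security interface FastEthernet0/5
Switch# show port-security address
Switch# show errdisable recovery
Switch# write memory
```

Choosing restrict instead of shutdown keeps the port up and still logs the violating MAC in the syslog message shown above; protect drops silently, so it leaves nothing for a SIEM to alert on.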
DHCP Snooping: Prevents rogue DHCP servers. Creates a binding table to keep track of which devices are
connected to which interfaces, based on the IP handed out by the DHCP server.
config) ip dhcp snooping !!! enable globally.
config) ip dhcp snooping vlan [#] !!! additionally enable for specific vlans.
if) ip dhcp snooping trust !!! trust interfaces connected to dhcp servers or uplinks.
if) ip dhcp snooping limit rate [ pkts/sec ] !!! to limit dos attacks on untrusted ports. optional.
config) no ip dhcp snooping information option !!! disable option 82 if server does not support it.
sh ip dhcp snooping !!! shows if enabled, on what vlans, if 82 is enabled, trusted interfaces, rate limit.
sh ip dhcp snooping binding !!! shows binding table of macs and ips, lease, type, vlan, and interfaces.
Dynamic ARP Inspection: Layer 2. Prevents ARP spoofing (MITM attacks) by using DHCP Snooping’s binding table.
When it detects an invalid ARP request or response incoming on an untrusted interface, it drops the packet and
generates the syslog message “%SW_DAI-4-DHCP_SNOOPING_DENY: 1 invalid ARPs (req) on [fx/x], vlan [x].”
Verify with sh ip arp inspection.
config) ip arp inspection vlan [#] !!! enable dai.
if) ip arp inspection trust !!! interfaces where dai should not be performed. switch uplinks or static ips.
IP Source Guard: Layer 3. Prevents IP spoofing. Uses DHCP Snooping’s binding table. If a source IP is received on an
incorrect interface, the switch drops the traffic. Exempt static interfaces.
if) ip verify source (port-security) !!! enable. add the port-security keyword to check the source mac as well; requires port sec!
sh ip verify source !!! shows interface, filter type, mode, ip, mac, and vlan.
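Added worked example (not from the original notes) covering the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard sections together, since all three depend on the same binding table. The hostname, interface names, VLAN 10, the rate limit and the static host's MAC/IP are placeholders. The `ip source binding` command is not in the notes; it is standard IOS syntax for adding a manual entry so a statically addressed host can stay filtered instead of being trusted outright.

```cisco
! Added example, not from the original notes. Hostname, interfaces, VLAN 10 and the
! static host's MAC/IP (0011.2233.4455 / 192.168.10.50) are placeholders.
Switch# configure terminal
! 1. DHCP snooping: global enable, then the VLAN(s) to inspect.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Stop inserting option 82 if the DHCP server rejects it (symptom: clients get no lease).
Switch(config)# no ip dhcp snooping information option
! Uplink toward the DHCP server: trusted for snooping and ARP inspection, no rate limit.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
! Access ports: untrusted (default), rate-limited, source IP and MAC checked against bindings.
Switch(config)# interface range FastEthernet0/1 - 23
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# ip dhcp snooping limit rate 15
! The port-security keyword adds a MAC check, so port security must be enabled on the port.
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# ip verify source port-security
Switch(config-if-range)# exit
! 2. DAI reads the same binding table; enable it per VLAN once snooping is populating it.
Switch(config)# ip arp inspection vlan 10
! 3. A statically addressed host never gets a snooping entry, so add a manual binding
!    for it (assumed static host on Fa0/24) rather than trusting the port.
Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip verify source
Switch(config-if)# exit
Switch(config)# ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface FastEthernet0/24
Switch(config)# end
! Verify each layer, then save.
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection
Switch# show ip verify source
Switch# write memory
```

Order matters operationally: if DAI or IP Source Guard is enabled on a VLAN before the snooping table has entries for existing hosts, their ARP and IP traffic is dropped until they renew a lease, which is the usual cause of "everything broke when I turned it on".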
Protected Ports: Denies all traffic from flowing between devices connected to interfaces within the same VLAN, on
the same switch. Protected ports can only communicate with ports that are not protected ports.
if) switchport protected !!! must be enabled on both ports.
sh int [fx/x] switchport !!! at end, “protected: true/false.”
Private VLANs: Use a single IP subnet (saves IPs) across multiple VLANs while still maintaining traffic isolation
boundaries at L2. Breaks up a single Primary VLAN into multiple non-overlapping Secondary VLANs. VTP v1 & v2
won’t work, use “transparent” mode. Configuration is locally significant; configure on each switch that is
interconnected.
sh int private-vlan mapping !!! interfaces, secondary #, type.
sh vlan private-vlan !!! primary, secondary, type, ports.
sh int [fx/x] switchport !!! admin/operation mode, access mode vlan, host association, operational pvlan.
Secondary: Can communicate with ports on the Primary VLAN, but not with any other Secondary VLAN. Shares
the same IP subnet as the Primary, but each uses an individually assigned VLAN ID, which is associated with
the Primary VLAN. Trunking Secondary VLANs across trunk links is supported by most switches. Two types:
vlan) private-vlan [ community | isolated ]
Community: Isolates hosts between different Community VLANs while allowing hosts within the same
Community to communicate with one another, as well as the Promiscuous port. Same behavior as a normal
VLAN. Multiple Community VLANs can be created and associated to the same Primary VLAN.
Isolated: Hosts aren’t able to communicate with other Isolated/Community ports, only the Promiscuous port.
Only one Isolated VLAN can be associated per Primary VLAN; multiple hosts are assigned to the same
Isolated VLAN with their traffic separated.
Primary: A normal VLAN used as the basis for a PVLAN, represents the set of Secondary VLANs to the outside
world. 1 per PVLAN, all Secondary’s share the same Primary and broadcast domain.
vlan) private-vlan primary
vlan) private-vlan association [2nd vlan (list | add | remove)]
Promiscuous Ports: Special ports assigned to the Primary VLAN that can communicate with any port within any
(mapped) Secondary VLAN. Allows shared devices (routers, firewalls, printers, or other gateway devices) to
communicate with Secondary VLAN ports, usually connected to the default gateway or an SVI. Assign port as
promiscuous and do vlan mapping.
if) switchport mode private-vlan promiscuous !!! make interface promiscuous and do mapping below.
if) switchport private-vlan mapping [pri vlan] [2nd vlan ( list | add | remove )]
if) private-vlan mapping [2nd vlan ( list | add | remove )] !!! on primary vlan’s svi.
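Added worked example (not from the original notes): one complete Private VLAN build on a single switch, covering the Primary, one Isolated and one Community Secondary, the promiscuous uplink and the SVI mapping. VLAN numbers, interface names, hostname and the subnet are placeholders. The host-side commands (`switchport mode private-vlan host` and `switchport private-vlan host-association`) are not in the notes; they are the standard IOS syntax for putting an access port into a Secondary VLAN.

```cisco
! Added example, not from the original notes. VLAN 100/101/102, interfaces, hostname and
! 192.168.100.0/24 are placeholders.
Switch# configure terminal
! VTP v1/v2 will not carry PVLANs; go transparent before defining them.
Switch(config)# vtp mode transparent
! Primary VLAN: the one the outside world sees.
Switch(config)# vlan 100
Switch(config-vlan)# name PVLAN-PRIMARY
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
! Isolated secondary: hosts here talk only to the promiscuous port (one per primary).
Switch(config)# vlan 101
Switch(config-vlan)# name PVLAN-ISOLATED
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
! Community secondary: hosts here talk to each other and to the promiscuous port.
Switch(config)# vlan 102
Switch(config-vlan)# name PVLAN-COMMUNITY
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
! Associate both secondaries with the primary.
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan association 101,102
Switch(config-vlan)# exit
! Host ports: each is bound to the primary plus one secondary.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101
Switch(config-if)# exit
Switch(config)# interface range FastEthernet0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102
Switch(config-if-range)# exit
! Promiscuous port toward the gateway/firewall: mapped to every secondary it must reach.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102
Switch(config-if)# exit
! If the switch itself is the gateway, the primary SVI needs the same mapping.
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
Switch(config-if)# private-vlan mapping 101,102
Switch(config-if)# end
! Verify: secondary types and port membership, then per-port operational mode.
Switch# show vlan private-vlan
Switch# show interfaces private-vlan mapping
Switch# show interfaces FastEthernet0/1 switchport
Switch# write memory
```

With this layout Fa0/1 (isolated) can reach only Gi0/1 and the SVI, Fa0/2 and Fa0/3 (same community) can reach each other plus Gi0/1 and the SVI, and all of them share 192.168.100.0/24 without being able to frame each other at Layer 2, which is the isolation the notes describe.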
