
Cisco switch security features cheatsheet

Shahriar

Cisco switches (running IOS) have plenty of features that are critical to modern networks. Some of them are security features that eliminate several important attack vectors on layer 2. This is arguably the most important defence mechanism, because ACLs and security mechanisms in software (layer 7) will sometimes fall short of protecting the network due to the extreme complexity of communication at that layer. So the earlier you close the holes, the better!

As an example, security features like protected ports can effectively harden against lateral movement in Windows networks (Active Directory domains), while being dead simple compared to more advanced methods implemented on top of Active Directory itself.

In this post I will give you the commands needed to implement some security features on a Cisco switch, in a cheat-sheet-like manner.

It is important to fully understand what each feature does, as failing to do so and running the commands blindly may cause disruption in your network. Just look up each one and read about it. 🙂

Reading the official Cisco CCNP books is highly recommended!

Port Security

These two commands show you port-security stats and make troubleshooting easier:

DHCP Snooping

Related show command:

Dynamic ARP Inspection

Related show command:

IP Source Guard

  • It requires DHCP snooping (or static IP/MAC bindings)

Port based:

Creating manual entries:

Related show command:

Protected ports

Ports that cannot communicate with each other directly.

Spanning Tree root guard

  • with Spanning Tree PortFast

Storm Control
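Since the post's own command listings did not survive on this page, here is an added, constructed access-layer configuration (not the author's commands) that wires the features above together in the order they depend on each other: DHCP snooping builds the binding table that Dynamic ARP Inspection and IP Source Guard consult, and port security, protected ports, root guard with PortFast, and storm control are then applied to the same access ports. VLAN 10, the interface numbers and the static binding's MAC/IP are assumed values.

```cisco
! --- Global: DHCP snooping builds the binding table everything else trusts ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Dynamic ARP Inspection checks ARP replies against that binding table ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! --- Static binding for a host that never uses DHCP (constructed values) ---
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/5
!
! --- Uplink towards the DHCP server: the only port allowed to answer DHCP/ARP unchecked ---
interface GigabitEthernet1/0/1
 description UPLINK
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports: untrusted, rate-limited, locked to the hosts they learn ---
interface range GigabitEthernet1/0/2 - 24
 description ACCESS
 switchport mode access
 switchport access vlan 10
 ! DHCP snooping: an untrusted port may send at most 15 DHCP packets per second
 ip dhcp snooping limit rate 15
 ! Port security: two sticky MACs; extra senders are dropped and logged, port stays up
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! IP Source Guard: only source IPs present in the binding table may transmit
 ip verify source
 ! Protected port: no direct traffic between two protected ports on this switch
 switchport protected
 ! Spanning tree: edge port, and never accept a superior BPDU that would move the root
 spanning-tree portfast
 spanning-tree guard root
 ! Storm control: cap broadcast at 1% and multicast at 5% of link speed, alert via SNMP
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
!
! --- Verification (the related show commands) ---
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
! show port-security
! show port-security interface GigabitEthernet1/0/2
! show storm-control
```

Order matters when applying this: enable DHCP snooping and trust the uplink before turning on DAI or `ip verify source`, otherwise hosts on untrusted ports have no binding and lose connectivity until they renew their lease.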

I hope you like this post.

I am looking forward to improving this post using your contributions in a wiki-like manner. So if you think of any other feature that would be nice to include in this post, please comment or email me and I will add it here. Thanks 🙂
