Watch first
Security Fundamentals (Day 48)
Video credit: Jeremy's IT Lab
Watch on YouTubePort Security (Day 49)
Video credit: Jeremy's IT Lab
Watch on YouTubePlain-English explanation
Device hardening reduces attack surface — strong passwords, disable unused services, use SSH not Telnet, restrict management access with ACLs, and log to Syslog.
Layer 2 security stops switches from being abused — port security limits which MACs can appear on a port; BPDU Guard shuts access ports that receive BPDUs (someone plugged in a switch); DHCP snooping mitigates rogue DHCP servers.
Deep dive

Port security limits learned MAC addresses on access ports.
Supplementary figure from Panagiss CCNAmd

Out-of-band vs in-band management plane.
Supplementary figure from Panagiss CCNAmd
Additional topic reference
Management hardening checklist:
service password-encryption- Local user +
login localor AAA transport input sshon VTY linesbanner motdlegal notice- Disable unused ports (
shutdown) and put in unused VLAN
Port security modes:
| Violation mode | Behavior | |----------------|----------| | Protect | Drop violating traffic, no shutdown | | Restrict | Drop + increment counter + SNMP trap | | Shutdown | Err-disable port (common lab default) |
AAA overview: Authentication (who), Authorization (what), Accounting (log) — TACACS+ for admin, RADIUS for 802.1X common in enterprise.
Step-by-step — port security on access port
interface GigabitEthernet0/5
switchport mode access
switchport access vlan 20
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown
Connect one PC — sticky learns MAC. Second unauthorized device triggers err-disable.
Recover: shutdown then no shutdown after fixing cause.
Commands to know
hostname SW1 ip domain-name lab.local crypto key generate rsa modulus 2048 ! line vty 0 15 transport input ssh login local
show port-security show port-security interface GigabitEthernet0/5 show errdisable recovery
Troubleshooting
| Issue | Check |
|-------|-------|
| Port err-disabled | show port-security — violation; show interfaces status err-disabled |
| Cannot SSH | Keys missing, VTY ACL, wrong version |
| DHCP random clients | Rogue server — DHCP snooping + trusted uplink |
| Unexpected STP topology | BPDU filter/guard misapplied |
Document errdisable recovery policy — auto-recovery vs manual fix.
Exam relevance
Port security applies to access ports, not typical trunk uplinks — putting BPDU Guard on access ports prevents user switch loops.
sticky learns and writes MAC to running config — survives reload if saved.
Practice checklist
- Configure SSH-only VTY access on lab router
- Enable port security with sticky MAC on one port
- Explain BPDU Guard vs Root Guard purpose difference
- List three hardening steps beyond passwords
- Recover an err-disabled port correctly
Which port security violation mode shuts down the port?
Which protocol should replace Telnet for encrypted management?