# 🛡️ Cisco IOS Layer 2 Security Configuration Guide

This guide outlines key Layer 2 security features for Cisco switches running IOS. These features help protect against spoofing, flooding, unauthorized access, and misconfigurations at the access layer. Several of them build on one another: Dynamic ARP Inspection validates against the DHCP snooping binding table, and BPDU Guard is normally paired with PortFast, so enable them in the order presented here.
## 🔒 1. Port Security

Limits which, and how many, source MAC addresses a switch port will learn, and defines what happens when that limit is exceeded. It blunts MAC flooding (CAM table exhaustion) and stops unauthorized hubs or switches from being daisy-chained onto an access port. Because a MAC address is trivially spoofed, treat it as a hygiene control rather than host authentication; it does not replace 802.1X.

### Configuration

```cisco
interface FastEthernet0/1
 ! Port security can only be enabled on a static access (or trunk) port, not a dynamic (DTP) one
 switchport mode access
 switchport port-security
 ! Allow a single secure MAC address on this port
 switchport port-security maximum 1
 ! Learn the address dynamically and pin it into the running-config ("sticky")
 switchport port-security mac-address sticky
 ! On violation: drop the offending frames, count them, and log; the port stays up
 switchport port-security violation restrict
```

Sticky addresses are written into the running-config as `switchport port-security mac-address sticky <mac>` lines; save the configuration (`write memory`) or they are lost on reload.

### Violation Modes

- `protect`: silently drops frames from MAC addresses beyond the limit; no syslog message and no violation counter increment, so violations are invisible
- `restrict`: drops the frames, increments the violation counter, and sends a syslog message and SNMP trap; the port stays up
- `shutdown`: puts the port into the err-disabled state (default); it stays down until `shutdown`/`no shutdown` is issued or `errdisable recovery` brings it back

### Show Commands
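As an added example that is not part of the original guide, the following verifies the port-security configuration above and recovers a port that a `shutdown`-mode violation has err-disabled. The interface name, the sample MAC address and the 300-second recovery interval are assumed for illustration.

```cisco
! Added example (not from the original guide). FastEthernet0/1, the MAC address
! and the 300-second recovery interval are assumed for illustration.

! ---- Verification (privileged EXEC) ----
! One line per port-security port: max/current/violation counts and the action
show port-security
! Per-port detail: Port Status (Secure-up / Secure-shutdown), violation mode,
! "Last Source Address:Vlan" and the violation count
show port-security interface FastEthernet0/1
! Secure MAC table; sticky entries appear with type SecureSticky
show port-security address
! Sticky addresses appear in the running-config as explicit lines, e.g.
!   switchport port-security mac-address sticky 0050.56a1.2b3c
show running-config interface FastEthernet0/1
! Persist them; without this the learned addresses are lost on reload
write memory

! ---- Recovery after a 'shutdown'-mode violation (configuration mode) ----
! Option 1: bounce the err-disabled port by hand
interface FastEthernet0/1
 shutdown
 no shutdown
!
! Option 2: automatic recovery after the interval (no cause recovers by default)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Confirm which causes recover automatically and the interval in use
show errdisable recovery
! List every err-disabled port together with its cause
show interfaces status err-disabled
```

Automatic recovery is convenient on user-facing ports, but it also re-enables a port that an attacker keeps tripping; on ports where a violation should be investigated, leave recovery off and rely on the syslog message.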
## 📡 2. DHCP Snooping

Classifies each port as trusted or untrusted and drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, so a rogue DHCP server plugged into an access port cannot hand out addresses, a malicious default gateway, or a malicious DNS server. It also builds the DHCP snooping binding table (MAC, IP, VLAN, interface, lease) that Dynamic ARP Inspection relies on, and can rate-limit client DHCP traffic to blunt DHCP starvation attacks.

### Enable Globally

### Configure Trusted Ports

### Limit Rate

### Show Commands
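As an added example that is not part of the original guide, here is the complete DHCP snooping procedure the four headings above outline: global enablement, the trusted uplink, rate limiting on access ports, and verification. VLAN 10, the interface names, the rate of 10 packets per second, the database file name and the recovery interval are assumed for illustration.

```cisco
! Added example (not from the original guide). VLAN 10, the interface names,
! the 10 pps rate, the database file name and the recovery interval are assumed.

! ---- Enable globally ----
! Nothing is filtered until snooping is on both globally AND for the VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default. A DHCP relay that does not trust option 82
! with giaddr 0.0.0.0 drops such requests, so disable insertion unless the
! server/relay side is configured to accept it.
no ip dhcp snooping information option
! Persist the binding table so DAI still has state immediately after a reload
ip dhcp snooping database flash:dhcp-snooping.db

! ---- Trusted port: only the uplink toward the DHCP server ----
interface GigabitEthernet0/1
 description UPLINK-TO-CORE
 switchport mode trunk
 ip dhcp snooping trust

! ---- Untrusted access ports ----
! Server messages arriving here are dropped; client requests are capped at 10 pps
! so a starvation tool cannot flood DISCOVERs. Exceeding the cap err-disables the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10

! Optional: bring rate-limited ports back automatically
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300

! ---- Verify ----
! Global/VLAN state, option 82 setting, and per-interface trust and rate limit
show ip dhcp snooping
! The binding table: MAC, IP, lease, type, VLAN, interface
show ip dhcp snooping binding
! Forwarded/dropped counters, including drops of server messages on untrusted ports
show ip dhcp snooping statistics
! Status of the persisted database agent
show ip dhcp snooping database
```

Never trust a host-facing port "just to make DHCP work": if clients stop getting leases after enabling snooping, the usual causes are a missing `ip dhcp snooping vlan`, an untrusted uplink, or the option 82 interaction above.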
## 🕵️ 3. Dynamic ARP Inspection (DAI)

Intercepts ARP requests and replies on untrusted ports and drops any whose sender IP/MAC pair does not match the DHCP snooping binding table (or a static ARP ACL), defeating ARP cache poisoning and the man-in-the-middle attacks built on it. DAI therefore requires DHCP snooping to already be active on the VLAN; hosts with static addresses have no binding and must be permitted explicitly with an ARP ACL or they lose ARP entirely.

### Enable Globally

### Configure Trusted Ports

### Show Commands
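As an added example that is not part of the original guide, the following enables DAI for a VLAN on top of DHCP snooping, trusts the uplink, adds the optional packet-validity checks, and whitelists a static host. VLAN 10, the interface names, the rate limit, the ARP ACL name and the static host's IP/MAC are assumed for illustration.

```cisco
! Added example (not from the original guide). VLAN 10, the interface names,
! the ARP ACL name STATIC-HOSTS and the static host's addresses are assumed.

! ---- Enable per VLAN ----
! DHCP snooping must already be running on VLAN 10; with no bindings DAI drops ALL ARP
ip arp inspection vlan 10

! ---- Trusted port: the uplink toward other switches ----
! ARP from here is not inspected; the other switch is expected to run DAI itself
interface GigabitEthernet0/1
 ip arp inspection trust

! ---- Optional additional checks on the ARP packet itself ----
! src-mac: sender MAC in ARP body must equal the Ethernet source MAC
! dst-mac: target MAC in ARP replies must equal the Ethernet destination MAC
! ip: reject invalid/unexpected sender or target IPs (0.0.0.0, 255.255.255.255, multicast)
ip arp inspection validate src-mac dst-mac ip

! ---- Rate-limit ARP on untrusted ports (15 pps is the default) ----
! A burst beyond the limit err-disables the port, which is itself a useful alarm
interface range FastEthernet0/1 - 24
 ip arp inspection limit rate 15 burst interval 1

! ---- Static hosts have no DHCP binding: permit them via an ARP ACL ----
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
! The ACL is consulted first; anything it does not match falls through to the bindings
ip arp inspection filter STATIC-HOSTS vlan 10

! ---- Verify ----
! Enabled VLANs, validation settings, and the ACL applied per VLAN
show ip arp inspection vlan 10
! Trust state and rate limit of every interface
show ip arp inspection interfaces
! Forwarded / dropped / ACL-permitted / DHCP-permitted counters
show ip arp inspection statistics vlan 10
! Buffered log of dropped ARP packets (source port, sender IP/MAC)
show ip arp inspection log
```

A sudden jump in the dropped counter for one port, or an ARP rate-limit err-disable, is the signal to look for an ARP spoofing tool on that port rather than to raise the limit.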
## 🧯 4. BPDU Guard

Err-disables a PortFast (edge) port the moment a BPDU arrives on it. End hosts never send BPDUs, so a BPDU on an edge port means an unauthorized switch (or a bridging host) has been plugged in and could influence the spanning-tree topology, possibly taking over as root and pulling traffic through itself. The port stays down until it is bounced or recovered by `errdisable recovery`.

### Enable on Access Ports

### Enable Globally (for PortFast ports)

### Show Commands
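As an added example that is not part of the original guide, the following shows both ways to enable BPDU Guard (per port and globally for PortFast ports), what to do on the uplink instead, recovery, and verification. The interface names and the recovery interval are assumed for illustration.

```cisco
! Added example (not from the original guide). Interface names and the
! 300-second recovery interval are assumed for illustration.

! ---- Per port: PortFast plus BPDU Guard on a host-facing access port ----
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

! ---- Global: PortFast on all access ports, and BPDU Guard on every PortFast port ----
! 'spanning-tree portfast default' applies only to non-trunking (access) ports,
! so trunks are not accidentally made edge ports
spanning-tree portfast default
spanning-tree portfast bpduguard default

! ---- Uplinks ----
! Never put BPDU Guard on a trunk: it legitimately receives BPDUs and would be
! err-disabled. If the goal is to stop a downstream switch from becoming root,
! root guard is the tool for that port.
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard root

! ---- Recovery: otherwise the port stays err-disabled until shut / no shut ----
errdisable recovery cause bpduguard
errdisable recovery interval 300

! ---- Verify ----
! Summary reports "Portfast Default" and "PortFast BPDU Guard Default" as enabled
show spanning-tree summary
! Per-port detail includes "Bpdu guard is enabled" and the PortFast state
show spanning-tree interface FastEthernet0/1 detail
! Err-disabled ports with their cause (bpduguard)
show interfaces status err-disabled
show errdisable recovery
```

A port that keeps being err-disabled for `bpduguard` is worth a physical visit: something with a switch chip in it (an unmanaged desktop switch, an IP phone passing BPDUs, a misconfigured hypervisor bridge) is on the other end.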
## 🌩️ 5. Storm Control

Sets a per-port threshold for broadcast, multicast, or unicast traffic (as a percentage of port bandwidth, bits per second, or packets per second) and drops the excess for the remainder of the one-second measurement interval, containing loops, faulty NICs, and deliberate flooding before they exhaust the CPU or saturate the uplink. Optionally the port can be err-disabled or an SNMP trap raised when the threshold is crossed.

### Configure Broadcast Storm Control

### Show Commands
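As an added example that is not part of the original guide, the following configures broadcast storm control as the heading above describes and, going beyond it, multicast and unicast thresholds in the other supported units, plus the action and verification. The interface names, thresholds and recovery interval are assumed; real thresholds should come from a baseline of each port's normal traffic.

```cisco
! Added example (not from the original guide). Interface names, thresholds and
! the recovery interval are assumed for illustration; derive real thresholds
! from a baseline of each port's normal broadcast/multicast load.

interface range FastEthernet0/1 - 24
 ! Broadcast: start dropping above 1% of port bandwidth, resume below 0.5%
 ! (the falling threshold adds hysteresis so the port does not flap)
 storm-control broadcast level 1.00 0.50
 ! Multicast: thresholds in packets per second (rising 1000, falling 500)
 storm-control multicast level pps 1000 500
 ! Unicast flooding: threshold in bits per second
 storm-control unicast level bps 5000000
 ! Default action only drops the excess silently. 'trap' additionally sends an
 ! SNMP trap and syslog; 'shutdown' err-disables the port until it is recovered.
 storm-control action trap

! Only needed if 'storm-control action shutdown' is used
errdisable recovery cause storm-control
errdisable recovery interval 300

! ---- Verify ----
! "Filter State" is Forwarding or Blocking; "Upper"/"Lower" are the thresholds,
! "Current" the level measured over the last interval
show storm-control
show storm-control FastEthernet0/1 broadcast
show storm-control FastEthernet0/1 multicast
show storm-control FastEthernet0/1 unicast
```

Set the broadcast threshold well above the port's normal ARP/DHCP/NetBIOS chatter but far below line rate; a 1% broadcast level on a 100 Mb/s port is already about 1 Mb/s, which no healthy end host approaches.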
## ✅ Best Practices

- Use sticky MACs for persistent port security, and save the configuration so the learned addresses survive a reload
- Trust only uplink ports (toward the DHCP server and other switches) for DHCP snooping and DAI; never trust a host-facing access port
- Enable BPDU Guard on all edge (PortFast) ports, never on uplinks
- Monitor violation counters and err-disabled ports regularly, and decide deliberately per cause whether automatic errdisable recovery is acceptable
- Document VLANs, bindings, and trusted ports