The network edge (where users plug in) is the most vulnerable point. Port security mechanisms bind physical switch ports to specific MAC addresses or require cryptographic authentication, preventing rogue devices and unauthorized access.
Port security limits the number of MAC addresses allowed on a port. 'Sticky MAC' dynamically learns the first connected device's MAC and converts it to a static configuration, locking out any subsequent unauthorized devices.
💡 Pro-tip: Configure the violation mode to restrict or shutdown. protect drops packets but doesn't alert or log the violation, leaving you blind to physical intrusion attempts.
With a sticky limit of one address, the port is locked to a single device. If an unauthorized laptop or rogue switch is plugged in, a port in shutdown violation mode immediately err-disables (shuts down).
MAC addresses are trivial to spoof. 802.1X (Network Access Control) requires the endpoint to authenticate via EAP (e.g., certificates or Active Directory credentials) before the switch enables the port for data traffic.
⚠️ Deploying 802.1X without a robust Public Key Infrastructure (PKI) or fallback mechanism (like MAC Authentication Bypass for printers) will cause massive outages for headless IoT devices.
| Method | Security | Complexity |
|---|---|---|
| MAC Limit | Low (Spoofable) | Low |
| Sticky MAC | Medium | Low |
| 802.1X | High (Crypto) | High (Requires RADIUS) |
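An added example, not from the original lab, in Cisco IOS syntax: the weak port-security setting (protect) next to the hardened form (restrict/shutdown with err-disable recovery), followed by an 802.1X port with MAB fallback for headless devices. Interface names, VLAN 10, the RADIUS server name and its 192.0.2.10 address are assumed placeholders; the shared secret must be replaced.

```cisco
! --- Weak: sticky MAC with 'protect' (drops silently, no syslog or SNMP trap)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation protect
!
! --- Hardened: 'restrict' drops, logs and counts violations; 'shutdown' err-disables
interface GigabitEthernet1/0/10
 switchport port-security violation restrict
! (or) switchport port-security violation shutdown
!
! Recover err-disabled ports automatically so a violation is not a permanent outage
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- 802.1X (EAP via RADIUS) with MAC Authentication Bypass fallback
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server NAC-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 mab
!
! --- Verification
! show port-security interface GigabitEthernet1/0/10
! show authentication sessions interface GigabitEthernet1/0/11
```

The restrict mode raises a %PORT_SECURITY violation syslog and increments the counter shown by show port-security, which is the signal protect mode never gives you.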