Cisco IOS Layer 2 security cheat sheet: Port Security, Storm Control, DHCP Snooping, IP Source Guard, Dynamic ARP Inspection, and PoE. These features protect the switched network from MAC flooding, DHCP starvation, ARP spoofing, and unauthorized devices.
Port Security
Limits the number of MAC addresses allowed on a port and takes action when the limit is exceeded.
Port Security Configuration
| Command | Description |
|---|---|
| switchport mode access | Port must be in access mode for port-security |
| switchport port-security | Enable port-security on interface |
| switchport port-security maximum 5 | Allow up to 5 MAC addresses (default: 1) |
| switchport port-security mac-address sticky | Learn MAC addresses dynamically and keep them on reload |
| switchport port-security violation shutdown | Shut port when limit exceeded (default action; other: protect, restrict) |
| switchport port-security aging time 2 | Auto-remove dynamically learned MACs after 2 minutes |
| switchport port-security aging type absolute | Remove MAC after aging time regardless of activity |
| switchport port-security aging type inactivity | Remove MAC only if inactive for aging time |
| mls rate-limit layer2 port-security 100 10 | Rate-limit frames from attacker in protect/restrict mode |
| errdisable recovery cause psecure-violation | Auto-recover ports shut by port-security violation |
| clear port-security sticky | Clear learned sticky MAC addresses |
IP phone + PC on the same port:
Voice + Data VLAN with Port Security
| Command | Description |
|---|---|
| switchport port-security maximum 1 vlan access | Allow 1 MAC in the data VLAN (for PC) |
| switchport port-security maximum 1 vlan voice | Allow 1 MAC in the voice VLAN (for IP phone) |
| switchport port-security mac-address <mac> vlan voice | Statically allow the phone's MAC in voice VLAN |
| switchport port-security mac-address <mac> vlan access | Statically allow the PC's MAC in data VLAN |
Port Security Diagnostics
| Command | Description |
|---|---|
| show port-security | Global port-security status |
| show port-security int fa0/1 | Per-interface port-security status |
| show port-security address | MAC addresses protected by port-security |
Storm Control
Limit broadcast, multicast, or unicast flooding on a port.
Storm Control Configuration
| Command | Description |
|---|---|
| storm-control broadcast level 50 30 | Rising threshold 50%, falling 30% for broadcast |
| storm-control multicast level pps 30k 20k | Multicast limit: 30k pps rising, 20k falling |
| storm-control unicast level bps 30m | Unicast limit: 30 Mbps |
| storm-control action shutdown | Shut port when threshold exceeded (alt: trap) |
| show storm-control [broadcast|multicast|unicast] | Storm control statistics |
DHCP Snooping
Validates DHCP messages by distinguishing trusted (server-side) and untrusted (client-side) ports. Also builds the binding table used by IP Source Guard and DAI.
DHCP Snooping Configuration
| Command | Description |
|---|---|
| ip dhcp snooping | Enable DHCP snooping globally |
| ip dhcp snooping vlan 1 | Enable for VLAN 1 (configure per each VLAN) |
| ip dhcp snooping trust | Mark interface as trusted (uplink to DHCP server) |
| ip dhcp snooping limit rate 10 | Max 10 DHCP requests/second per port (anti-starvation) |
| no ip dhcp snooping verify mac-address | Disable MAC verification check (enabled by default) |
| ip dhcp relay information trusted | Trust DHCP relay info on SVI (for external DHCP servers) |
| ip dhcp relay information trust-all | Trust relay info on all SVIs |
| ip dhcp snooping binding <mac> vlan <id> <ip> interface <if> expiry <sec> | Add static entry to DHCP snooping binding table |
DHCP Snooping Diagnostics
| Command | Description |
|---|---|
| show ip dhcp snooping | Snooping settings and trusted ports |
| show ip dhcp snooping binding | IP–MAC–VLAN–interface binding table |
| show ip dhcp snooping statistics | Drop/forward counters |
IP Source Guard
Prevents IP spoofing by verifying source IPs against the DHCP Snooping binding table.
Requires DHCP Snooping to be enabled first.
IP Source Guard Configuration
| Command | Description |
|---|---|
| ip verify source vlan dhcp-snooping | Enable IP Source Guard on interface |
| ip source binding 00:E0:F7:EC:D0:10 vlan 1 192.168.1.1 interface fa0/4 | Manual binding for devices with static IPs (not in DHCP snooping table) |
| show ip verify source | IP Source Guard status per interface |
| show ip source binding | Manual IP–MAC binding entries |
Dynamic ARP Inspection (DAI)
Validates ARP packets against the DHCP Snooping binding table to prevent ARP spoofing / man-in-the-middle attacks.
Requires DHCP Snooping to be enabled first.
DAI Configuration
| Command | Description |
|---|---|
| ip arp inspection vlan 1 | Enable DAI for VLAN 1 (configure per each VLAN) |
| ip arp inspection trust | Mark interface as trusted (uplinks between switches) |
| ip arp inspection limit rate 2 | Max 2 ARP requests/second on interface |
| errdisable recovery cause arp-inspection interval 600 | Auto-recover DAI-blocked ports after 600 s |
Static ARP ACL for devices with static IPs (e.g., default gateway):
ARP ACL for Static Devices
| Command | Description |
|---|---|
| arp access-list ARP-EXCEPTIONS | Create ARP ACL |
| permit ip host 192.168.1.1 mac host 00:E0:F7:EC:D0:10 | Bind gateway IP to its real MAC — rejects ARP spoofing attempts |
| ip arp inspection filter ARP-EXCEPTIONS vlan 1 | Apply ARP ACL to VLAN |
| show ip arp inspection | DAI status and counters |
| show ip arp inspection interface | Which interfaces have DAI enabled |
PoE — Power over Ethernet
PoE IEEE Classes
| Class | Max PSE output | Note |
|---|---|---|
| Class 0 | 15.4 W | Default class (unclassified devices) |
| Class 1 | 4 W | Optional — low-power devices |
| Class 2 | 7 W | Optional |
| Class 3 | 15.4 W | Optional — standard 802.3af devices |
| Class 4 | 51 W | 802.3at (PoE+) only — not available on 802.3af switches |
PoE Configuration
| Command | Description |
|---|---|
| power inline auto | Auto-detect and power connected PD device |
| power inline never | Disable PoE on interface |
| power inline auto max <milli-watts> | Enable PoE with max wattage cap |
| show power inline | PoE status and remaining wattage per port |
Err-Disabled Recovery
Err-Disabled Port Recovery
| Command | Description |
|---|---|
| errdisable recovery cause all | Auto-recover ports for all err-disable causes |
| errdisable recovery interval 300 | Recovery timer (default: 300 s) |
| show interface fa0/1 status | Check if port is in err-disabled state |
| show errdisable recovery | Recovery timers per cause |
| show errdisable detect | Causes that can trigger err-disabled |
To manually recover: resolve the root cause →
shutdown→no shutdown.
Cisco IOS Command Reference | Switch Security