Unused Interface Shutdown
Lab Objectives
- Learn how to securely disable unused interfaces on access switches to reduce attack surface.
- Place unused ports into an unused VLAN to isolate accidental connections.
- Configure basic port-security on user access ports so only the attached device can use the port.
Tip: In production, disabling unused ports and placing them into an unused VLAN greatly reduces the chance an unauthorized device gets network access. Port-security limits how many and which MAC addresses a port will accept, which stops MAC-flooding attacks and casual device swaps and alerts you (violation counter and log message) when an unexpected MAC appears. It does not stop an attacker who clones the authorized MAC, so treat it as a baseline rather than as authentication; 802.1X is the stronger control where it is available.
Base Topology (use this exact topology for the lab; router interface IPs are shown where they are assigned)
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Task 1: Disable unused interfaces on S1
Identify the switch ports on S1 that are not connected to PC1 or PC2 and administratively shut them down. Leave the PC-facing ports enabled.
Parameters (do NOT show commands here):
- Use an interface-range to shut down all unused ports.
- Confirm the ports are administratively down.
Task 2: Put unused ports into an unused VLAN
Create VLAN 99 as the "unused VLAN" and assign the shut ports into VLAN 99 as access ports.
Parameters:
- Create VLAN 99 in the VLAN database.
- Configure the same interface-range as Task 1 to be access ports in VLAN 99.
Task 3: Configure port-security on access ports (PC-facing)
On S1, configure the PC-facing access ports so each learns and locks the MAC address of the attached PC.
Parameters:
- PC1 and PC2 live in VLAN 10 (Sales — 192.168.1.0/24).
- Configure port-security to allow 1 MAC, enable sticky learning, and use the default violation action (shutdown).
- Ensure the ports are not shutdown.
Think About It: If a user moves a laptop from PC1's port to an unused port that has been assigned to VLAN 99 and administratively shut, what two security benefits are achieved immediately? Why does assigning unused ports to VLAN 99 matter beyond just shutting them?
Lab Solution
Task 1 Solution: Disable unused interfaces on S1
What we are doing: We will administratively disable all ports on S1 that are not in use (not connected to PC1/PC2). This prevents accidental or malicious devices from immediately gaining network access.
! Enter global configuration on S1
configure terminal
! Create interface range for unused ports (example: E0/3 through E0/24)
interface range E0/3 - 24
shutdown
exit
What just happened:
- interface range E0/3 - 24: selects multiple interfaces so we can configure them all at once (saves time). Adjust the range to match the ports that are actually unused on your switch.
- shutdown: administratively disables the interfaces so they cannot pass traffic. This reduces the attack surface.
Verify:
show interfaces status
Expected output (excerpt, taken before Tasks 2 and 3 are applied, so every port is still in the default VLAN 1):
Port Name Status Vlan Duplex Speed Type
E0/1 connected 1 a-full a-100 10/100BaseTX
E0/2 connected 1 a-full a-100 10/100BaseTX
E0/3 disabled 1 auto auto 10/100BaseTX
E0/4 disabled 1 auto auto 10/100BaseTX
...
E0/24 disabled 1 auto auto 10/100BaseTX
The Status column shows disabled for shutdown interfaces. After Tasks 2 and 3 the Vlan column will show 99 for E0/3 to E0/24 and 10 for E0/1 and E0/2.
Task 2 Solution: Put unused ports into VLAN 99
What we are doing: We create VLAN 99 (the unused VLAN) and move the administratively down ports into that VLAN. Placing unused ports in a single, unused VLAN avoids accidental bridging into production VLANs if a port is re-enabled without proper provisioning.
configure terminal
vlan 99
exit
interface range E0/3 - 24
switchport mode access
switchport access vlan 99
shutdown
exit
What just happened:
- vlan 99: creates VLAN 99 in the VLAN database. This gives the switch a dedicated VLAN for unused ports. Do not use VLAN 1 for this; it is the default VLAN for every port.
- interface range E0/3 - 24: re-selects the same port range.
- switchport mode access: forces these to be access ports (not trunks), so a port that is later re-enabled cannot negotiate a trunk through DTP.
- switchport access vlan 99: places the ports into VLAN 99.
- shutdown: confirms they remain administratively disabled.
Verify:
show vlan id 99
Expected output:
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
99 VLAN0099 active E0/3, E0/4, E0/5, ..., E0/24
Also:
show running-config interface E0/3
Expected output (excerpt; IOS expands the short interface name):
interface Ethernet0/3
 switchport access vlan 99
 switchport mode access
 shutdown
Task 3 Solution: Configure port-security on access ports (PC-facing)
What we are doing: Configure PC-facing ports (E0/1 and E0/2) as access ports in VLAN 10 and enable port-security so each port will learn and lock the MAC address of the device connected. We use sticky MAC so the learned MAC is written into the running-config as a secure static entry; it survives a reboot only if you save the config afterwards (copy running-config startup-config).
configure terminal
interface range E0/1 - 2
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation shutdown
no shutdown
exit
What just happened (command-by-command):
- interface range E0/1 - 2: targets both PC-facing ports at once.
- switchport mode access: forces these ports into access mode (they carry a single VLAN). Port-security requires this; IOS rejects it on a dynamic (DTP) port.
- switchport access vlan 10: places the ports in VLAN 10 (Sales).
- switchport port-security: enables port-security on the interface (the core enforcement feature).
- switchport port-security maximum 1: restricts the port to a single MAC address. This is the default, so it will not appear in the running-config.
- switchport port-security mac-address sticky: the port learns the first MAC it sees and writes it into the running-config as a sticky secure entry.
- switchport port-security violation shutdown: err-disables the interface if a MAC other than the secured one is seen. This is also the default and will not appear in the running-config.
- no shutdown: ensures the ports are administratively up so the PCs can connect.
Verify:
show port-security interface E0/1
Expected output (example):
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.0001.aaaa:10
Security Violation Count : 0
To see a summary for all port-security enabled ports:
show port-security
Expected summary (excerpt; this command reports counts, not addresses):
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
E0/1 1 1 0 Shutdown
E0/2 1 1 0 Shutdown
To list the secured MAC addresses themselves, use show port-security address.
Real-world context: Sticky MACs simplify the initial rollout: the first device to connect is learned and locked without anyone typing MAC addresses. The trade-off is that a replacement laptop on the same port triggers a violation until the old sticky entry is cleared (clear port-security sticky interface E0/1, or remove the entry from the config), so this fits fixed desktop ports; wireless or roaming devices use different controls.
Troubleshooting Scenario
Scenario: PC2 cannot reach the VLAN 10 gateway (ping to 192.168.1.1 fails)
Symptom: PC2 has link light, but cannot ping the gateway. PC1 can ping gateway fine.
Your task: Find and fix the issue.
Hint: Compare the VLAN E0/2 is in with the VLAN E0/1 is in; show port-security interface E0/2 also reports the VLAN on which PC2's MAC was learned (the Last Source Address:Vlan line).
Solution:
- Check port configuration:
show running-config interface E0/2
- If the output shows switchport access vlan 99, the port was accidentally placed into the unused VLAN. Reconfigure:
configure terminal
interface E0/2
switchport access vlan 10
no shutdown
exit
- Verify with show interfaces status and show port-security interface E0/2. The PC should now be in the correct VLAN with a port-security entry.
Verification Checklist
- Unused ports on S1 are administratively down.
- Unused ports are assigned to VLAN 99.
- PC-facing ports are access ports in VLAN 10.
- Port-security is enabled with maximum 1 MAC and sticky addresses.
- No security violation counters are incremented.
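As an added example (this script is not part of the lab), the checklist above can be turned into an automated audit of a saved running-config that also prints the commands needed to fix each finding. The PC-port list, VLAN numbers and interface names mirror the lab and are assumptions; the config text is constructed and contains three deliberate defects, one of them the Troubleshooting Scenario's port parked in VLAN 99 while still up. Because maximum 1 and violation shutdown are IOS defaults and are not written to the running-config, the script does not treat their absence as a finding.

```python
# Added example, not from the lab: audit an IOS running-config against the
# verification checklist and produce the IOS commands that fix each finding.
# Interface names use the long form IOS writes to running-config (Ethernet0/1
# for the lab's E0/1). PC_PORTS, the VLANs and the sample are lab assumptions.
import re

PC_PORTS = {"Ethernet0/1", "Ethernet0/2"}  # PC1 and PC2 ports on S1
USER_VLAN = 10    # Sales
UNUSED_VLAN = 99  # parking VLAN for shut ports

# Constructed sample with three deliberate defects: E0/2 parked in VLAN 99 but
# left up, E0/4 never forced to access mode, E0/5 in VLAN 99 but not shut down.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0001.aaaa
!
interface Ethernet0/2
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface Ethernet0/3
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface Ethernet0/4
 switchport access vlan 99
 shutdown
!
interface Ethernet0/5
 switchport access vlan 99
 switchport mode access
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented body lines, stripped."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or another top-level line ends the stanza
    return stanzas


def access_vlan(lines):
    """Configured access VLAN; IOS defaults to VLAN 1 when the line is absent."""
    for l in lines:
        m = re.fullmatch(r"switchport access vlan (\d+)", l)
        if m:
            return int(m.group(1))
    return 1


def audit(config, pc_ports=PC_PORTS):
    """Return (interface, problem, fix command) tuples; an empty list is compliant."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        def flag(problem, fix, name=name):
            findings.append((name, problem, fix))
        vlan, is_shut = access_vlan(lines), "shutdown" in lines
        if name in pc_ports:
            if is_shut:
                flag("PC port is shut down", "no shutdown")
            if vlan != USER_VLAN:
                flag(f"PC port in VLAN {vlan}, expected {USER_VLAN}", f"switchport access vlan {USER_VLAN}")
            if "switchport port-security" not in lines:
                flag("port-security not enabled", "switchport port-security")
            elif "switchport port-security mac-address sticky" not in lines:
                flag("sticky learning not enabled", "switchport port-security mac-address sticky")
        else:
            if not is_shut:
                flag("unused port is not shut down", "shutdown")
            if vlan != UNUSED_VLAN:
                flag(f"unused port in VLAN {vlan}, expected {UNUSED_VLAN}", f"switchport access vlan {UNUSED_VLAN}")
            if "switchport mode access" not in lines:
                flag("not forced to access mode, DTP could negotiate a trunk", "switchport mode access")
    return findings


def remediation(findings):
    """Group findings per interface and return the IOS commands that fix them."""
    by_port = {}
    for name, _, fix in findings:
        by_port.setdefault(name, []).append(fix)
    cmds = []
    for name, fixes in by_port.items():
        cmds.append(f"interface {name}")
        cmds.extend(fixes)
    return cmds


if __name__ == "__main__":
    print("\n".join(f"{n}: {p}" for n, p, _ in audit(SAMPLE_CONFIG)))
    print("\n".join(remediation(audit(SAMPLE_CONFIG))))
```

To use it on a real switch, save the output of show running-config to a file and pass its contents to audit() in place of SAMPLE_CONFIG; the list returned by remediation() is exactly what you would paste under configure terminal. Ports that are neither in PC_PORTS nor meant to be unused (uplinks, for example) should be excluded before running the audit, since the script treats every non-PC port as one that should be parked.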
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| PC cannot reach gateway but link is up | Port assigned to VLAN 99 instead of VLAN 10 | Reassign port to VLAN 10: switchport access vlan 10 |
| Port-security shows 0 MACs learned | Ports are shutdown | no shutdown on the interface |
| Port goes err-disabled immediately after connecting a second device | switchport port-security maximum 1 with violation=shutdown | Remove the extra device (or raise maximum if two devices are legitimate); if the device was replaced, clear the stale entry with clear port-security sticky interface E0/x; then shutdown / no shutdown to recover the port |
Warning: When port-security violation mode is shutdown, the interface becomes err-disabled on violation and stays down until someone runs shutdown / no shutdown on it, unless automatic recovery is enabled globally with errdisable recovery cause psecure-violation (the delay is set with errdisable recovery interval <seconds>). Use shutdown-based violations in production only when you have an operational process to clear and re-enable ports; the restrict mode keeps the port up, drops frames from the offending MAC, and still logs and counts the violation.
Challenge Task
On S2 and S3, implement the same unused-port hardening (shutdown + VLAN 99) and configure port-security on their access ports but allow up to 2 MAC addresses per port to support a PC + VoIP phone. Do this without step-by-step guidance — decide which interfaces are PC and which are unused, and apply the same verification checks.