Quiz Entry - updated: 2026.07.05
What is the first step in securing a switch, and how do you disable unused ports efficiently?
The first step is to disable all unused ports using the shutdown command. Use interface range to configure multiple ports at once.
Why disable unused ports?
- Layer 2 attacks are easy to deploy — an attacker just needs physical access to an open port
- An unused port that's left enabled is an open invitation for unauthorized devices
- All ports should be secured before the switch is deployed for production use
Disabling a range of unused ports:
Switch(config)# interface range FastEthernet 0/8 - 24
Switch(config-if-range)# shutdown
Additional best practices for unused ports:
- Assign them to an unused "black hole" VLAN (Virtual Local Area Network):
switchport access vlan 999 - Set them explicitly to access mode:
switchport mode access - This way, even if someone re-enables a port, it's in an isolated VLAN
Re-enabling a port later:
Switch(config)# interface FastEthernet 0/8
Switch(config-if)# no shutdown
Tip: In practice, "secure unused ports" almost always means: shutdown + assign to unused VLAN + set to access mode.
Go deeper:
Securing Unused Ports (PivIT Global) — the layered practice: shutdown + access mode + black-hole VLAN, with interface-range examples.