This article covers the Infrastructure Security section from the CCNA Routing and Switching exam. The exam consists of 60-70 questions. Since the Infrastructure Security section represents 11% of the entire curriculum, you can expect six to eight questions on those topics.

We will cover port security, access layer threat mitigation techniques, access control lists (ACLs), basic device hardening and device security using AAA. The first two topics are exclusively applicable to switches, and we will deal first with port security.

Configuration, Verification and Troubleshooting Port Security

It is important to understand what port security is so that you can recognize whether you are dealing with a question related to that subject. You will need to know through which methods a host can get access to the network after port security is activated and what the difference is between them; more specifically, which method requires manual configuration of the secure Media Access Control address (MAC) and which does not.

You should be aware that it is possible to specify how many MAC addresses can be learned over a given port. With regards to a sticky MAC, you will need to know what happens with a MAC address that is learned over the port where sticky was enabled and how the switch configuration is affected when a sticky MAC is learned.

Everything is fine until someone unauthorized tries to access the network. In that case, it is important to know what happens right after the unauthorized access attempt, which is where the violation actions come in: they determine what the switch does with that port. You should have a clear understanding of what each of the three violation actions means. In addition, you should know the default values for the maximum number of MAC addresses and the violation type when the minimum port security configuration is enabled on a port.

As for port security configuration, keep in mind that the port has to be an access port first; after that, port security can be enabled. For verification, there is the possibility of getting a brief status of port security at switch level or at interface level for detailed information.

The most common issues with port security are caused by human error: specifically, cases where the number of allowed MAC addresses differs from what was expected, or where a MAC address was typed incorrectly. That’s why, when troubleshooting a port security issue, it’s a good idea to compare the configuration of the interface with the operational output.

One last port security concern: you should be familiar with the state an interface is put in when the shutdown violation action is configured on the port and a violation occurs, and you should know how to recover from this state.
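The whole port security procedure above (configure, verify, recover) in one added IOS example; it is not from the original article, and the interface name, MAC address and the sample output are constructed for illustration:

```cisco
! Constructed example: secure an access port, learn up to two MAC addresses
! dynamically and keep them in the running configuration (sticky).
! The port must be an access port before port security can be enabled.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Defaults after the line above: maximum 1 address, violation shutdown.
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
! Alternatively, pin a specific address by hand (no sticky needed):
! switchport port-security mac-address 0011.2233.4455
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
!
! Once a host sends a frame, the sticky address is written into the
! running-config (save it with "write memory" to keep it across reloads):
Switch# show running-config interface GigabitEthernet0/1
 switchport port-security mac-address sticky 0011.2233.4455
!
! Verification: switch-wide summary, then per-interface detail.
Switch# show port-security
Switch# show port-security interface GigabitEthernet0/1
! Constructed excerpt of the detail output after a violation; compare the
! "Maximum MAC Addresses" and "Violation Mode" lines with the configuration:
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Last Source Address:Vlan   : 0066.7788.99aa:10
Security Violation Count   : 1
!
! Recovery from the err-disabled state: bounce the port by hand ...
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
! ... or let the switch re-enable it automatically after 300 seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
```

The other two violation actions, protect and restrict, keep the port up and only drop offending frames; restrict additionally logs and counts the violation, which is what makes it visible in the output above.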

Access Layer Threat Mitigation Techniques

The next topic is access layer threat mitigation techniques. Again, this concerns how to restrict network access to only authorized devices.

The first level of security is dot1x. You should clearly understand the role of a supplicant, authenticator and authentication server.

The next level of security is DHCP snooping. In order to understand the purpose of DHCP snooping, you need to know what the DHCP messages are and in which order they are exchanged between a DHCP client and a DHCP server. Also, make sure you understand what trusted and untrusted interfaces are and which devices can be connected to each of the two types of interface. One other key item you should be aware of is the DHCP snooping database and what it contains.

The focus for this section should be on understanding dot1x and DHCP concepts, because the configuration for dot1x and DHCP snooping is not part of the exam. This particular subsection is pretty straightforward and is mostly built on other features like DHCP, which is already covered by the infrastructure services section of the syllabus.
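The trusted/untrusted distinction and the binding database described above, as an added IOS example (not part of the original article; VLAN, interface numbers and rate limit are assumptions):

```cisco
! Constructed example: only the uplink toward the DHCP server is trusted;
! every access port stays untrusted, so DHCP server messages (OFFER/ACK)
! arriving there are dropped and a rogue server cannot answer clients.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Drop option 82 insertion unless the upstream relay/server expects it.
Switch(config)# no ip dhcp snooping information option
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# description Uplink toward DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! Untrusted access ports: cap client DISCOVER/REQUEST rate to blunt starvation.
Switch(config)# interface range GigabitEthernet0/1 - 23
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# end
!
! Verification: which VLANs/interfaces are trusted, then the binding
! database built from observed DHCP exchanges (MAC, IP, lease, VLAN, port).
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

The binding table is the part to remember: features such as DAI and IP Source Guard consult it to decide whether an ARP reply or a source IP on a port is legitimate.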

Configuration, Verification and Troubleshooting IPv4 and IPv6 Access List

Probably the most important topic of this section is the ACL. When preparing for this topic, you should review the port numbers and protocols of the most common applications. When dealing with ACLs, you usually block specific applications, so you need to know the port numbers. Of course, you might get the port numbers or the port names from the CLI context help, but this is not always available.

Regarding the specifics of ACLs, you should clearly identify the differences between the three types of ACL. One of them can filter only on the source address, while the others filter with more granularity. In addition, depending on the ACL type, one must be configured closer to the protected resources, while the others should be configured as close as possible to the source that tries to access the protected resources.

One other thing you should be aware of is the ACL number intervals and what intervals are allocated to the specific types of ACLs.

Always remember the implicit rule at the end of every ACL: traffic that does not match a permit rule is dropped, so an ACL with no permit rule drops all traffic, and the order of the rules matters. Also, an ACL might be the reason why you can access one port on a host but cannot access another port on the same host.

It is important to understand the traffic flow in the network based on the way the ACL will be built and applied to the correct direction on the interface. You should also be aware that there is a possibility of identifying a blockage between two devices in the network using a trace analysis tool like APIC-EM.

With regard to troubleshooting ACLs, most problems happen because the rules’ order is forgotten and the traffic matches a rule with a lower sequence number instead of the intended one. Another thing to pay attention to is how the ACL is attached to the interface: a simple typo can attach a non-existent ACL and trigger unexpected behavior.
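An added IOS example (not from the original article) that ties the ACL points above together: one host reachable on one port but not another, rule order, placement by ACL type, the IPv6 equivalent and the verification commands. Addresses, names and interfaces are constructed.

```cisco
! Constructed topology: R1 Gi0/0 faces the 192.168.1.0/24 user LAN; the web
! server 10.1.1.10 is behind Gi0/1. Goal: users reach the server on TCP/80
! but not on TCP/22. An extended ACL (source, destination, protocol, port)
! is placed close to the source, so it goes inbound on Gi0/0.
R1(config)# ip access-list extended USERS-TO-WEB
R1(config-ext-nacl)# 10 deny   tcp 192.168.1.0 0.0.0.255 host 10.1.1.10 eq 22
R1(config-ext-nacl)# 20 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.10 eq 80
R1(config-ext-nacl)# 30 permit icmp 192.168.1.0 0.0.0.255 any echo
! Anything else falls through to the implicit "deny ip any any".
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group USERS-TO-WEB in
R1(config-if)# exit
! Order matters: if line 20 were "permit tcp ... host 10.1.1.10" (no port)
! and sat before the deny, SSH would match it first and line 10 never hits.
!
! Numbered ranges: standard 1-99 and 1300-1999 (source address only),
! extended 100-199 and 2000-2699. A standard ACL cannot name the destination,
! so it is placed close to it: outbound on Gi0/1 toward the server.
R1(config)# access-list 10 deny   host 192.168.1.50
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group 10 out
R1(config-if)# exit
!
! IPv6 ACLs are always named and are applied with "ipv6 traffic-filter".
R1(config)# ipv6 access-list USERS-TO-WEB-V6
R1(config-ipv6-acl)# deny   tcp 2001:db8:1::/64 host 2001:db8:10::10 eq 22
R1(config-ipv6-acl)# permit tcp 2001:db8:1::/64 host 2001:db8:10::10 eq 80
R1(config-ipv6-acl)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ipv6 traffic-filter USERS-TO-WEB-V6 in
R1(config-if)# end
!
! Verification: per-line hit counters show which rule the traffic matched,
! and the interface view shows which list is really attached, in which direction.
R1# show ip access-lists USERS-TO-WEB
R1# show ip interface GigabitEthernet0/0 | include access list
! A typo such as "ip access-group USER-TO-WEB in" is accepted by IOS, but a
! list that does not exist filters nothing, so all traffic is permitted.
```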

Basic Device Hardening

Another important security topic is how to harden device security. You should know how to configure a username and password for local authentication and how to ensure (via encryption) that a password does not show up in clear text in the configuration.

You should be able to identify the differences between local authentication and TACACS authentication, and how to configure each of them.

Regarding access to the device, you must be able to configure separate authentication for console access and VTY access. For the latter, you will need to know how to allow telnet or SSH over VTY lines.
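The local-authentication hardening described in the three paragraphs above, as an added IOS example that is not from the original article; hostname, domain name, usernames and the placeholder secrets are constructed.

```cisco
! Constructed example: local credentials, non-reversible secrets, separate
! console and VTY authentication, SSH-only remote access.
R1(config)# hostname R1
! SSH needs a domain name and an RSA key pair before "transport input ssh" works.
R1(config)# ip domain-name example.test
R1(config)# crypto key generate rsa modulus 2048
R1(config)# ip ssh version 2
! "secret" stores a one-way hash; "password" would be stored in clear text
! (or as reversible type 7 once service password-encryption is on).
R1(config)# username admin privilege 15 secret ChangeMe-Placeholder
R1(config)# enable secret Enable-Placeholder
! Obscures any remaining plain "password" lines in the config. Type 7 is
! reversible, so this is defence against shoulder-surfing, not a hash.
R1(config)# service password-encryption
!
! Console: authenticate against the local user database.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# exit
! VTY: same local database, but only SSH may connect
! ("transport input telnet ssh" would also allow telnet).
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
R1(config-line)# end
!
! Verification: no clear-text credentials, SSH enabled with the expected version.
R1# show running-config | include username|enable secret|password
R1# show ip ssh
```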

Device Security Using AAA

As for device security using AAA, you will need to know which protocol is using TCP and which one is using UDP, which one encrypts only the password and which one encrypts the entire message, which is Cisco-proprietary and which is based on an open standard and, finally, which one of them keeps a separation between authentication, authorization and accounting.

From the configuration point of view, there are not many differences (very often you just need to replace the radius keyword with tacacs+), so once you have figured out one of the protocols, you can apply the same logic to the other.
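The TACACS+ versus RADIUS comparison above, and the "swap the keyword" point, as an added IOS example (not from the original article; server names, addresses and the placeholder shared keys are constructed):

```cisco
! Constructed example: AAA login against a server group with local fallback.
R1(config)# aaa new-model
! Local fallback account, used only if every server in the group is unreachable.
R1(config)# username admin privilege 15 secret Fallback-Placeholder
!
! TACACS+: TCP/49, Cisco-proprietary, encrypts the whole packet body and keeps
! authentication, authorization and accounting as separate exchanges.
R1(config)# tacacs server ISE-TACACS
R1(config-server-tacacs)# address ipv4 10.0.0.5
R1(config-server-tacacs)# key TacacsKey-Placeholder
R1(config-server-tacacs)# exit
R1(config)# aaa group server tacacs+ MY-TACACS
R1(config-sg-tacacs+)# server name ISE-TACACS
R1(config-sg-tacacs+)# exit
R1(config)# aaa authentication login default group MY-TACACS local
R1(config)# aaa authorization exec default group MY-TACACS local
R1(config)# aaa accounting exec default start-stop group MY-TACACS
!
! RADIUS: UDP/1812 (auth) and 1813 (acct), open standard, encrypts only the
! password field, and combines authentication with authorization in one reply.
! Only the server definition and the group keyword change; the "aaa ..." lines
! keep the same shape (the default list below would replace the TACACS+ one).
R1(config)# radius server ISE-RADIUS
R1(config-radius-server)# address ipv4 10.0.0.6 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RadiusKey-Placeholder
R1(config-radius-server)# exit
R1(config)# aaa group server radius MY-RADIUS
R1(config-sg-radius)# server name ISE-RADIUS
R1(config-sg-radius)# exit
R1(config)# aaa authentication login default group MY-RADIUS local
R1(config)# end
!
! Test the server and credentials from the device before relying on them,
! and keep an existing session open while you do it.
R1# test aaa group MY-TACACS admin Fallback-Placeholder new-code
R1# show tacacs
```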


This article has covered all the topics from the infrastructure security section of the CCNA exam syllabus. Following these guidelines should increase your chances to get most or all of the points allocated to this section. Good luck!

Be Safe