Why aren't security features on Cisco switches used?

Posted on 2011-10-13
Last Modified: 2012-05-12
I have not seen any of these security features implemented: Dynamic ARP inspection, DHCP snooping, IP source guard, root guard, 802.1x, port security.

BPDU guard and port channel misconfiguration and of course TACACS and SSH are commonly used.

We learn about them in the CCNA and CCNP, but everywhere I go it seems that they are not used.

Maybe other companies use them but I have not seen them used.
Question by: Dragon0x40
    LVL 26

    Accepted Solution

    Many companies use DHCP Snooping and it's recommended to do so. Many companies use port security too. 802.1x is not used in many places, but is starting to gain ground in company deployment. I am currently engrossed in an 802.1x project right now.

    I think it's just that you haven't seen them used.
    LVL 8

    Assisted Solution

    I agree with you Dragon, you don't see those types of features turned on nearly as much as they should be. People do make sure they turn on features like port fast though (usually after a computer fails to pull an IP or a user complains about slowness).
    My only answer would be there are a lot of either lazy or incompetent people out there. If it doesn't fall under the category "necessary to get everything working correctly" it gets back burnered or never done.

    They will learn their lesson when someone plugs in a switch and the network seizes up.
    LVL 12

    Assisted Solution

    It's because people aren't properly trained on how to set them up.

    In addition, enabling those features increases the complexity of the network. If your organization that is using these switches doesn't have the staff to manage them, they can be more work than they are useful.
    LVL 6

    Assisted Solution

    Echoing what @jjmartineziii has said really. You often find that many spanning tree stability mechanisms such as loop guard, root guard and UDLD are not used either. Generally I think because people are simply not aware of them or how/why to use them. The same applies to DHCP snooping (although to a lesser extent), Dynamic ARP Inspection and IP source guard. Switchport port security though is often used, although I've never seen dot1x port authentication implemented.
