11.6.4 Module Quiz Switch Security Configuration

12 – 33 Questions 10 min

This 11.6.4 module quiz on switch security configuration focuses on how safety switches, key interlocks, and disconnects must be configured under OSHA 29 CFR 1910 and NFPA 70E. Use it to reinforce mandatory training, prevent electrical and machinery incidents, and understand the legal and operational consequences of insecure or bypassed switches.

Start Quiz Explore related quizzes

Part 1 — Questions

Answer each question on paper. Do not turn the page until you are ready to check your work.

In the context of the 11.6.4 module quiz - switch security configuration, which feature is primarily used to restrict how many devices can connect through a single access port?

Port security
Spanning Tree Protocol
Quality of Service
Link aggregation

Port security on a switch can be configured to limit the number of MAC addresses that can be learned on an access port.

True
False

You are standardizing switch management access as part of a switch security configuration effort. Which protocol should you require for remote CLI access to meet security and compliance expectations?

FTP
SSH
TFTP
HTTP

A security review finds that many access ports on your switches are left in the default VLAN and are unused. What is the most appropriate change to improve security?

Leave all unused ports in the default VLAN
Use the default VLAN for management traffic
Trunk all ports to all VLANs
Place unused ports in a dedicated unused VLAN

To meet audit requirements, your organization must be able to review historical switch events related to security incidents. What configuration change is most appropriate?

Automatically clear logs every night
Send logs to a remote syslog server
Disable logging to reduce CPU usage
Enable CDP on all switch ports

Disabling all logging on a switch is an acceptable way to improve performance while maintaining security compliance.

True
False

An auditor requires that administrator logins to distribution switches use centralized accounts and that all commands are logged per user. Which configuration change best satisfies this requirement?

Enable local console passwords only
Disable CDP globally
Use port security on all access ports
Configure AAA with TACACS+ for login and command accounting

Users keep connecting small unmanaged switches under their desks, causing loops and unauthorized device access. Which switch configuration change is the best first step to limit this behavior on access ports?

Increase the spanning tree priority on access switches
Enable port security with sticky MAC addresses
Convert each access port to a routed interface
Allow all MAC addresses on the port

During the 11.6.4 module quiz - switch security configuration scenario, a rogue DHCP server on an access port is giving out incorrect addresses. What should you configure to stop this while allowing legitimate DHCP replies from the core?

LACP on access ports
Port security on all access ports
DHCP snooping with trusted uplink ports
UDLD on uplinks

10.

You must secure remote administrative access to access-layer switches traversing an untrusted network segment. Which configuration best aligns with secure switch management practices?

Enable Telnet and use strong passwords
Enable SSH and restrict access with an access list
Allow SNMPv1 read-write access from any host
Use HTTP for management on all interfaces

11.

Arrange these tasks in the most appropriate order for rolling out a new standard switch security configuration across the network.

Put these in the correct order (write 1–5 beside each):

____Deploy the template to production switches
____Enable monitoring and periodic compliance checks
____Test the template in a lab or pilot environment
____Assess current switch configurations for security gaps
____Define the standard hardened configuration template

12.

To secure unused switch ports in alignment with switch security configuration best practices, which actions should you take? Select all that apply.

A.Administratively shut down unused ports
B.Configure all unused ports as 802.1Q trunks
C.Place unused ports in a non-routed VLAN
D.Mirror unused ports to an IDS by default
E.Enable user authentication on unused ports facing the core

13.

For management traffic, placing switch management interfaces on an out-of-band network and using SSH access is considered a best practice for switch security configuration.

True
False

14.

A compliance rule allows exactly two company-issued devices to connect to a conference room port. If a third device connects, traffic from the unknown device should be dropped but the port must remain operational. Which configuration best meets this requirement?

Set the maximum MAC addresses to 2 and use violation mode restrict
Disable port security and rely on 802.1X only
Set the maximum MAC addresses to 1 and use violation mode shutdown
Use dynamic ARP inspection only on that port

15.

A user connects a small switch to an access port that starts sending superior BPDUs, threatening to change the spanning tree root and destabilize the network. Which feature should you enable on the access uplink-facing ports to prevent this?

BPDU filter on all trunks
PortFast
Loop Guard
Root Guard on uplink-facing access ports

16.

You suspect repeated port-security violations on several access ports. Which indicators would most strongly confirm this suspicion? Select all that apply.

A.The interface status shows err-disabled due to security violation
B.The MAC address table shows hundreds of dynamic MACs on one access port
C.Switch CPU usage averages 5% during business hours
D.Syslog messages report port-security violations from the switch
E.Your NMS receives SNMP traps reporting port-security events

17.

An internal compliance review finds that your switches use SSH, AAA, and DHCP snooping, but all management interfaces and user access ports still reside in VLAN 1. To better align with switch security configuration best practices, what should you prioritize first?

Disable DHCP snooping on all switches
Enable CDP globally on all interfaces
Disable SSH and require console-only access
Move management and user access off VLAN 1 into dedicated VLANs

18.

A security analyst reports a suspected rogue device on a specific access port. To align with safety and compliance practices for switch security configuration, which immediate actions are most appropriate? Select all that apply.

A.Administratively shut down the affected port while you investigate
B.Power-cycle the entire switch stack to "reset" the network
C.Collect and save relevant switch logs and port statistics
D.Immediately erase the switch configuration to clear the threat
E.Notify the security team and document the incident

19.

Using a single flat VLAN for all departments improves security by isolating broadcast domains.

True
False

Part 2 — Answer key

Compare your answers after you have finished Part 1.

In the context of the 11.6.4 module quiz - switch security configuration, which feature is primarily used to restrict how many devices can connect through a single access port?
Port security
Port security on a switch can be configured to limit the number of MAC addresses that can be learned on an access port.
True
You are standardizing switch management access as part of a switch security configuration effort. Which protocol should you require for remote CLI access to meet security and compliance expectations?
SSH
A security review finds that many access ports on your switches are left in the default VLAN and are unused. What is the most appropriate change to improve security?
Place unused ports in a dedicated unused VLAN
To meet audit requirements, your organization must be able to review historical switch events related to security incidents. What configuration change is most appropriate?
Send logs to a remote syslog server
Disabling all logging on a switch is an acceptable way to improve performance while maintaining security compliance.
False
An auditor requires that administrator logins to distribution switches use centralized accounts and that all commands are logged per user. Which configuration change best satisfies this requirement?
Configure AAA with TACACS+ for login and command accounting
Users keep connecting small unmanaged switches under their desks, causing loops and unauthorized device access. Which switch configuration change is the best first step to limit this behavior on access ports?
Enable port security with sticky MAC addresses
During the 11.6.4 module quiz - switch security configuration scenario, a rogue DHCP server on an access port is giving out incorrect addresses. What should you configure to stop this while allowing legitimate DHCP replies from the core?
DHCP snooping with trusted uplink ports
You must secure remote administrative access to access-layer switches traversing an untrusted network segment. Which configuration best aligns with secure switch management practices?
Enable SSH and restrict access with an access list
Arrange these tasks in the most appropriate order for rolling out a new standard switch security configuration across the network.
Correct order: Assess current switch configurations for security gaps → Define the standard hardened configuration template → Test the template in a lab or pilot environment → Deploy the template to production switches → Enable monitoring and periodic compliance checks
To secure unused switch ports in alignment with switch security configuration best practices, which actions should you take? Select all that apply.
Administratively shut down unused ports; Place unused ports in a non-routed VLAN
For management traffic, placing switch management interfaces on an out-of-band network and using SSH access is considered a best practice for switch security configuration.
True
A compliance rule allows exactly two company-issued devices to connect to a conference room port. If a third device connects, traffic from the unknown device should be dropped but the port must remain operational. Which configuration best meets this requirement?
Set the maximum MAC addresses to 2 and use violation mode restrict
A user connects a small switch to an access port that starts sending superior BPDUs, threatening to change the spanning tree root and destabilize the network. Which feature should you enable on the access uplink-facing ports to prevent this?
Root Guard on uplink-facing access ports
You suspect repeated port-security violations on several access ports. Which indicators would most strongly confirm this suspicion? Select all that apply.
The interface status shows err-disabled due to security violation; Syslog messages report port-security violations from the switch; Your NMS receives SNMP traps reporting port-security events
An internal compliance review finds that your switches use SSH, AAA, and DHCP snooping, but all management interfaces and user access ports still reside in VLAN 1. To better align with switch security configuration best practices, what should you prioritize first?
Move management and user access off VLAN 1 into dedicated VLANs
A security analyst reports a suspected rogue device on a specific access port. To align with safety and compliance practices for switch security configuration, which immediate actions are most appropriate? Select all that apply.
Administratively shut down the affected port while you investigate; Collect and save relevant switch logs and port statistics; Notify the security team and document the incident
Using a single flat VLAN for all departments improves security by isolating broadcast domains.
False

1In the context of the 11.6.4 module quiz - switch security configuration, which feature is primarily used to restrict how many devices can connect through a single access port?

2Port security on a switch can be configured to limit the number of MAC addresses that can be learned on an access port.

True / False

3You are standardizing switch management access as part of a switch security configuration effort. Which protocol should you require for remote CLI access to meet security and compliance expectations?

4A security review finds that many access ports on your switches are left in the default VLAN and are unused. What is the most appropriate change to improve security?

5To meet audit requirements, your organization must be able to review historical switch events related to security incidents. What configuration change is most appropriate?

6Disabling all logging on a switch is an acceptable way to improve performance while maintaining security compliance.

True / False

7An auditor requires that administrator logins to distribution switches use centralized accounts and that all commands are logged per user. Which configuration change best satisfies this requirement?

8Users keep connecting small unmanaged switches under their desks, causing loops and unauthorized device access. Which switch configuration change is the best first step to limit this behavior on access ports?

9During the 11.6.4 module quiz - switch security configuration scenario, a rogue DHCP server on an access port is giving out incorrect addresses. What should you configure to stop this while allowing legitimate DHCP replies from the core?

10You must secure remote administrative access to access-layer switches traversing an untrusted network segment. Which configuration best aligns with secure switch management practices?

11Arrange these tasks in the most appropriate order for rolling out a new standard switch security configuration across the network.

Put in order

1Deploy the template to production switches

2Enable monitoring and periodic compliance checks

3Test the template in a lab or pilot environment

4Assess current switch configurations for security gaps

5Define the standard hardened configuration template

12To secure unused switch ports in alignment with switch security configuration best practices, which actions should you take? Select all that apply.

Select all that apply

13For management traffic, placing switch management interfaces on an out-of-band network and using SSH access is considered a best practice for switch security configuration.

True / False

14A compliance rule allows exactly two company-issued devices to connect to a conference room port. If a third device connects, traffic from the unknown device should be dropped but the port must remain operational. Which configuration best meets this requirement?

15A user connects a small switch to an access port that starts sending superior BPDUs, threatening to change the spanning tree root and destabilize the network. Which feature should you enable on the access uplink-facing ports to prevent this?

16You suspect repeated port-security violations on several access ports. Which indicators would most strongly confirm this suspicion? Select all that apply.

Select all that apply

17An internal compliance review finds that your switches use SSH, AAA, and DHCP snooping, but all management interfaces and user access ports still reside in VLAN 1. To better align with switch security configuration best practices, what should you prioritize first?

18A security analyst reports a suspected rogue device on a specific access port. To align with safety and compliance practices for switch security configuration, which immediate actions are most appropriate? Select all that apply.

Select all that apply

19Using a single flat VLAN for all departments improves security by isolating broadcast domains.

True / False

Disclaimer

This quiz is for educational purposes only. It does not replace official safety training, certification, or regulatory compliance programs.

Frequent Errors in 11.6.4 Switch Security Configuration

Misunderstanding the Safety Role of Switches

Many practitioners treat selector switches and keyed switches as convenience controls instead of safety devices. They leave maintenance or bypass positions active during normal production. This defeats OSHA energy control intent and can expose workers to unexpected start up or motion.

Another frequent error is assuming that an estop or interlock switch alone satisfies NFPA 70E electrical safety expectations. The underlying disconnect and lockable isolation are not configured or labeled correctly, so workers rely on a control switch instead of a true energy isolating device.

Incorrect Interlock and Key Exchange Logic

Key interlock sequences are often misconfigured. Keys can be removed in unsafe positions or used in the wrong order. This can allow access to guarded areas while power is still available. Written logic diagrams and physical key numbering must align. Many facilities skip independent functional checks after wiring or PLC logic changes.

Another pattern is changing switch types or locations without updating lockout/tagout procedures. The field configuration then disagrees with the documented sequence, and technicians improvise. That is where incidents occur.

Weak Physical and Cyber Security on Switches

Safety related disconnects and networked switches are sometimes left with default door locks or default passwords. This allows unauthorized people to alter modes, override interlocks, or reconnect isolated equipment. Access control for keys, panels, and configuration tools must match the hazard level.

Finally, teams often fail to record configuration baselines. Without "known good" settings, a quick fix during troubleshooting can leave critical security features disabled permanently.

Scenario Practice for Switch Security Configuration Decisions

Production Line Guard Access

Scenario 1: A packaging line uses a keyed selector switch with "Run", "Setup", and "Maintenance" modes. Operators routinely leave the switch in "Maintenance" so they can clear minor jams with the guard open. Describe the compliant configuration and training changes you would implement to prevent this practice.
Scenario 2: A technician needs to enter a robot cell. The procedure calls for opening a lockable disconnect, applying a personal lock, and transferring a key to an access lock. The technician instead turns a panel-mounted selector to "Safe Stop" and enters. Explain why this configuration and behavior violate OSHA energy control expectations and how the switches should be arranged.
Scenario 3: After a drive upgrade, the PLC logic still allows a safety gate to be opened while a flywheel coasts down. The safety interlock switch remains wired, but its stop signal arrives through new logic with a time delay. Outline how you would review switch wiring, safety function configuration, and documentation to restore fail safe behavior.
Scenario 4: A managed Ethernet switch connects safety PLCs and remote I/O. The installer leaves default credentials and enables unsecured remote management from the corporate network. Describe the specific configuration controls and account restrictions required so that only authorized personnel can modify settings that affect safety related functions.
Scenario 5: During an audit you discover that several field disconnect switches have missing lock hasps and inconsistent position labels. Workers report that they "usually" know which way is off. Explain how you would correct labeling, locking provisions, and verification steps to align with NFPA 70E and OSHA expectations.

Authoritative References for Switch Security and Energy Isolation

Standards and Guidance on Safe Switch Configuration

OSHA 29 CFR 1910.147 Control of Hazardous Energy: Primary U.S. standard for lockout/tagout programs, including requirements for energy isolating devices and retraining after changes to controls.
OSHA Publication 3075: Electrical Safety-Related Work Practices: Explains OSHA electrical standards in Subpart S and how they apply to disconnects, control switches, and safe work practices.
OSHA Lockout/Tagout Guide: Plain language booklet on hazardous energy control with examples of proper isolation, switch selection, and employee responsibilities.
ESFI Overview of NFPA 70E: Summarizes NFPA 70E electrical safety in the workplace and highlights practices for safe operation and maintenance of electrical equipment and disconnects.

11.6.4 Switch Security Configuration Quiz FAQ

Common Questions on Switch Security Configuration and Safety Compliance

What does the 11.6.4 module quiz on switch security configuration actually cover?

The quiz focuses on how safety switches, selector switches, key interlocks, and disconnects must be configured to support OSHA hazardous energy control and NFPA 70E electrical safety. Questions emphasize safe modes of operation, proper isolation, and how configuration choices affect real incident risk.

How does switch security configuration relate to OSHA lockout/tagout rules?

OSHA expects hazardous energy to be controlled with energy isolating devices that can be locked and verified. Switch configuration determines whether those devices are clearly identified, lockable, and used instead of simple control circuit stops. Poor configuration encourages informal shortcuts that bypass written lockout/tagout procedures.

Why is NFPA 70E referenced in a quiz about switches and not only about PPE?

NFPA 70E addresses electrical safety programs, risk assessment, and equipment condition, not just personal protective equipment. The way disconnects, interlock switches, and control panels are configured affects arc flash and shock exposure. The quiz checks that you connect switch design and settings to NFPA 70E safe work practices.

Does this quiz address both functional safety and cybersecurity of switches?

Yes. The primary focus is functional safety and prevention of unexpected energization. Several questions also examine password control, remote access, and configuration management on networked switches, because unauthorized changes can defeat safety functions and create compliance gaps.

How should I prepare before taking the 11.6.4 module quiz?

Review your facility lockout/tagout program, one line diagrams, and any procedures that describe safe states and switch positions. Study how interlock switches, keyed modes, and main disconnects are identified and locked. If available, read your site electrical safety program that references OSHA 1910 and NFPA 70E.

How can I use quiz results to reduce workplace incidents?

Identify topics you miss, such as key exchange logic or default credentials on managed switches. Compare those gaps to your current installations. Use that comparison to update procedures, labeling, and switch settings, and to plan refresher training for electricians, operators, and maintenance staff.