Answer: Basic Port Security 2

By certskills October 24, 2015 12:10

No fluff – just straightforward config. First do the lab as listed in the earlier post, that is, try it for yourself. (For you test takers, the point is that you learn better if you try first – it’s not a punishment, but an opportunity!) Then come back here and check your answer and your logic.


Example 2: SW1 Config with Port Security Added



Often the configuration of port security does not need to be overly complex. As long as a few basic points about a port security implementation are known, these include:

  • Port Security is disabled by default
  • Once enabled, each port is allowed only a single MAC address by default
  • The default violation mode is to shutdown the port resulting in a port in the err-disabled state
  • A violation occurs if a frame is received from a MAC address not in its secure MAC address table
  • The port security feature is not supported on dynamic mode ports

Another configuration option of the port security feature is to automatically convert dynamically learned MAC addresses to static secure MAC addresses. So what does this mean? Normally when an address is learned it will be counted against the secure MAC address limit (remember the default is 1) but this MAC address will not be placed into the configuration – it’s just in an internal table used by the port security feature. Should the switch be rebooted, the MAC address linked to the interface will be reset to the first one it sees traffic from. The alternative to this is to statically configure the MAC addresses of every attached interface; this is a time consuming task that is not feasible for most administrators; the alternative is to use sticky learning.

When using sticky learning the interface will listen for a device (or devices) on an interface. The first MAC address that is seen on the interface will be placed into the running configuration as a statically configured secure MAC address (this also works for multiple MAC addresses should the maximum be increased from its default of 1). All the administrator needs to do is wait for all the expected devices to send traffic and be seen by the switch. Once this is done then the only task left is to save the configuration.

Following the configuration in order:

  • The switchport mode access command changes the port from its default dynamic status to statically be an access port.
  • The switchport port-security command enables port security with all defaults.
  • The switchport port-security sticky command tells port security to record into the running-config any learned MAC addresses that are legal (in other words, those that are not considered violations).
  • The relevant defaults are: 1 MAC address per port.

Finally, you could have configure the three subcommands as shown in Example 3, using the interface range command, to save some typing.


Example 3: Using the interface range Command to Save Typing


Basic Port Security 2
Trunking for Only Some VLANs
By certskills October 24, 2015 12:10
Write a comment


  1. George August 16, 16:35

    If I understand correctly, a hacker could still defeat the port security config above if they have access to AC power on the switch. Toggling power would allow a window of time for the hacker to plug in a laptop and have its mac-address be accepted as the first sticky address. If the user had saved the running-config to the startup config, that window would be eliminated. Am I correct?

    Reply to this comment
  2. Barbara November 3, 16:39

    Just a thought on George’s comment.
    If the power to the switch was toggled, then wouldn’t the fact that sticky was enabled on a port also be ‘forgotten’ on switch reboot (assuming that the running-coinfig hadn’t been previously saved to the startup-config)?. In fact, woudn’t *all* port-security be forgotten on reboot, if it wasn’t previously saved to the starup-config?

    Reply to this comment
  3. Roseli March 31, 17:38

    Hey, thank you for your dedication to us, Wendell. I’ve been learn so much with you.
    The link Question to this Answer isn’t exist. Can you verify, pls?

    Reply to this comment
  4. sanjinb September 7, 06:33

    is it sticky option default ? If it is, what is diference between default option and when we configure port security mac-address sticky?

    Reply to this comment
    • CCENTSkills September 7, 11:21

      Short answer, no, sticky is not the default.
      Sticky: dynamically learn, and then add a configuration command to running config, so if saved, it looks like a statically-configured address for port security.
      Not sticky (ie leaving it out): dynamically learn, use the info, but do not create config and do not save the learned info across reloads.

      Reply to this comment
  5. Nelson Paiva July 20, 09:26

    Hi Wendell,

    So if I understood correctly, once a port learns a mac address through sticky, if you save the running config to startup config, it will be “the same” as if you had manually assigned a mac address to that port? Thank you so much for your insight.


    Reply to this comment
    • certskills Author July 26, 16:36

      Correct! nice way to build the config when starting out – hoping that it’s not in the middle of some attack. 🙂

      Reply to this comment
  6. JP August 21, 14:59

    Was I wrong to do the following?

    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security mac-address sticky
    switchport port-security mac-address 0200.0000.1111
    I’m guessing the sticky would dynamically learn PC1 MAC and save it since its the only one connected to the ports.. Is that why the mac-address entry table is not needed?

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.