Basic Port Security 2

By certskills October 22, 2015 12:10

Quick, can you name all the small options available with Cisco’s port security feature on Catalyst IOS images? Most of us can’t, unless we’re in the middle of studying for CCENT, CCNA, or CCNP R&S SWITCH. But this blog is meant to help you prepare for a couple of those, so here’s another chance to review and recall those options with another basic port security lab.



You need to configure port security on some access ports on a Catalyst switch. You do know that only one device should connect to each switch port. However, you do not know the MAC address of each device.

Your job in this lab: enable port security on the requested ports, allowing one and only one device to send traffic through the port. Also cause the switch to learn the first MAC that sends traffic, and remember that MAC address for the long term.

The specific rules for this lab are:

  • Enable port security on all displayed access interfaces in the figure
  • Configure port security so that all valid learned MAC address will be automatically converted to secure MAC addresses
  • Allow only one MAC address to send frames into the port
  • Use default settings where possible, and do not configure any settings that are not required
  • As an added bonus, consider how to configure any interface subcommands two different ways: any interface commands per-interface, or one time for all interfaces


Figure 1: Single Switch


Initial Configuration

While you might be able to configure port security based on the information supplied so far, the initial configurations of the switch might be helpful, as shown in Figure 1.

Example 1: SW1 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure it there. If you do attempt this lab on a real OS, you can test by setting your test hosts to use the same MAC addresses shown in the figure, seeing them work, and then setting the MAC addresses to different values, and hopefully seeing port security filtering the traffic.


Do this Lab with Cisco’s CML (Formerly VIRL)

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.

Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.

This lab’s CML file!

This lab’s VIRL file!


Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample .YANL/.VIRL file.


Device Lab Port CML/VIRL Port
SW1 F0/1 G0/1
SW1 F0/2 G0/2
SW1 F0/3 G0/3
SW1 F0/4 G1/0


Host device info:

This table lists host information pre-configured in CML/VIRL, information that might not be required by the lab but may be useful to you.


Device IP Address Mac Address User/password
PC1 02:00:00:00:11:11 cisco/cisco
PC2 02:00:00:00:22:22 cisco/cisco
PC3 02:00:00:00:33:33 cisco/cisco
PC4 02:00:00:00:44:44 cisco/cisco



Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath

To connect to another node within the topology: telnet

Answers: OSPF Interface Config 1
Answer: Basic Port Security 2
By certskills October 22, 2015 12:10
Write a comment

No Comments

No Comments Yet!

Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.

Write a comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.