Answer: Basic Port Security 3

By certskills December 5, 2015 12:05

No fluff today – just straightforward config. First do the lab as listed in the earlier post, that is, try it for yourself. (For you test takers, the point is that you learn better if you try first – it’s not a punishment, but an opportunity!) Then come back here and check your answer and your logic.


Example 2: SW1 Config Answers



Often the configuration of port security does not need to be overly complex. As long as a few basic points about a port security implementation are known, including:

  • Port security is disabled by default
  • Once enabled, each port is only allowed a single MAC address by default
  • The default violation mode is to shutdown the port resulting in a port in the err-disabled state
  • A violation occurs if a frame is received from a MAC address not in its secure MAC address table
  • The port security feature is not supported on dynamic mode ports

There are three different violation modes that are configurable with the port security feature: shutdown, restrict, and protect.

Shutdown: The shutdown violation mode is the default and will automatically disable a port and place it into an err-disabled state should a violation occur.

Restrict: The restrict violation mode will drop all offending traffic (from MAC addresses that are not configured and over the maximum MAC count configured) AND increment the security violation counter AND send a violation message (via SNMP). Restrict mode does not, however, move the port to an err-disabled state, which means that non-violating traffic still works.

Protect: The protect violation mode will drop all offending traffic but NOT increment the security violation counter or send SNMP traps for violations.


Following the configuration in order:

  • The switchport mode access command changes the port from its default dynamic status to statically be an access port.
  • The switchport port-security command enables port security with all defaults.
  • The switchport port-security violation protect command tells port security to change from the default shutdown mode to instead use protect mode.
  • The relevant defaults are: 1 MAC address per port, which is the first learned MAC on the port.

Finally, you could have configure the three subcommands as shown in Example 3, using the interface range command, to save some typing.

Example 3: Using the interface range Command to Save Typing


Basic Port Security 3
OSPFv3 Costs and Multipath
By certskills December 5, 2015 12:05
Write a comment


  1. Enrique October 18, 19:31

    The website states that “The port security feature is not supported on dynamic mode ports.” I just started reading the new ICND1 book and it states that we can do port-security on trunking ports.

    In addition, I loaded Packet Tracer version and it also states that port-security is not supported on dynamic ports.

    Would you be able to clarify?

    Reply to this comment
    • CCENTSkills October 19, 08:01

      Hi Enrique,
      Sure. Short version is this:
      The port must be configured with:
      switchport mode trunk
      switchport mode access

      That way, the port is not dynamically choosing whether to be a trunk or access port.

      If the port is configured with
      switchport mode dynamic desirable
      switchport mode dynamic auto

      Then it cannot also be configured with port security.

      Hope this helps…

      Reply to this comment
  2. HectorJ November 22, 01:28

    Next comment is just a suggestion.

    In the “CCENT/CCNA ICND 1 100-105” book there’s an example like this:

    interface FastEthernet0/3
    switchport mode access
    switchport port-security

    and nothing else. And the related text establishes just that
    “Interface F0/3 uses default maximum of one MAC address”.

    My point is: what I understood is that restriction is just about the number MAC addresses that interface is validating, not the MAC address itself.

    I think that it might be worth especifing on the book what you wrote down on this exercise:

    “The relevant defaults are: 1 MAC address per port, which is the first learned MAC on the port”

    Thanks in advance, again.

    Reply to this comment
  3. abrakour April 3, 16:37

    Hello Wendell, everyone,

    (sorry for the long comment but bear with me because I really make a point in the end)

    I just configured this simple network. A switch (SW1) and three (3) Generic PCs (PC1, PC2, ATTACKER) and gave IPs to (PC1, PC2) just to be able to ping each other. I also configured the “ATTACKER” PC (which is disconnected from the switch initially) to have the SAME IP as PC1.


    PC1——SW1—–PC2 (ATTACKER)

    I configure the default port security exactly as shown here for both G0/1 (PC1) and G0/2 (PC2).

    switchport mode access
    switchport port-security
    switchport port-security violation protect

    -I send an ICMP req from PC1 to PC2. Goes through (as normal)
    -I disconnect PC1 from the G0/1 and connect ATTACKER to it (drag-drop the cable from one to the other).

    (PC1) ATTACKER—–SW1—–PC2

    -I send an ICMP req from ATTACKER, this time, to PC2 and goes through too (!).

    Hasn’t G0/1 learnt PC1’s MAC in the first ICMP?
    (NOTE) All three (3) MACs are different.

    Does the “default” mean “Let only one MAC address at-a-time”. Would that make sense in “access” mode?

    “Sticky” gets (apparently) the job done.

    Very confused.

    Sorry for the lengthy comment and thank you in advance.


    Reply to this comment
    • CCENTSkills April 5, 06:42

      Hi AK,
      If I follow your example, you are physically moving the cables between PC1 and PC2? If so, both switch interfaces will fail, and then recover once plugged back in. That will reset any dynamically-learned entries.

      Sticky will complete your experiment as you expected because sticky will write the mac address to the running-config.

      So, re-test, and before issuing the ping test after swapping the PCs, do all your favorite show mac address-table and other port-security commands and check. You shouldn’t see any of the MACs that were learned earlier showing up in the output.

      Hope this helps,

      Reply to this comment
      • abrakour July 14, 13:19

        Hi Wendell,
        I get what you say. So is “sticky” the way to go when configuring in real life? Because switching cables is a relatively easy task. I feel that I am dangerously generalizing here, but the “non-sticky” configuration does not prevent this from happening.

        Thank you,

        Reply to this comment
        • CCENTSkills July 21, 09:29

          Abrakour – nice turn of phrase “dangerously generalizing”. Yes, there is so much about CCNA that’s about what you can do, but not necessarily about what’s best to do – that’s really more the design track. Not that CCNA sets about to show the wrong way to do things, but more that it requires us to understand the peculiarities of the commands and protocols. Glad we closed the loop though on that one specific point.

          Reply to this comment
  4. Bav May 13, 09:36

    Hi wendell,

    I just tried this in packet tracer. All devices connected and both PCs can ping each other. I then disconnect one of the PCs and connect a 3rd PC to the switch. I was still able to ping PC2.

    I was expecting the traffic to be blocked as the MAC of the 3rd PC doesn’t match that of the 1st PC.

    Is this related to your explanation above? Thanks

    Reply to this comment
    • CCENTSkills May 15, 09:11

      Hi Bav,
      No, that’s unrelated. I’ll call that an inconsistency between real gear and PT. πŸ™‚ Frames sent into the switch, by a device with a MAC that’s not in the list of allowed MAC addresses in this scenario, would have their frames discarded.

      Reply to this comment
      • CCENTSkills May 15, 09:13

        Ah, I see your next comment, and it hits me. To transition to the new PC (PC3), the process probably brought the interface down, removing the old secure MAC table entry, making room for the new one. Then later, when you used sticky, the entry isn’t removed by the process, so it prevented the frames sent by the new PC.

        Reply to this comment
  5. Bav May 13, 09:38

    Just to add I did later try this with sticky and it worked as expected.

    Reply to this comment
  6. JD April 8, 15:55


    Going through the book I noticed two things. After all my port security settings are in place here is what I noticed.

    1) The show mac address-table secure interface fa0/x command doesn’t seem to work on my catalyst 2950. However, the mac address does show up in my static table. I see in the book OCG book page 208 that it shows the same command working. Am I doing something wrong.

    2) What I am not completely understanding is default settings for port security in regards to the mac-addresses. Is the default settings for mac address is that “sticky” is implied or is that I can plug whatever cable into the same port and as long as their is only one mac address, the no port violation occurs?

    As a side note, I started from scratch and enabled port security on all ports. I plugged computer in to port fa0/22 and pinged the vlan IP successfully. I then unplugged computer from that port and plugged a different computer in to the same fa0/22 and pinged the vlan. I found that the port is still active and online.

    Reply to this comment
    • CCENTSkills April 9, 10:25

      Hi JD,
      Thanks for the note. On your points:
      1) 2950’s were replaced by 2960’s around… 2005? 2006? So it’s not a big surprise that some commands aren’t supported on the 2950’s. I don’t see anything that you’re doing wrong based on your comments in #1 at least.

      2) The default does not include sticky, but I think you’re not quite getting the idea in how you set up your either/or choices in the last sentence of your #2. So, here’s what’s true: sticky is not the default. By default, port security allows a single dynamically-learned MAC on each port before it considers a violation to have occurred. So for your choices, by default it’s “no switchport port-security mac-address sticky” and “switchport port-security maximum 1”

      3) In your experiment, when you unplug the PC, the interface fails. That removes the dynamically learned MAC address on that interface. When you add the 2nd PC to that same port, it’s MAC is learned, but there’s still only one MAC address. To test: put a second switch on that port, put both PCs off the 2nd switch, and then ping something on the first switch from both your test PCs. That’ll cause the first switch to try and learn two MACs, and cause a violation.

      Reply to this comment
  7. Red Dawn August 10, 06:17

    Hi Wendell, when I click on chapter 10 100-105 part 3, it comes up with, ‘no articles found’. Therefore, I was not able to do any config labs or questions for chapter 10 in the book. I would really appreciate it if you could restore the chapter 10 material.

    Many thanks

    Reply to this comment
    • certskills Author August 13, 14:33

      Hi Red,
      It’s not an omission. I just happen to have never written any posts related to ICND1 100-105 chapter 10. The menu system provides a link to each chapter; there may be a few for which there are no related posts. Sorry about that. Also, chapter 10 is all design anyway – no labs possible for that chapter anyway.

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.