Config Lab: Basic Port Security 4

Wendell Odom
By Wendell Odom October 5, 2021 15:05

The Cisco switch Port Security feature lets the switch monitor incoming frames, look at the source MAC address, and determine whether frames with that source address should or should not be allowed into the switch. As usual for these config labs, this one plays it straight, with straightforward requirements to configure. Details below the fold.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

The Network, Initial State, and Rules

This lab uses the simple LAN shown in Figure 1. It shows two switches connected by a link, with a router on the side.

Figure 1 – Lab Topology


This lab begins with the router configured correctly but ignores the router configuration, focusing on the links between the PCs and the switches. However, for this exercise, the initial config has no real impact on configuring the switches for the new requirements.

Example 1: SW1 Initial Config


Example 2: SW2 Initial Config


For this lab:

  • The router has been configured already and is working.
  • The router is connected to other links, not shown; those links are entirely unimportant to the lab.
  • This lab uses only CCNA concepts, so the link between the two switches is not a VLAN trunk, and only the default VLAN (VLAN 1) is in use.

Now that you have the background, the rest of this post spells out your tasks.


Problem: Configure to Match the Requirements Table

This exercise does not match what you might do in real life because it asks you to do many different options in one small LAN. However, it does allow you to exercise the various command options. For this lab, configure the switch ports, so port security does the different combinations of features listed for each of the six PCs in the figure. That’s it!  The types of configuration settings include:

  1. The action (violation mode) the switch takes when a violation occurs: shutdown, protect, and restrict
  2. Whether the one PC’s MAC should be learned dynamically or statically configured
  3. Whether the switch should make a dynamically-learned MAC be “sticky” and remember it for later
  4. The maximum number of MACs that may be associated with the port.

The MAC addresses of the six PCs should be considered to be 8 hex zeros, with the last four digits matching the PC’s number. EG, PC1’s MAC is 0000.0000.1111; PC2’s is 0000.0000.2222, and so on.

Number of MACs 1 1 2 2 3 3
Dynamically learn MAC? Y N Y Y N Y
Sticky? N N Y N N Y
Violation mode Shut. Prot. Rest. Shut. Prot. Rest.

Table 1: Configuration Combinations


As a final requirement, you should configure only the required parameters. Do not configure any commands that could be picked up by default. That’s it! Jump in, and try a few.

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!


Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.

Device Lab Port  CML Port
SW1 F0/1 G2/1
SW1 F0/2 G2/2
SW1 F0/3 G2/3
SW1 F0/11 G1/1
SW2 F0/4 G3/1
SW2 F0/5 G3/2
SW2 F0/6 G3/3
SW2 F0/7 G0/1
SW2 F0/12 G1/2

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)

Problem 1 Review, Switch SW1

To get things started, go back and check the original problem post for the details. For quick reference, Figure 1 repeats the topology, Table 1 repeats the requirements, and the notes just before the table list the MAC addresses.

Figure 1 – Lab Topology

MAC Addresses:

The MAC addresses of the six PCs should be considered to be 8 hex zeros, with the last four digits matching the PC’s number. EG, PC1’s MAC is 0000.0000.1111; PC2’s is 0000.0000.2222, and so on.

Number of MACs 1 1 2 2 3 3
Dynamically learn MAC? Y N Y Y N Y
Sticky? N N Y N N Y
Violation mode Shut. Prot. Rest. Shut. Prot. Rest.

Table 1: Configuration Combinations


The configurations for Problem 1 on both SW1 and SW2 are listed below.

Example 1: SW1 New Config


Example 2: SW2 Config

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)

This lab asks for a variety of port security settings so that you can exercise your skills with the various port security configuration commands. Looking at the table, note that the middle two rows about whether the port dynamically learns MAC addresses and whether it uses sticky shows a repeating pattern. So, the related actions on the switchport port-security mac-address command on SW1 ports F0/1, F0/2, and F0/3 also happen on SW2 ports F0/4, F0/5, and F0/6, respectively. More generally:

switchport port-security – All six ports need this subcommand to enable port security.

switchport port-security maximum number – Ports F0/1 and F0/2 do not need the command, because this command defaults to a maximum of 1, and the lab calls for a maximum of one MAC per port for those ports. The other ports in the lab require the command.

switchport port-security mac-address address – Ports F0/2 and F0/5, per the table, do not dynamically learn their addresses, and do not use sticky, so they use this command.

switchport port-security mac-address sticky – Ports F0/3 and F0/6, per the table, should dynamically learn MAC addresses by using the sticky option, so they use this command.

switchport port-security violation mode {shutdown | restrict | protect } – Ports F0/1 and F0/4 do not need this command as they use the default setting of shutdown. The other ports use either restrict or protect per the table.

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

# Summary Detail
1 None No known issues related to this lab.


Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, there should be no violations. But you could re-configure the PCs to cause a few violations based on MAC addresses. 

  1. On the hosts, confirm the IP address and MAC address settings match the figure as supplied in the lab.
  2. On switch ports with pre-defined MAC addresses, change the PCs’ MAC address. Then attempt to ping other devices. This will send traffic, with an incorrect source MAC address compared to port security.
  3. Similarly, for ports that use the sticky option, generate packets from the PC using ping. Then change the PCs’ MAC addresses, and re-test using ping. That should also cause a violation.
  4. From the switch, use commands like show port-securityshow port-security interface, and show port-security address to confirm whether port security worked as expected.

More Labs with Related Content!

Config Lab: Basic Port Security 3
Config Lab: DHCP Relay
Wendell Odom
By Wendell Odom October 5, 2021 15:05
Write a comment


  1. derod February 14, 13:49


    I hope all is well.

    I think your lab Commentary is from a different lab!

    Thank you

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.