Requirements
Your job: configure port security on SW3 so that both devices off port F0/3 can send data through the switch, but no other devices can send data through SW3’s F0/1 port. To begin the lab, all switches work, all interfaces shown are up and working, and none of the switches have been configured with port security.
The specific rules for this lab are as follows:
- Allow traffic from PC3 and PC4 into SW3’s F0/1 port, but disallow traffic from other sources
- Pre-define all MAC addresses for port security
- All other port security settings unnecessary to the above should be left as defaults
- If choosing a numeric parameter, and many values would work, choose the smallest number that would work.
On that last point about choosing numbers, in case it is unclear, consider this example. If a number could be set to a value between 1 and 1000, pick 1. That way, your answer will likely look more like my answer.

Figure 1: Switch Triangle
Initial Configuration
While you might be able to configure port security based on the information supplied so far, the initial configurations of the three switches can also be helpful. Examples 1, 2, and 3 show the beginning configuration state of SW1, SW2, and SW3.
hostname SW1
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface FastEthernet0/1
 no shutdown
 switchport mode access
Example 1: SW1 Config
hostname SW2
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface FastEthernet0/1
 no shutdown
 switchport mode access
Example 2: SW2 Config
hostname SW3
!
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/2
 no shutdown
!
interface FastEthernet0/1
 no shutdown
 switchport mode access
Example 3: SW3 Config
Hello Mr. Wendell, the requirements text states that the interfaces to be configured are F0/3 & F0/0, but the diagram shows otherwise.
Hi,
Yep, all true. Several mistakes in the lab. I’ve reviewed it, and I think I caught them all. All text, examples, etc should refer to the various switches’ F0/1 ports. Thanks for letting me know.
Wendell
Hi sir,
I downloaded the CPT version, but it was incompatible with the version I’m using (7.2.0.0226). Paper/editor & Cisco modeling labs versions don’t work as well. I recommend typing the commands in a .txt file and uploading it for us.
Thanks
Hi Davood,
Thanks for the input and suggestion. Two responses:
1) What would you like to see in the text file you suggested that’s not already available on the page? This page includes all the initial config for each device as well as the configuration needed to answer the lab. I’m not sure what else I could supply for you to do the lab – please clarify.
2) If you update to a more recent version of Packet Tracer, you can do the labs in packet tracer. I believe you’d have a much more useful experience doing that rather than making these a paper exercise. Here’s a page that details how to get the latest Packet Tracer for free. https://blog.certskills.com/ptinstall/
Hope this helps,
Wendell
When I try to add the mac-addresses with a maximum of 2, it does not let me enter two mac addresses. I have to raise the max to 3 to enter the mac address. Why does this happen?
Hi Rob,
I am wondering if you bumped into a Packet Tracer bug/feature. I’ll take a look in a few days – teaching for the next few. In the meantime, on a hunch:
First shutdown the port (that is, get into config mode, then interface mode, and issue the “shutdown” command).
Then configure port security.
Then issue a “no shutdown” command.
I’m wondering if the switch is learning the attached PC’s MAC, and then PT is not letting you configure the 3rd MAC address.
More in a few days.
Hi Mr Wendell,
I think using the protect (or restrict, although nothing was said about syslog and SNMP messages) violation policy would better achieve the requirements of the stem of allowing PC2 and PC3 traffic while disallowing traffic from other sources. Because with the default port-security violation mode (shutdown), in case of other traffic, a security violation will occur and the Fa0/1 port will be put in err-disable state and will not allow traffic from PC2 and PC3 as the requirement. That’s why I’ve included the subcommand
switchport port-security violation protect
to your answer. Am I thinking right or am I missing the point?
Thank you for your time,
Mauricio.
Hi Mauricio,
Thanks for the note.
I agree with your logic and configuration.
The lab, as worded, is at best silent in guiding us to a decision about the port security violation mode. Without any specific direction, your logic makes sense.
My goal with the labs, given that we can discuss such things here, is to give you all a chance to explore and think. As long as you understand the options for violation mode, and know them better now as a result, then the lab did its job. (Clearly, you understand the topic well from your question.)
I’ll give some thought to whether I want to be more specific in lab or leave the lab without those directions, so that others can learn from the same sort of analysis you went through. Thoughts?
Wendell
Hi Mr. Wendell,
Your labs are very interesting and I learn a lot with them. Sometimes I have a different interpretation of the question, which causes me to divert from the final answer. In those cases it is very important to have your comments. It helps me be confident about my understanding or correct my interpretation. Thank you for your explanations, I appreciate it a lot.
Regards,
Mauricio
Hello,
I hope all is well.
Thank you for your efforts. One sort of issue I wanted to ask about: the lab requires only allowing the PCs, hence the command switchport port-security maximum 2; however, should it not be 3, since we need to allow for the MAC address of sw4 fa0/1? Or when we enabled switchport port-security, did it already add it in?
Hi Jared,
Yeah, I think I’d agree, if I’m understanding your question. As drawn, the LAN to the right of SW3 leaves some ambiguity. If there is a switch SW4 there, it will likely send some overhead frames, like STP/RSTP, CDP, and LLDP, so SW3’s F0/1 port will learn SW4’s interface MAC address. So yes, 3 would be more appropriate in that case.
Wendell
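
The three points raised in the comments above (a second static MAC rejected at maximum 2, the choice of violation mode, and a third MAC arriving from SW4) can be tried out in a simplified Python model of one port-security interface. This is an added example, not code from the lab or from Cisco IOS; the MAC addresses, class and function names are constructed for illustration, and it assumes the behaviour described in the hunch above: a live port learns a source MAC dynamically and that entry counts toward the maximum.

```python
# Simplified model of one port-security interface (added example, not IOS code).
# MAC addresses are constructed placeholders; the lab's real values are not on this page.
PC3, PC4, SW4, ROGUE = "0200.0000.0003", "0200.0000.0004", "0200.0000.00f4", "0200.0000.0bad"

class SecurePort:
    def __init__(self, maximum=1, violation="shutdown"):  # IOS defaults
        self.maximum, self.violation = maximum, violation
        self.static, self.dynamic = set(), set()
        self.admin_up, self.err_disabled, self.violations = True, False, 0

    def shutdown(self):
        self.admin_up = False
        self.dynamic.clear()  # non-sticky learned addresses are flushed on link down

    def no_shutdown(self):
        self.admin_up, self.err_disabled = True, False

    def configure_static(self, mac):
        """Model 'switchport port-security mac-address <mac>'; False means rejected."""
        if mac not in self.static:
            if len(self.static | self.dynamic) >= self.maximum:
                return False  # secure-address table is already full
            self.static.add(mac)
        return True

    def receive(self, mac):
        """Return True if a frame with this source MAC is forwarded."""
        if not self.admin_up or self.err_disabled:
            return False
        if mac in self.static | self.dynamic:
            return True
        if len(self.static | self.dynamic) < self.maximum:
            self.dynamic.add(mac)  # free slot: learn the source dynamically
            return True
        if self.violation == "shutdown":
            self.err_disabled = True  # the whole port stops forwarding
        if self.violation != "protect":
            self.violations += 1  # protect drops silently, without counting
        return False

def configure_lab(port, shut_first):
    """Pre-define PC3 and PC4; return whether each static entry was accepted."""
    # Without the shutdown, the live port hears a neighbor (SW4 here) before config is done.
    port.shutdown() if shut_first else port.receive(SW4)
    accepted = [port.configure_static(PC3), port.configure_static(PC4)]
    port.no_shutdown()
    return accepted

def pcs_forward_after_violation(violation):
    """After one frame from an unknown source, do PC3 and PC4 still get through?"""
    port = SecurePort(maximum=2, violation=violation)
    configure_lab(port, shut_first=True)
    port.receive(ROGUE)  # unknown source while the table is full
    return port.receive(PC3) and port.receive(PC4)
```

In this model, configuring on a live port with maximum 2 accepts only the first static entry, while shutting the port first (or raising the maximum to 3) accepts both; with the default shutdown mode a single unknown frame also cuts off PC3 and PC4, which protect and restrict avoid.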