Config Lab: Basic Port Security 2


Quick, can you name all the small options available with Cisco’s port security feature on Catalyst IOS images? Most of us can’t, unless we’re in the middle of studying for CCENT, CCNA, or CCNP R&S SWITCH. But this blog is meant to help you prepare for a couple of those, so here’s another chance to review and recall those options with another basic port security lab.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise


You need to configure port security on some access ports on a Catalyst switch. You do know that only one device should connect to each switch port. However, you do not know the MAC address of each device.

Your job in this lab: enable port security on the requested ports, allowing one and only one device to send traffic through the port. Also cause the switch to learn the first MAC that sends traffic, and remember that MAC address for the long term.

The specific rules for this lab are:

  • Enable port security on all displayed access interfaces in the figure
  • Configure port security so that all valid learned MAC addresses will be automatically converted to secure MAC addresses
  • Allow only one MAC address to send frames into the port
  • Use default settings where possible, and do not configure any settings that are not required
  • As an added bonus, consider how to configure any interface subcommands two different ways: any interface commands per-interface, or one time for all interfaces

Figure 1: Single Switch


Initial Configuration

While you might be able to configure port security based on the information supplied so far, the initial configurations of the switch might be helpful, as shown in Figure 1.

hostname SW1
interface FastEthernet0/1
 no shutdown
interface FastEthernet0/2
 no shutdown 
interface FastEthernet0/3
 no shutdown
interface FastEthernet0/4
 no shutdown

Example 1: SW1 Config

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, follow a workflow similar to the one for Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!


Network Device Info:

This table lists the interfaces used in the lab exercise documentation that differ from those used in the sample CML file.

Device  Lab Port  CML Port
SW1     F0/1      G0/1
SW1     F0/2      G0/2
SW1     F0/3      G0/3
SW1     F0/4      G1/0

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)


interface FastEthernet0/1
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky
interface FastEthernet0/2
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky
interface FastEthernet0/3
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky
interface FastEthernet0/4
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky

Example 2: SW1 Config with Port Security Added

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)


Often the configuration of port security does not need to be overly complex, as long as a few basic points about a port security implementation are known. These include:

  • Port Security is disabled by default
  • Once enabled, each port is allowed only a single MAC address by default
  • The default violation mode is to shut down the port, which places the port in the err-disabled state
  • A violation occurs if a frame is received from a MAC address not in its secure MAC address table
  • The port security feature is not supported on dynamic mode ports

Another configuration option of the port security feature is to automatically convert dynamically learned MAC addresses to static secure MAC addresses. So what does this mean? Normally, when an address is learned, it counts against the secure MAC address limit (remember the default is 1), but the MAC address is not placed into the configuration; it exists only in an internal table used by the port security feature. Should the switch be rebooted, the MAC address linked to the interface will be reset to the first one it sees traffic from. One alternative is to statically configure the MAC addresses of every attached interface, a time-consuming task that is not feasible for most administrators. The other alternative is to use sticky learning.

When using sticky learning, the switch listens for a device (or devices) on an interface. The first MAC address that is seen on the interface will be placed into the running configuration as a statically configured secure MAC address (this also works for multiple MAC addresses should the maximum be increased from its default of 1). All the administrator needs to do is wait for all the expected devices to send traffic and be seen by the switch. Once this is done, the only task left is to save the configuration.

Following the configuration in order:

  • The switchport mode access command changes the port from its default dynamic status to statically be an access port.
  • The switchport port-security command enables port security with all defaults.
  • The switchport port-security mac-address sticky command tells port security to record into the running-config any learned MAC addresses that are legal (in other words, those that are not considered violations).
  • The relevant defaults are: 1 MAC address per port.

Finally, you could have configured the three subcommands as shown in Example 3, using the interface range command, to save some typing.


SW1# configure terminal
SW1(config)# interface range FastEthernet0/1 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security mac-address sticky
SW1(config-if-range)# end

Example 3: Using the interface range Command to Save Typing
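
An offline check of the points in this commentary, as an added example that is not part of the original lab: the Python script below parses a running-config and a startup-config and reports ports that lack any of the lab's three subcommands or that hold sticky MAC addresses not yet saved. Both configs, the MAC addresses, and the function names are constructed for illustration.

```python
import re
# Constructed running-config after hosts on Fa0/1 and Fa0/2 sent traffic; MACs are made up.
RUNNING = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0200.1111.1111
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0200.2222.2222
interface FastEthernet0/3
 switchport port-security
"""
# Constructed startup-config: saved before Fa0/2 learned its address.
STARTUP = RUNNING.replace(" switchport port-security mac-address sticky 0200.2222.2222\n", "")
REQUIRED = {  # the lab's three interface subcommands -> finding when absent
    "switchport mode access": "not a static access port",
    "switchport port-security": "port security not enabled",
    "switchport port-security mac-address sticky": "sticky learning not enabled",
}
STICKY_MAC = re.compile(r"switchport port-security mac-address sticky ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})")

def parse(config):  # interface name -> list of its subcommands
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ports

def sticky_macs(cmds):
    return {m.group(1) for m in map(STICKY_MAC.fullmatch, cmds) if m}

def audit(running, startup):
    """Return (interface, finding) pairs for missing subcommands and unsaved sticky MACs."""
    findings, saved = [], parse(startup)
    for name, cmds in parse(running).items():
        findings += [(name, msg) for cmd, msg in REQUIRED.items() if cmd not in cmds]
        unsaved = sticky_macs(cmds) - sticky_macs(saved.get(name, []))
        findings += [(name, f"sticky MAC {mac} not saved to startup-config") for mac in sorted(unsaved)]
    return findings

if __name__ == "__main__":
    print(*audit(RUNNING, STARTUP), sep="\n")
```

An unsaved sticky address is lost on reload, at which point the port learns whichever MAC address sends traffic first.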

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

#  Summary  Detail
1  None     No known issues related to this lab.


Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration, but without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface, the Command Line Interface (CLI), without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps. 

  1. On the hosts, confirm the IP address and MAC address settings match the figure as supplied in the lab.
  2. Predict which ports will be disabled by port security once the PCs generate traffic.
  3. Test by using the ping command on the PCs to attempt to ping each other.
  4. From the switch, use commands like show port-security, show port-security interface, and show port-security address to confirm whether port security worked as expected.

More Labs with Related Content!

Config Lab: Basic Port Security 1
Config Lab: Basic Port Security 3

Hello Wendell,

Please a question. My understanding from reading the CCNA study guide is that a port configured for port security can dynamically learn mac addresses either by using the sticky option in the configuration command or just simply enabling port security on the port. My question then is this: What is the difference between the two dynamic options and when do you use one and not the other?
Also the lab requires that the switch remember the dynamically learned mac address for a long time. My thought process is that as worded in this question, none of the config options covered in this topic meets this requirement. I say this because using sticky option saves the mac in running config file which is temporary. The admin will still require another step of saving the config file to start up file to accomplish this requirement.

Last edited 4 months ago by Tewa