Config Lab: Basic Port Security 3

 In 200-301 V2 Ch06: Port Security, 200-301 V2 Part 2: Security Services, 200-301 V2 Parts, Config Lab, Config Lab CCNA Vol 2 Part 2, Hands-on

Sometimes, #CCNA studiers get bogged down with port security, focusing on all those little optional configuration settings. But what of the main feature: securing the port? This latest lab revisits the big ideas of what a switch does using port security when frame violate the rules.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise


For this lab, configure port security, with very little in terms of requirements. However, do not stop processing the good traffic that enters those ports. In particular, use these rules:

  • Enable port security on all displayed access interfaces in the figure
  • Drop all violating traffic
  • Do not drop non-violating traffic
  • Do not attempt to send SNMP traps for violating traffic
  • Use default settings where possible and do not configure any settings that are not required
  • As an added bonus, consider how to configure any interface subcommands two different ways: any interface commands per-interface, or one time for all interfaces

Figure 1: Single Switch

 Initial Configuration

While you might be able to configure port security based on the information supplied so far, the initial configurations of the switch might be helpful, as shown in Figure 1.

hostname SW1
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown

Example 1: SW1 Config

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!


Network Device Info:

The CML topology matches the lab topology

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)


interface GigabitEthernet0/1
  switchport mode access
  switchport port-security
  switchport port-security violation protect
interface GigabitEthernet0/2
  switchport mode access
  switchport port-security
  switchport port-security violation protect

Example 2: SW1 Config Answers

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)


Often the configuration of port security does not need to be overly complex. As long as a few basic points about a port security implementation are known, including:

  • Port security is disabled by default
  • Once enabled, each port is only allowed a single MAC address by default
  • The default violation mode is to shutdown the port resulting in a port in the err-disabled state
  • A violation occurs if a frame is received from a MAC address not in its secure MAC address table
  • The port security feature is not supported on dynamic mode ports

There are three different violation modes that are configurable with the port security feature: shutdown, restrict, and protect.

Shutdown: The shutdown violation mode is the default and will automatically disable a port and place it into an err-disabled state should a violation occur.

Restrict: The restrict violation mode will drop all offending traffic (from MAC addresses that are not configured and over the maximum MAC count configured) AND increment the security violation counter AND send a violation message (via SNMP). Restrict mode does not, however, move the port to an err-disabled state, which means that non-violating traffic still works.

Protect: The protect violation mode will drop all offending traffic but NOT increment the security violation counter or send SNMP traps for violations.


Following the configuration in order:

  • The switchport mode access command changes the port from its default dynamic status to statically be an access port.
  • The switchport port-security command enables port security with all defaults.
  • The switchport port-security violation protect command tells port security to change from the default shutdown mode to instead use protect mode.
  • The relevant defaults are: 1 MAC address per port, which is the first learned MAC on the port.

Finally, you could have configure the three subcommands as shown in Example 3, using the interface range command, to save some typing.

SW1# configure terminal
SW1(config)# interface range GigabitEthernet0/1 - 2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security violation protect
SW1(config-if)# end

Example 3: Using the interface range Command to Save Typing

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

# Summary Detail
1 None No known issues related to this lab.


Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps. 

As written, this lab makes it difficult to break the port security rules and trigger a port security violation. If you would like to test the lab, you would need to expand your design as follows:

  1. On switch ports G0/1 and G0/2, add a new LAN switch to the design. Move the existing PCs to connect to the new switches, respectively.
  2. Add another PC to each new switch, and configure an IP address in the same subnet in each case.
  3. At this point, you have a design in which frames from two PCs can enter switch SW1’s port G0/1, and likewise for SW1’s port G0/2, just by pinging. Use pings whose traffic must flow through SW1 to cause two PCs to attempt to send frames into SW1, therefore breaking the maximum of two MAC addresses allowed on a port per your lab configuration.
  4. From the switch, use commands like show port-securityshow port-security interface, and show port-security address to confirm whether port security worked as expected.

More Labs with Related Content!

Config Lab: Basic Port Security 2
Config Lab: Basic Port Security 4
Notify of

Newest Most Voted
Inline Feedbacks
View all comments

In this example the two mac-address doesn’t need to be static added with switchport port-security mac-adress _address_ ?


Hi Elton,
Well, I wrote the words in the lab, and I re-read them. I think the lab, as written, is silent about it: It doesn’t say to predefine the MAC addresses and it doesn’t say to assume the correct ones will be learned. So, I’d say it’s up to you – as long as you understand the differences between the offered answer (without pre-defining the addresses) vs predefining the addresses, I think we’ve done what the lab is here for.
In real life, yes, if you know the MACs beforehand, it would be better to configure them. It’s also less likely to know many of the MACs beforehand, unless you trust the MAC table, which may have entries from attackers when you check it… 🙂 round and round we go.

Would love your thoughts, please comment.x