A: A Port Security Question

 In 200-301 V2 Ch06: Port Security, 200-301 V2 Part 2: Security Services, CCENT-OLD, Q&A

You know the drill. Check this earlier port security question, and then come back here to check your answer and logic. The answer is below the fold. Enjoy!

Letter Answers:

B, C, D



To answer this question, you can think about port security from two perspectives:

  • What settings need to be configured?
  • Are any of those settings also default settings, and therefore do not need to be set?

Basically, you need to think about the correct configuration, but because the question also specifically asks that you not add any commands that configures a default setting, you have to filter out any of commands that simple set the same value as a default.

First, consider these defaults that affect enabling port security:

Port Security is disabled on each port by default

Negotiation occurs as to whether the port becomes an access port or trunk port

If access: by default, the port is in VLAN 1

If trunk: by default, all VLANs are supported on the trunk

To enable port security, the port must not be allowed to negotiate its status as either ran access or trunk port. Either access or trunk mode is allowed, but it must be statically configured. Then, port security can be enabled on the port using the switchport port-security interface subcommand.

Once port security is enabled, port security has many other defaults:

A maximum of 1 MAC address can send frames into the port

No specific MAC address is predefined

The violation mode is shutdown

Sticky address learning is not used

Two of these defaults match the requirements in the question. First, the violation mode – the action the switch takes when a violation occurs – defaults to shut down the port. The defaults also allow frames from only a single MAC address. So, you do not need to configure these settings.

The only non-default port security setting is to define host A’s MAC address to the switch, so the switch will allow frames from host A. That is, allow frames whose source MAC address is host A’s MAC of 0200.AAAA.AAAA.

The following example shows the configuration steps, in this case making the port an access port:


SW1#configure terminal
SW1(config)#interface FastEthernet0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address 0200.AAAA.AAAA


Note that you could have used the switchport port-security mac-address sticky command (answer E) in a real network. However, the question stated that no other devices should be allowed to send frames, and within the confines of this question, depending on when this command was issued compared to when an attacker sends a frame into this switch port, this command allows the possibility of allowing frames sent by a host other than host A. However, if the question had allowed for the engineer to configure this command, and then make sure that host A’s MAC address was learned by the switch’s port security sticky MAC function, then this answer would also have been correct.


Housekeeping Notice: No Config Labs for this Book Part
Q: Which ARP and Where
Notify of

Newest Most Voted
Inline Feedbacks
View all comments

Thank you very much for the detailed response. Looking forward to your next challenge.


I have a quick question, what happens if we enable port security with maximum of one mac address, but do not actually configure any mac address, either sticky or manually?


Actually, just to add to that, I just tested the above-mentioned scenario and it rejected the attached host straight away. Does this result make sense?


In my opinion B and C answers only are correct as I think that the MAC doesn’t need to be configured manually by default. But if you don’t use “sticky” or static MAC, the port will delete PC’s MAC from the table after reload or after some time of inactivity (for example PC is shutdown for a while) and someone else can use that port by another PC. The question is a bit tricky because it says strictly only commands that need to be written. Although in real life I would choose static MAC as well (answer D) or “sticky”.


Auone, When you enable port security with default options (max 1, no sticky, dynamic, violation shutdown), it means that you can connect and send frames to that port from only 1 device(any device, but only 1 ), and if you unplug it and put another device instead, the allowed MAC addr will be dynamically changed.

Now, lets imagine that you plug in another switch called SW2 to that port, everything would be ok because it doesn’t violate the maximim. Until the point when you decide to connect a host to SW2, then there would be 2 MAC addresses sending frames to the secured port, which violates the “maximum 1 mac” rule. So, the port would be put in an err-disabled state.

I just tested this using cisco packet tracer, and after each plug/unplug I used “show port-security interface ” to check the detailed status change step by step.
I hope this helps!

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Would love your thoughts, please comment.x