Basic Port Security

By Wendell August 18, 2015 09:05

Cisco’s Port Security feature just happens to be one of those switch features that can confuse people until they’ve configured and tested it a few times. One challenge comes from the fact that you can enable port security with one command on an interface (switchport port-security), with many default settings, but then you can also re-configure a variety of other settings. Understanding each setting, and remembering them all (and when to use each) poses a challenge.

In this post, you’ll get to enable port security with some basic features, just to get more exercise with choosing which options to leave as defaults, and which to configure.


Your job: configure port security on SW3 so that both devices off port F0/3 can send data through the switch, but that no other devices can send data through SW3’s F0/3 port. To begin the lab, all switches work, all interfaces shown are up an working, and none of the switches have been configured with port security.

The specific rules for this lab are as follows:

  1. Allow traffic from PC3 and PC4 into SW3’s F0/0 port, but disallow traffic from other sources
  2. Pre-define all MAC addresses for port security
  3. All other port security settings unnecessary to the above should be left as defaults
  4. If choosing a numeric parameter, and many values would work, choose the smallest number that would work.

On that last point about choosing numbers, in case it is unclear, consider this example. If a number could be set to a value between 1 and 1000, pick 1. That way, your answer will likely look more like my answer.

Figure 1: Switch Triangle


Initial Configuration

While you might be able to configure port security based on the information supplied so far, the initial configurations of the three switches can also be helpful. Example 1, 2 and 3 show the beginning configuration state of SW1, SW2 and SW3.


Example 1: SW1 Config

Example 2: SW2 Config


Example 3: SW3 Config


Answer on Paper, and Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure it there.

If you do attempt this lab on a real OS, you can test by setting your hosts to use the same MAC addresses shown in the figure, seeing them work, and then setting the MAC addresses to different values, and hopefully seeing port security filtering the traffic.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

Compared to the lab diagram shown earlier in this lab, for this lab to work in VIRL, we added the unmanaged switch to allow for multiple hosts to connect to interface G0/3 of switch SW3.

To test your results, you can connect PC5 to the unmanaged switch. Then login to PC5 and attempt to ping PC1. This should cause a port security violation.


Network Device Info:

This table lists the interfaces changed in this lab to work well in VIRL.

Device Lab Port VIRL Port
SW1 F0/0 G0/3
SW2 F0/0 G0/3
SW3 F0/0 G0/3


Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address Mac Address User/password
PC1 02:00:00:00:11:11 cisco/cisco
PC2 02:00:00:00:22:22 cisco/cisco
PC3 02:00:00:00:33:33 cisco/cisco
PC4 02:00:00:00:44:44 cisco/cisco
PC5 02:00:00:00:55:55 cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: traceroute

To connect to another node within the topology: telnet


Answers: Basic VLANs
Answers: Basic Port Security
By Wendell August 18, 2015 09:05
Write a comment


  1. Travis August 18, 21:45

    I ran it on a 2950 but I didn’t have any hosts to very it on.

    SW3#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    SW3(config)#int fa0/3
    SW3(config-if)#no shutdown
    SW3(config-if)#switchport port-security maximum 2
    SW3(config-if)#switchport port-security mac-address 0200.0000.3333
    SW3(config-if)#switchport port-security mac-address 0200.0000.4444

    Reply to this comment
    • certskills August 19, 05:53

      Thanks for the post. And on your “no hosts” comment…

      If you have a router or two, use those. use the “mac-address” interface subcommand on the router to set the router’s MAC to whatever you want. It’s a great convenient way to test sending frames with different MAC addresses.

      Reply to this comment
  2. Mike August 18, 22:38

    ! per the diagram, PC3 and PC4 are off switch3’s fa0/0 interface
    sw3(config)# int fa0/0
    sw3(config-if)# no shutdown
    sw3(config-if)# switchport mode access
    sw3(config-if)# switchport port-security
    sw3(config-if)# switchport port-security maximum 2
    sw3(config-if)# switchport port-security mac-address 0200.0000.3333
    sw3(config-if)# switchport port-security mac-address 0200.0000.4444
    sw3(config-if)# switchport port-security violation restrict
    ! Rather than have the port go into (default) violation shutdown mode
    ! and stop passing traffic, we can choose violation mode restrict.
    ! We could instead use violation mode of protect
    ! if we didn’t want the violation counter to increment
    sw3(config-if)# end

    Reply to this comment
  3. rob42 October 30, 14:11


    First off, thanks for these labs; I’m putting in to practice what I’ve learned from your books: ICND1 100-101 & ICND2 200-101.

    I’m quite new to this, having only been studying for my CCNA for the past 13 weeks or so, part time.

    I’m reproducing these labs with CPT 7, but I’m confused by this layout.

    PC3 & PC4 seem to both be connected to SW3-Fa0/0, which is fine as I can simply use a HUB between the PCs and SW3, right?

    Also I can sub your Fa0/0 ports for Fa0/1 in my lab as the 2960-24TTs in CPT 7 don’t have Fa0/0.

    But, you say…
    “Your job: configure port security on SW3 so that both devices off port F0/3 can send data through the switch, but that no other devices can send data through SW3’s F0/3 port.”

    But, we don’t have any PCs connected to SW3-F0/3. What is it that I’m missing please?

    With thanks.


    Reply to this comment
    • certskills November 2, 10:09

      Hi Rob,
      Perfect set of questions. Let me answer directly:

      Yes, that funny drawing on the lower right, think of it as a hub. It’s meant to look like 10Base2, but that’s even less fair to assume you’d make that mental connection. 🙂

      Yes, if you want to try any of this in real gear, PT, etc etc, feel free to just use port numbers that match what you can create there.

      On your last question, imagine a PC5 on that same hub. That is, configure port security so that if any other future device was connected, it would not be allowed to send frames into the network.

      I think that covered it. Thanks!

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.