Packet Tracer - Implement Port Security

Author playboxdownload

Packet Tracer implement port security: a step‑by‑step guide that shows how to secure switch ports, configure MAC address limits, set violation actions, and verify the settings in Cisco Packet Tracer. This article walks you through the concepts, practical configuration steps, and troubleshooting tips so you can protect your simulated network from unauthorized devices.

Understanding Port Security in Cisco Packet Tracer

What is Port Security?

Port security is a Layer 2 feature that restricts the MAC addresses allowed on a switch port. By limiting the number of MAC addresses or specifying which addresses are permitted, you prevent unknown devices from connecting and mitigate MAC-flooding attacks. In Packet Tracer, you can enable and test port security exactly as you would on a real Cisco device.

Why Use Port Security?

  • Control access – Only authorized devices can use a port.
  • Prevent MAC-flooding – Limits the number of MAC addresses learned.
  • Define violation behavior – Choose to shut down the port (shutdown), silently drop frames from the offending MAC (protect), or drop them and log the event (restrict).
  • Facilitate learning – The sticky feature can automatically add legitimate MAC addresses to the running configuration.

Step‑by‑Step Implementation

1. Prepare the Simulation Environment

  1. Drag a Switch (e.g., 2960) onto the workspace.
  2. Connect end‑devices (PCs or servers) to the switch’s FastEthernet ports.
  3. Ensure the devices obtain IP addresses via DHCP or static assignment; they will be used to generate traffic.

2. Enable Port Security on a Target Port

  1. Enter global configuration mode:
    configure terminal
    
  2. Select the specific interface, for example FastEthernet0/1, and make it a static access port (the port-security command is rejected on a port that is still in dynamic trunking mode):
    interface fastethernet 0/1
    switchport mode access
    
  3. Turn on port security:
    switchport port-security
    
  4. Set the maximum number of MAC addresses allowed (e.g., 2):
    switchport port-security maximum 2
    
  5. Choose a violation mode. Common options are shutdown, protect, or restrict. For a clear reaction, use shutdown:
    switchport port-security violation shutdown
    
  6. (Optional) Enable sticky learning so that legitimate MAC addresses are saved automatically (note the full keyword sequence; sticky is a sub-option of mac-address):
    switchport port-security mac-address sticky
    

3. Verify the Configuration

  1. Exit to privileged EXEC mode and display the switchport settings (mode, access VLAN) of the interfaces:
    show interfaces switchport
    
  2. Check the security status:
    show port-security interface fastethernet 0/1
    
    The output will show the current Violation mode, Maximum MAC addresses, and the Secure MAC addresses list.

4. Test the Security Mechanism

  1. Connect a second PC to the same switch port (or use the Reconnect feature).
  2. Power on the new device; its frames carry a different source MAC address than the one already secured.
  3. Observe the behavior based on the violation mode:
    • shutdown – The port status changes to err‑disable; the LED turns off.
    • protect – The packet is dropped but the port remains up.
    • restrict – The packet is dropped and a log entry is generated.

5. Expand to Multiple Ports

  • Repeat steps 2‑4 for each port you wish to secure.
  • Use the copy command to duplicate configurations across similar ports, saving time in larger topologies.

Scientific Explanation of How Port Security Works

When a switch port is configured for port security, the device performs MAC address learning only up to the specified limit. Each incoming frame is inspected for its source MAC address. If the address is unknown and the learned MAC count has not been reached, the address is added to the secure MAC table. If the limit is exceeded, the configured violation action is triggered:

  • shutdown – The port is placed into an err‑disable state, effectively cutting off all traffic. This is the safest default because it isolates the offending device immediately.
  • protect – Frames with unknown source MACs are dropped, but the port stays up, allowing other traffic to continue.
  • restrict – Similar to protect, but a log message is generated, useful for troubleshooting.

The sticky feature stores dynamically learned MAC addresses in the running configuration, enabling the switch to retain legitimate devices without manual re‑entry after a reload. Underlying this process is the CAM (Content Addressable Memory) table, which maps MAC addresses to switch ports. Port security interacts directly with the CAM to enforce the MAC limit and violation policy.

Frequently Asked Questions (FAQ)

Q1: Can I set different security levels on adjacent ports?
Yes. Each interface can have its own security parameters. Configure each port independently to match the security requirements of the connected device.

Q2: What happens if I exceed the maximum MAC addresses but use the protect violation mode?
The switch will drop frames from the unauthorized MAC address while keeping the port up. No shutdown occurs, but the offending device loses connectivity until it releases the MAC address or the limit is reset.

Q3: Is sticky learning recommended for production networks?
In real environments, sticky is useful for automating configuration but should be combined with a proper security policy. In Packet Tracer, it simplifies demonstration by automatically saving legitimate MAC addresses.


Q4: How do I verify and troubleshoot port‑security settings on a Cisco switch?
To confirm that port security is functioning as intended, use the following show commands:

  • show port-security interface <interface> – Displays the current violation mode, maximum allowed MAC addresses, number of secured addresses, and the last violation source MAC.
  • show port-security address – Lists all secure MAC addresses learned on the switch, indicating whether each entry is static, sticky, or dynamic.
  • show port-security – Provides a summary of all interfaces with port security enabled, useful for spotting mis-configurations across multiple ports.
  • show errdisable recovery – If a port has entered the err-disable state (shutdown mode), this command shows the recovery timer and reason for the error-disable condition.

When troubleshooting, clear the violation counters with clear port-security sticky or clear port-security dynamic as needed, and then re-test traffic from the suspected device. If the port repeatedly err-disables, verify that the connected device is not spoofing MAC addresses or that the maximum MAC limit is set appropriately for the expected number of devices (e.g., a phone plus a PC on the same port).


Q5: Can port security be combined with other Layer 2 features such as voice VLAN or 802.1X?
Yes. Port security operates independently of voice VLAN assignments and 802.1X authentication. A common deployment is to configure a port for both voice VLAN (to carry IP‑phone traffic) and port security with a limit of two MAC addresses—one for the phone and one for the attached PC. When 802.1X is enabled, the switch first authenticates the supplicant; only after successful authentication does port security begin learning MAC addresses, ensuring that only authorized devices can secure MAC slots.


Q6: How does MAC address aging work with port security, and when should I adjust it?
Secure MAC addresses can be configured with an aging timer using the switchport port-security aging time <seconds> command. Two aging types are available:

  • Absolute – The address is removed after the fixed time elapses, regardless of activity.
  • Inactivity – The address is removed only if no frames with that source MAC are seen during the interval.

Adjust aging when you expect legitimate devices to change frequently (e.g., in a lab or hot‑desk environment) to prevent stale entries from consuming the MAC limit. In stable production environments, disabling aging (no switchport port-security aging time) or using a long absolute timer helps maintain consistent security bindings.
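The learning and violation logic from the "Scientific Explanation" section together with the two aging types from Q6, as an added Python model; this is not part of the article and not Cisco's own code. The class SecurePort, its field names and the syslog text are assumptions, and the mode behaviour follows the descriptions above (protect drops silently, restrict drops and logs, shutdown err-disables the port):

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified model of one port-security access port (assumed names, not IOS code)."""
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # shutdown | protect | restrict
    sticky: bool = False           # switchport port-security mac-address sticky
    aging_time: int = 0            # seconds; 0 means aging disabled
    aging_type: str = "absolute"   # absolute | inactivity
    secure: dict = field(default_factory=dict)   # mac -> [learned_at, last_seen]
    running_config: list = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0
    syslog: list = field(default_factory=list)

    def _age_out(self, now: int) -> None:
        """Remove secure entries whose timer expired (Q6: absolute vs inactivity)."""
        if not self.aging_time:
            return
        for mac, (learned, seen) in list(self.secure.items()):
            reference = learned if self.aging_type == "absolute" else seen
            if now - reference >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac: str, now: int = 0) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "err-disable"          # port stays down until recovered
        self._age_out(now)
        if src_mac in self.secure:        # known secure address: refresh and pass
            self.secure[src_mac][1] = now
            return "forward"
        if len(self.secure) < self.maximum:   # room left under the limit: learn it
            self.secure[src_mac] = [now, now]
            if self.sticky:               # sticky writes the entry into running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Limit exceeded: apply the configured violation mode
        if self.violation == "protect":   # silent drop, counter untouched
            return "drop"
        self.violations += 1              # restrict and shutdown both count and log
        self.syslog.append(f"port-security violation from {src_mac}")  # constructed text
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True          # shutdown: port goes err-disabled
        return "err-disable"
```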


Conclusion

Port security is a fundamental hardening technique that limits the number of MAC addresses a switch port can learn and enforces a defined response when that limit is exceeded. By carefully selecting the violation mode (shutdown, protect, or restrict), employing sticky learning where appropriate, and verifying configurations with the appropriate show commands, network administrators can effectively mitigate MAC‑spoofing attacks and unauthorized device connections. Combining port security with complementary features such as voice VLAN, 802.1X, and proper MAC‑address aging creates a layered defense that adapts to both static and dynamic office environments. Regularly reviewing the port‑security table and adjusting limits to match the legitimate device count ensures the switch remains both secure and operationally efficient.
