═══════════════════════════════════════════════════════════════════
RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY
═══════════════════════════════════════════════════════════════════
RED IRISH GLOBAL SERVICES
Defense Information Capacity Development Program (DICDP)
Communications and Information Systems (CIS) Track — Foundation Level
Foundation Networking Course | Day 03 Exercise 2 — Port Security
Document ID: DICDP-CIS-FNC-D03-SUP1-EX2-v1.2
Issued: [date]
Controlled by: Program Director, DICDP, Red Irish Global Services
Redirect requests: ops@redirish.global
Distribution: RESTRICTED — Program participants only
═══════════════════════════════════════════════════════════════════
Restricted Distribution Statement
This material is the intellectual property of Red Irish Global Services. Distribution is authorized only to participants enrolled in the Defense Information Capacity Development Program (DICDP). Reproduction, transmission, posting to public networks or social media, sharing with non-participants, or use as the basis for derivative training materials, in whole or in part, requires prior written authorization from Red Irish Global Services. Other requests shall be referred to: ops@redirish.global
Exercise 2 — Port Security: Locking a Port to One Device
Document ID: DICDP-CIS-FNC-D03-SUP1-EX2-v1.2 Document Version: v1.2
This exercise picks up exactly where the Day 3 Command Reference (Exercise 1) left off. You already have SW-ACCESS-01 built — hostname set, passwords set, SSH working, VLANs created, ports assigned. Everything in this exercise builds on that switch. If you have not completed Exercise 1 yet, do that first.
Before You Start — What Problem Are We Solving?
Right now, Fa0/1 on SW-ACCESS-01 is an access port in VLAN 10. It will accept any device that gets plugged into it. Walk into the room, find an open Ethernet jack, plug in a laptop — the switch lets it on the network. It does not check who you are or what device you are. It just forwards whatever it sees.
That is a problem. In this exercise you will lock Fa0/1 so that only PC1's network card is allowed to use it. If anything else gets plugged into that port, the switch will notice and shut the port down automatically.
This is called port security, and it works by watching the MAC address of whatever is connected.
Quick reminder — what is a MAC address? Every network card has a unique hardware address burned in at the factory, called a MAC address. It looks like 0001.42AB.33C4. Unlike an IP address, it never changes and is not something a user can easily reassign. This makes it a reliable way for a switch to recognize "this is the same device I saw before" — which is exactly what port security uses it for.
Part 1 — See the MAC Address Before You Lock Anything
Before you configure anything, look at what the switch already knows. PC1 has been connected and pinging through this topology since Exercise 1, so the switch has already learned its MAC address automatically — this happens with zero configuration, just by a device being plugged in and sending traffic.
On SW-ACCESS-01, in Privileged EXEC mode (the # prompt, not (config)#):
SW-ACCESS-01# show mac address-table
Expected output:
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0001.42aa.1111 DYNAMIC Fa0/1
10 00d0.587d.2222 DYNAMIC Fa0/2
99 0090.2b33.3333 DYNAMIC Fa0/3
Read this left to right: VLAN, then the MAC address the switch saw, then how it learned it (DYNAMIC means the switch learned it on its own — nobody typed it in), then which port it came in on.
Find the row for Fa0/1. That MAC address belongs to PC1. Write it down — you will need it to confirm later that port security locked onto the right device.
You can also ask for just one port instead of the whole table:
SW-ACCESS-01# show mac address-table interface fastethernet 0/1
This is the command you will use most often in real life — when you only care about what one specific port has learned.
This step matters because it is exactly what a real network administrator does before locking a port: look first, then lock. You do not guess a MAC address and type it in. You let the switch tell you what is already there, and then you turn that into a permanent, locked entry.
Part 2 — Configure Port Security on Fa0/1
Now lock the port using sticky learning. This tells the switch: "Whatever MAC address you already learned on this port — or the next one you see — write it down permanently and never accept a different one."
On SW-ACCESS-01:
SW-ACCESS-01# configure terminal
SW-ACCESS-01(config)# interface fastethernet 0/1
SW-ACCESS-01(config-if)# switchport port-security
SW-ACCESS-01(config-if)# switchport port-security maximum 1
SW-ACCESS-01(config-if)# switchport port-security mac-address sticky
SW-ACCESS-01(config-if)# switchport port-security violation shutdown
SW-ACCESS-01(config-if)# exit
SW-ACCESS-01(config)# end
SW-ACCESS-01#
%SYS-5-CONFIG_I: Configured from console by console
SW-ACCESS-01# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
| Command | What it does, in plain words |
|---|---|
| switchport port-security | Turns port security on for this port. This must be the first port-security command — every other port-security command needs this one already in place. |
| switchport port-security maximum 1 | Allows exactly one MAC address on this port. PC1 only — nothing else. |
| switchport port-security mac-address sticky | Takes whatever MAC address the port has already learned (or the next one it sees) and saves it as a permanent entry. This is how you avoid having to type the MAC address in by hand. |
| switchport port-security violation shutdown | If a second, different MAC address ever shows up on this port, shut the port down completely. This is the strictest option — there are gentler ones, covered in the note below. |
| end | Leaves configuration mode entirely and returns to Privileged EXEC. |
| copy running-config startup-config | Saves the configuration permanently. Do not skip this. If the switch loses power or is reloaded before this step, all the port security commands you just typed are gone and Fa0/1 goes back to accepting any device. |
About that %SYS-5-CONFIG_I line: this appears automatically the moment you leave configuration mode with end — it is not part of copy running-config startup-config and it does not mean anything was saved. It is just IOS noting that a change was made from the console. The real save confirmation is the [OK] that appears later, after copy running-config startup-config. Don't mistake the %SYS-5-CONFIG_I line for a save success or failure message — it would appear here even if you never saved at all.
Important — port security only works on access ports. The port must already be in access mode (switchport mode access) before any of this works, which Fa0/1 already is from Exercise 1.
The three violation modes, briefly: shutdown (used here) disables the port entirely until an administrator fixes it — strictest. restrict drops the unauthorized traffic but keeps the port up and just counts the violation. protect does the same as restrict but does not even log it. For a beginner exercise, shutdown is used because it gives the clearest, most obvious result to observe.
Part 3 — Confirm the Lock Took Effect
SW-ACCESS-01# show port-security interface fastethernet 0/1
Expected output:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.42aa.1111:10
Security Violation Count : 0
Check three things:
Port Status: Secure-up — the port is locked and working normally.
Sticky MAC Addresses: 1 — exactly one address was learned and saved.
Last Source Address — this should match the MAC address you wrote down in Part 1. If it does, the switch locked onto PC1, exactly as intended.
You can also confirm the address was written into the actual configuration, not just held in memory:
SW-ACCESS-01# show running-config interface fastethernet 0/1
You will see a line like switchport port-security mac-address sticky 0001.42aa.1111 — the switch wrote PC1's MAC address into the config by itself. You never typed it.
🛑 STOP — confirm this before continuing. If Sticky MAC Addresses shows 0, port security is on but has not learned anything yet — make sure PC1 sent at least one ping or packet through the port since you enabled sticky learning, then check again.
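The three Part 3 checks (plus the "look first, then lock" comparison from Part 1) can be automated against captured CLI output. The parser below is an added example and is not part of the original exercise; the two sample outputs are constructed to match the ones shown above, and the function names are my own.

```python
import re

# Constructed sample output, modelled on the Part 1 and Part 3 output in this exercise.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0001.42aa.1111    DYNAMIC     Fa0/1
  10    00d0.587d.2222    DYNAMIC     Fa0/2
  99    0090.2b33.3333    DYNAMIC     Fa0/3
"""
PORT_SEC = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.42aa.1111:10
Security Violation Count   : 0
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
# Key and value are separated by ' : '; the key itself may contain a colon (Address:Vlan).
FIELD = re.compile(r"^(.*?)\s+:\s+(.*?)\s*$")

def learned_macs(table_text):
    """{port: [(vlan, mac, learn_type), ...]} from 'show mac address-table' output."""
    result = {}
    for line in table_text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            result.setdefault(port, []).append((int(vlan), mac.lower(), kind.upper()))
    return result

def port_security_fields(text):
    """{field name: value} from 'show port-security interface' output."""
    return {m.group(1): m.group(2) for m in map(FIELD.match, text.splitlines()) if m}

def verify_lock(port, table_text, port_sec_text):
    """Apply the Part 3 checks; return (ok, findings). Empty findings means the lock is right."""
    before = [mac for _, mac, _ in learned_macs(table_text).get(port, [])]
    ps = port_security_fields(port_sec_text)
    findings = []
    if ps.get("Port Security") != "Enabled":
        findings.append("port security is not enabled: 'switchport port-security' is missing")
    if ps.get("Port Status") != "Secure-up":
        findings.append(f"Port Status is {ps.get('Port Status')!r}, expected 'Secure-up'")
    if ps.get("Sticky MAC Addresses") == "0":
        findings.append("no sticky address learned yet: the device has not sent a frame since sticky was enabled")
    elif ps.get("Sticky MAC Addresses") != "1":
        findings.append(f"Sticky MAC Addresses is {ps.get('Sticky MAC Addresses')!r}, expected '1'")
    last = ps.get("Last Source Address:Vlan", "").split(":")[0].lower()
    if last not in before:
        findings.append(f"locked MAC {last!r} does not match the address seen on {port} in Part 1: {before}")
    return (not findings, findings)

if __name__ == "__main__":
    ok, findings = verify_lock("Fa0/1", MAC_TABLE, PORT_SEC)
    print("lock OK" if ok else "\n".join(findings))
```

Feed it the real output of the two show commands and it reports the same three things the checklist above asks you to confirm, including the "Sticky MAC Addresses: 0" case from the STOP note.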
Part 4 — Prove It Works: Swap the Cable
This is the real test. So far you have only looked at text on a screen. Now you will physically demonstrate that the lock does what it claims.
What you are about to do: unplug PC1 from Fa0/1, and plug a different device into Fa0/1 instead. Because that device has a different MAC address, the switch should refuse it and shut the port down — automatically, with no command from you.
Step 1 — Add a third PC to the topology (if it is not already there). Name it PC3-ROGUE. Give it any IP address in the 192.168.10.0/24 range, for example 192.168.10.30 / 255.255.255.0. Do not connect it to anything yet.
Step 2 — In Packet Tracer, click the cable currently running between PC1 and Fa0/1 and delete it. PC1 is now disconnected.
Step 3 — Connect PC3-ROGUE to Fa0/1 using a straight-through copper cable — the same port PC1 used to occupy.
Watch the port light on the switch in Packet Tracer. It will flash, then very quickly turn from green to red. That red light is your first visible sign that something just got blocked.
Step 4 — Go back to the SW-ACCESS-01 CLI. Without you typing anything, the switch will have already printed messages like this on its own:
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00e0.8f9a.4444 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
This is normal and expected — this is the port security feature working exactly as designed. The MAC address shown is PC3-ROGUE's address, not PC1's, which is why it was rejected.
Part 5 — Confirm the Port Is Shut Down
SW-ACCESS-01# show port-security interface fastethernet 0/1
Expected output now:
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
...
Security Violation Count : 1
Two changes from Part 3: Port Status changed from Secure-up to Secure-shutdown, and Security Violation Count went from 0 to 1.
Now try to prove the port is really dead. On PC3-ROGUE, open the command prompt and try:
ping 192.168.10.20
Expected result: it fails completely — not slow, not partial, completely unreachable. Fa0/1 has been put into the err-disabled state by the switch itself. No traffic moves in either direction until an administrator fixes it.
One more way to see this, switch-wide: show interfaces status err-disabled lists every port currently disabled because of a security violation — useful in real life when you manage dozens of ports and need to quickly find which ones are down and why.
SW-ACCESS-01# show interfaces status err-disabled
Port Name Status Reason
Fa0/1 err-disabled psecure-violation
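The unsolicited log lines from Part 4, the sticky entry in the running config and the err-disabled listing above are the three pieces an administrator correlates when triaging a violation. The script below does that correlation; it is an added example, not part of the exercise, and its sample console log, config fragment and status table are constructed to match the output shown in Parts 3 to 5.

```python
import re

# Constructed sample data, modelled on the Part 4 console messages, the Part 3
# running-config line and the Part 5 'show interfaces status err-disabled' output.
CONSOLE_LOG = """\
%SYS-5-CONFIG_I: Configured from console by console
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00e0.8f9a.4444 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
"""
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.42aa.1111
"""
ERR_DISABLED = """\
Port      Name               Status       Reason
Fa0/1                        err-disabled psecure-violation
"""

VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
                       r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$", re.I)
STICKY = re.compile(r"^\s*switchport port-security mac-address sticky ([0-9a-f.]{14})$", re.I)

def short_name(ifname):
    """IOS prints FastEthernet0/1 in syslog but Fa0/1 in status tables; use one form."""
    return re.sub(r"^FastEthernet", "Fa", ifname)

def sticky_macs(config_text):
    """{port: sticky MAC} from running-config, tracking the current 'interface' block."""
    result, port = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            port = short_name(line.split()[1])
        m = STICKY.match(line)
        if m and port:
            result[port] = m.group(1).lower()
    return result

def violations(log_text):
    """[(port, offending MAC)] for every PSECURE_VIOLATION message in the console log."""
    return [(short_name(m.group(2)), m.group(1).lower())
            for m in map(VIOLATION.search, log_text.splitlines()) if m]

def err_disabled_ports(status_text):
    """{port: reason} from 'show interfaces status err-disabled' (header row skipped)."""
    out = {}
    for line in status_text.splitlines()[1:]:
        parts = line.split()
        if "err-disabled" in parts:
            out[parts[0]] = parts[-1]
    return out

def triage(log_text, config_text, status_text):
    """One finding per violated port: expected MAC, MAC actually seen, and whether it is still down."""
    expected, down = sticky_macs(config_text), err_disabled_ports(status_text)
    return [{"port": port, "expected_mac": expected.get(port), "seen_mac": seen,
             "still_err_disabled": port in down, "reason": down.get(port)}
            for port, seen in violations(log_text)]

if __name__ == "__main__":
    for finding in triage(CONSOLE_LOG, RUNNING_CONFIG, ERR_DISABLED):
        print(finding)
```

A port that appears in the findings with still_err_disabled set is one that needs the manual shutdown / no shutdown recovery from Part 6.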
Part 6 — Recovery: Bringing the Port Back
A port in err-disabled state will not come back on its own just by plugging the right device back in. An administrator has to clear it manually.
Step 1 — Reconnect PC1. Unplug PC3-ROGUE from Fa0/1 and plug PC1's original cable back in.
Step 2 — Manually bounce the interface:
SW-ACCESS-01# configure terminal
SW-ACCESS-01(config)# interface fastethernet 0/1
SW-ACCESS-01(config-if)# shutdown
SW-ACCESS-01(config-if)# no shutdown
SW-ACCESS-01(config-if)# exit
Why both commands? no shutdown by itself is not enough to clear an err-disabled state — the interface needs to be told to go down first, then come back up, before the switch will re-evaluate it. This is one of the most common mistakes at this stage: typing only no shutdown and then wondering why the port is still dead.
Step 3 — Confirm recovery:
SW-ACCESS-01# show port-security interface fastethernet 0/1
Port Status should read Secure-up again. Ping from PC1 to PC2 to fully confirm the port is passing traffic normally.
In a real environment with many ports, administrators do not want to bounce every violated port by hand. There is a way to make this happen automatically after a timer instead:
SW-ACCESS-01(config)# errdisable recovery cause psecure-violation
SW-ACCESS-01(config)# errdisable recovery interval 300
This tells the switch to automatically retry any port disabled by a port-security violation every 300 seconds (5 minutes). This is mentioned here for awareness only — manual recovery is what you are expected to demonstrate in this exercise.
⚠️ Packet Tracer note: this command is inconsistent across Packet Tracer versions and switch models — on some builds it is accepted and works, on others it is rejected outright or does not actually trigger recovery. If it doesn't work on your image, that is a known Packet Tracer limitation, not something you did wrong. Don't spend time troubleshooting it — manual recovery (shutdown / no shutdown, used in Part 6) is the reliable method and is what you will be tested on.
What You Just Proved
| Before | After |
|---|---|
| Fa0/1 accepted any device | Fa0/1 accepts only PC1's MAC address |
| No record of what was supposed to be there | Sticky-learned MAC written into the config automatically |
| An attacker could plug in anywhere | An attacker plugging into Fa0/1 gets the port shut down within seconds |
OSI layer check: Port security operates at Layer 2 — it inspects the source MAC address in the Ethernet frame header, not anything inside the IP packet or above. This is why it works identically no matter what protocol or application is running on top — it never even looks that far up the stack.
🔑 TRAINER ANSWER KEY
Common mistakes to watch for:
Forgetting switchport port-security first. Every other port-security subcommand silently fails or errors if this base command was not entered first. If students report "nothing happened," this is almost always the cause — have them check with show port-security interface fa0/1 and confirm Port Security: Enabled appears at all.
Typing only no shutdown during recovery. Without shutdown first, the port stays in err-disabled. Watch for students re-running just no shutdown repeatedly and getting confused.
Forgetting the port must be in access mode first. If a student's port is still in default dynamic auto/desirable mode, switchport port-security will be rejected outright with an error. This should not occur here since Fa0/1 was already set to access mode in Exercise 1, but flag it if a student is working on a fresh port.
Not generating any traffic before checking sticky learning. Sticky learning only captures a MAC address once the switch has actually seen a frame from it. If a student enables sticky learning on a port where the device has been idle, Sticky MAC Addresses will show 0 until the next ping or packet.
Confusing "port shut down" with "port unplugged." Some students assume the red light means the cable is bad. Reinforce: the cable and device are fine — the switch is the one refusing to forward traffic.
errdisable recovery not working for some students. This command is genuinely inconsistent across Packet Tracer versions and switch images — some classroom machines will accept it, others will reject it or accept it without actually recovering the port. This is a known Packet Tracer limitation, not a student error. Don't let this consume class time — redirect immediately to manual recovery (Part 6), which is reliable on every PT build and is the method students are assessed on.
One concept that must land before moving on: port security identifies devices by MAC address, not by what port they happen to be plugged into or what they're trying to do. A device is either the one MAC address the port has locked onto, or it is rejected — there is no other test applied. This is also its limitation, which is worth raising even at this beginner level: a clever attacker can fake (spoof) a MAC address. Port security is one layer of defense, not a complete answer — this gets revisited in more depth on Day 4.
Coming up next: trunk ports — how multiple VLANs travel across a single link between switches, and how trunk ports are deliberately exempted from this kind of single-MAC lock because they are expected to carry traffic from many devices at once.
Document History
| Version | Date | Changes |
|---|---|---|
| v1.0 | [date] | Initial creation. Beginner-level walkthrough exercise following the Day 3 Command Reference. Covers: viewing the MAC address table before configuration (show mac address-table), configuring port security with sticky learning and shutdown violation mode, verifying the lock via show port-security interface, a hands-on cable-swap simulation in Packet Tracer to trigger a real violation, reading the unsolicited IOS log messages that appear during a violation, confirming the port is truly down via a failed ping, manual err-disabled recovery (shutdown / no shutdown), a brief mention of automatic errdisable recovery, OSI layer framing (Layer 2), and a trainer answer key with common mistakes and the one concept that must land before the next exercise. |
| v1.1 | [date] | Validation pass. Added a Packet Tracer compatibility caveat to the errdisable recovery callout box — this command is confirmed inconsistent across Packet Tracer versions and switch images (works on some builds, rejected or non-functional on others), per multiple independent reports. Added a matching trainer note in the answer key instructing instructors to redirect students straight to manual recovery (Part 6) if errdisable recovery doesn't behave as expected, rather than treating it as a student error. All other technical content validated accurate: prerequisite command ordering, sticky learning behavior, violation modes, IOS log message sequence, show port-security interface field names, and the manual shutdown/no shutdown recovery requirement were all confirmed correct against current documentation. |
| v1.2 | [date] | Part 2 configuration block was missing end and the save step entirely. The exercise had students configure port security and then just exit back to global config mode — the configuration was never saved, meaning it would be lost on any switch reboot. Added end, the real %SYS-5-CONFIG_I: Configured from console by console message that IOS prints automatically on leaving config mode, and copy running-config startup-config with its [OK] confirmation. Added a command table row for both end and the save command, plus a callout explicitly warning students not to skip the save and clarifying that %SYS-5-CONFIG_I is not a save confirmation — it appears regardless of whether the configuration is ever saved. This matches the same fix already applied to Step 11 of the Day 3 Command Reference (Exercise 1), so both documents are now consistent on this point. |
UNCLASSIFIED // FOR TRAINING PURPOSES ONLY
DAY 3 EXERCISE 2 — PORT SECURITY // FCN
DICDP-CIS-FNC-D03-SUP1-EX2-v1.2 | Issued: [date]
FNC_Day_03_Supp1_PT_Ex2_v3.md