Lab 16: Port Security with Sticky MACs
Lock an access port to its legitimate device with sticky MAC learning and shutdown on violation. Then play attacker: swap in a rogue PC, watch the port go err-disabled, and recover it properly. Difficulty: Intermediate · Time: ~30 min.
Lab objectives
- Enable port security with maximum 1 sticky MAC
- Trigger a violation with a different PC
- Diagnose err-disabled state
- Recover the port properly
Topology & addressing
1× 2960 switch, 1× legitimate PC on Fa0/1, 1× "intruder" PC on standby. Fa0/1 is configured as an access port in VLAN 10.
Step-by-step configuration
| Commands | Purpose |
|---|---|
| `interface fa0/1` / `switchport mode access` / `switchport port-security` | Enable the feature (the port must be in access mode; port security is refused on a dynamic/trunk port) |
| `switchport port-security maximum 1` / `switchport port-security mac-address sticky` | One device only; learn its MAC automatically |
| `switchport port-security violation shutdown` | Violation = err-disable (the default, made explicit) |
Verification
Connect the legitimate PC and ping another host in VLAN 10. `show port-security address` lists its MAC on Fa0/1 with type SecureSticky, and the same MAC now appears under the interface in `show running-config`. Swap the cable to the intruder PC: the port LED goes out, `show port-security interface fa0/1` shows Port Status Secure-shutdown and Security Violation Count 1, and its Last Source Address:Vlan line shows the intruder's MAC. `show interfaces status err-disabled` lists Fa0/1 with reason psecure-violation. Recover: reconnect the legitimate PC first (if the intruder is still attached the port violates again the moment it comes up), then `shutdown` / `no shutdown` under the interface. Finally `copy running-config startup-config` so the sticky MACs survive a reload.
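The whole lab as one IOS session, from configuration through the violation check to manual recovery. This is an added example, not the lab page's own configuration; the VLAN name, the interface description and the MAC 0011.2233.4455 are placeholders (the sticky line is written by the switch, not typed), and the optional errdisable recovery block goes beyond the page's manual shutdown/no shutdown method.

```cisco
! Added example; not the lab page's own config. All names and MACs are placeholders.
configure terminal
!
vlan 10
 name USERS
!
interface FastEthernet0/1
 description Legit PC (placeholder) - locked by port security
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Alternatives that keep the port up but drop the offender's frames:
 !   switchport port-security violation restrict   (drops, logs, counts)
 !   switchport port-security violation protect    (drops silently)
!
! Optional and NOT part of the lab steps: let the switch re-enable the port
! automatically 300 s after a port-security err-disable. Only use it if you
! accept that the port may flap while the intruder is still plugged in.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! --- After the legit PC sends its first frame, the switch itself adds this
! --- line under Fa0/1 in running-config (placeholder MAC):
!     switchport port-security mac-address sticky 0011.2233.4455
!
! --- Verification checks ---
show port-security address
show port-security interface fastEthernet 0/1
show interfaces status err-disabled
!
! --- Manual recovery: reconnect the legit PC FIRST, then bounce the port ---
configure terminal
 interface FastEthernet0/1
  shutdown
  no shutdown
end
!
! --- Persist the learned sticky MAC across reloads ---
copy running-config startup-config
```

After the violation, `show port-security interface fastEthernet 0/1` is the single most useful check: Port Status tells you whether the port is err-disabled (Secure-shutdown) or merely dropping frames (Secure-up with restrict/protect), and Last Source Address:Vlan tells you which MAC triggered it, which is what you want before deciding whether it is safe to bounce the port.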
Frequently asked questions
What does sticky actually do?
The switch learns the connected device's MAC dynamically and writes it into the running config as a secure address — no manual typing.
Why did the whole port go down instead of just blocking the intruder?
Violation mode shutdown err-disables the whole port; it is the strictest response and the default. protect and restrict drop the offender's frames but keep the port up: protect drops silently, while restrict also logs the event and increments the violation counter.
Do sticky MACs survive a reboot?
Only if you save the configuration. Learned sticky addresses are written into running-config, so they are lost on reload unless you copy it to startup-config.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.