Objectives
| # | Objective |
|---|---|
| 1 | Enable port security on SW1 Gi0/0: set MAC limit to 1, violation mode shutdown, verify with show port-security |
| 2 | Configure sticky learning: let the switch learn and lock the first MAC it sees |
| 3 | Trigger and recover from a port security violation: understand err-disabled and the recovery process |
| 4 | Use CDP to discover directly connected neighbours: identify device type, IP, and platform |
| 5 | Use LLDP to discover neighbours: compare output with CDP, disable CDP for security reasons |
| 6 | Open the Port Security Violation Simulator: step through all three violation modes side by side |
| 7 | Knowledge check: port security, CDP, LLDP and security implications |
Key Concepts
| Concept | What it means |
|---|---|
| Port Security | Restricts which MAC addresses can send frames on a port. Limits the number of MACs allowed and defines what happens when an unauthorised MAC is detected. |
| Violation: Protect | Silently drops frames from unauthorised MACs. No log, no alert. Legitimate traffic continues. Violation counter increments. |
| Violation: Restrict | Drops frames from unauthorised MACs AND sends a syslog message + SNMP trap. Counter increments. Port stays up. |
| Violation: Shutdown | Immediately err-disables the entire port. All traffic stops. Syslog alert sent. Requires manual recovery with shutdown/no shutdown. |
| Sticky learning | switchport port-security mac-address sticky: the switch dynamically learns the first MAC(s) and saves them as if statically configured. Once the configuration is saved, the learned MACs survive a reboot. |
| CDP | Cisco Discovery Protocol: Layer 2, Cisco proprietary. Sends multicast advertisements every 60s. Reveals device type, hostname, IP address, IOS version, and platform. Security risk: disable on untrusted ports. |
| LLDP | Link Layer Discovery Protocol: IEEE 802.1AB open standard. Works across vendors. Sends advertisements that reveal similar information to CDP. Often preferred in multi-vendor environments. |
Topology
| Port | Connected To | Port Security |
|---|---|---|
| SW1 Gi0/0 | PC1 (legitimate) | Port Security: MAC limit 1, shutdown |
| SW1 Gi0/1 | PC2 (legitimate) | Sticky learning |
| SW1 Gi0/2 | SW2 (neighbour) | CDP & LLDP discovery |
Key Commands
| Command | Purpose |
|---|---|
| switchport mode access | Port security requires access mode (not dynamic) |
| switchport port-security | Enable port security on the interface |
| switchport port-security maximum 1 | Allow only 1 MAC address |
| switchport port-security violation shutdown | Set violation mode to shutdown |
| switchport port-security mac-address sticky | Enable sticky MAC learning |
| show port-security | Overview of all secured ports |
| show port-security interface Gi0/0 | Detailed port security status for one port |
| show port-security address | All learned/configured secure MACs |
| show cdp neighbors | CDP neighbour table: hostname, port, platform |
| show cdp neighbors detail | Full CDP info including IP addresses |
| show lldp neighbors | LLDP neighbour table |
| no cdp run | Disable CDP globally (security hardening) |
| lldp run | Enable LLDP globally (disabled by default) |
After configuring port security and triggering a violation, click Violation Simulator to step through all three violation modes (Protect, Restrict, and Shutdown) with live syslog output and show port-security output for each.
Port security requires the port to be in access mode. Running switchport port-security on a dynamic or trunk port will fail. Always run switchport mode access first.
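The behaviour the Key Concepts table and the Violation Simulator describe (MAC limit, sticky learning, the three violation modes and shutdown/no shutdown recovery) as a small runnable model. This is an added example, not code from the lab or from Cisco; the MAC addresses are constructed samples and the syslog strings only approximate the IOS message format.

```python
"""Model of Cisco port security (added example, not code from the lab page).
MAC addresses are constructed samples; the syslog strings approximate the IOS
message format and are not captured switch output."""
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                      # switchport port-security maximum 1
    violation: str = "shutdown"           # protect | restrict | shutdown
    sticky: bool = True                   # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def frame(self, src_mac: str) -> str:
        """Handle one ingress frame; return 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"         # port is down, nothing passes either way
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac) # free slot: learn (and, if sticky, lock) the MAC
            return "forward"
        self.violations += 1              # limit reached, unknown source: violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
            return "err-disabled"
        if self.violation == "restrict":
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by MAC {src_mac} on {self.name}")
        return "drop"                     # protect drops silently, restrict drops and logs

    def recover(self) -> None:
        """Operator 'shutdown' / 'no shutdown': sticky MACs survive, dynamic ones do not."""
        self.err_disabled = False
        if not self.sticky:
            self.secure_macs.clear()

def run_modes(frames):
    """Run one frame sequence through all three modes: (actions, violations, syslog count)."""
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("Gi0/0", violation=mode)
        out[mode] = ([port.frame(m) for m in frames], port.violations, len(port.syslog))
    return out

# Constructed sample: PC1 talks twice, a second MAC appears, then PC1 again.
SAMPLE = ["aaaa.bbbb.0001", "aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0001"]
```

Running run_modes(SAMPLE) shows the side-by-side difference: protect and restrict keep forwarding PC1 after dropping the second MAC, while shutdown err-disables the port so even PC1's next frame is lost until the operator recovers it.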