- Layer 2 switch feature (the commands here are Cisco IOS) that limits and identifies the MAC addresses allowed to send frames into a switchport
- Prevents unauthorized devices from connecting by controlling which source MAC addresses are accepted on a specific port
- Static security (manually configured MACs) vs dynamic learning (switch learns allowed MACs automatically) vs sticky learning (dynamically learned MACs written into the running-config)
- Maximum secure addresses per port is 1 up to a platform-dependent limit (8192 on some Catalyst platforms); the default is 1
How Port Security Works
- Switch maintains a secure MAC address table separate from the normal CAM table
- When a frame arrives, the switch checks its source MAC against the port's secure address list
- A security violation occurs when the maximum has been reached and a frame arrives from a MAC that is not in the secure list, or when a MAC that is secure on one port appears on another secure port in the same VLAN
- Secure addresses can be learned dynamically, configured statically, or a combination of both
- Aging timer removes dynamically learned addresses after a specified time (absolute, the default type) or after a period of inactivity; aging is disabled by default (aging time 0) and does not apply to sticky addresses
Security Violation Actions
| Action | Description | Port Status | Logging | Violation Counter | Traffic Handling |
|---|---|---|---|---|---|
| Protect | Drops violating frames silently | Remains up | No SNMP/syslog | Not incremented | Traffic from secure MACs continues |
| Restrict | Drops violating frames with notification | Remains up | SNMP trap + syslog | Incremented | Traffic from secure MACs continues |
| Shutdown | Disables port (err-disabled state) | Goes down | SNMP trap + syslog | Incremented | All traffic stopped |
- Shutdown is the default action - most disruptive to an attacker but also to a legitimate user, and requires manual intervention unless errdisable recovery is configured
- Protect mode keeps the port up and generates no logs or counters, so the operator gets no visibility into attempts; use it only where log noise is a bigger problem than blind spots
- Restrict mode provides the same filtering as protect while logging and counting violations, so it is the usual monitoring-friendly choice
Configuration Commands
- Must configure the port as a static access or trunk port first - port security cannot be enabled on a port in dynamic (DTP) mode
- Sticky learning (`switchport port-security mac-address sticky`) converts dynamically learned MACs into `switchport port-security mac-address sticky <mac>` lines in the running-config
- Use `show port-security interface <interface>` to verify configuration and status, and `show port-security address` to list the secure MACs
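A complete configuration for two access ports, as an added example (not from the original notes): one port uses sticky learning so the first two MACs seen become part of the configuration, the other uses plain dynamic learning with inactivity aging so a hot-desk port frees its slot when a device goes quiet. Interface names and VLAN numbers are assumed for illustration.

```cisco
! Added example - assumed interface names and VLANs
configure terminal
!
! Port 1: fixed workstation. Sticky learning, restrict on violation.
interface GigabitEthernet1/0/10
 description user access port (sticky, example)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Port 2: hot-desk port. Dynamic learning only; a learned MAC is
! dropped from the secure table after 10 minutes of inactivity.
! (Aging applies to dynamic addresses, not sticky ones, which is
! why this port does not use sticky.)
interface GigabitEthernet1/0/11
 description hot-desk access port (dynamic + aging, example)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end
!
! Verification
show port-security
show port-security interface GigabitEthernet1/0/10
show port-security address
!
! Sticky addresses only survive a reload once saved to startup-config
copy running-config startup-config
```

After the first hosts are seen on Gi1/0/10, `show running-config interface GigabitEthernet1/0/10` will show the learned MACs as `switchport port-security mac-address sticky` lines; review them before saving, since anything plugged in during that window becomes an authorized address.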
Practical Use Cases
- End-user access ports: Prevent users from connecting unauthorized devices (hubs, switches, wireless APs)
- Server connections: Ensure only specific server NICs can connect to designated ports
- IP phone + PC combinations: set the maximum to 2 for a Cisco IP phone with PC pass-through (phone MAC on the voice VLAN, PC MAC on the data VLAN); some platforms also learn the phone's MAC on the data VLAN, so check `show port-security address` and raise the maximum to 3 if the phone appears twice
- Guest network isolation: Limit guest ports to single device connections
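The phone + PC and server cases above, as an added example that is not part of the original notes. Interface names and VLANs are assumed, and the server MAC is taken from the IANA documentation range, not a real NIC. The per-VLAN maximums keep the PC from taking the phone's slot (or vice versa).

```cisco
! Added example - assumed interface names, VLANs and MAC address
configure terminal
!
! Phone with PC pass-through: one MAC on the data VLAN, one on the
! voice VLAN. The per-VLAN limits enforce that split rather than
! just "any two MACs".
interface GigabitEthernet1/0/12
 description IP phone + PC (example)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Server port: exactly one statically configured NIC, shut the port
! if anything else shows up. 0000.5e00.5301 is a documentation
! address (RFC 7042), used here as a placeholder.
interface GigabitEthernet1/0/20
 description server NIC (example)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation shutdown
!
! Guest port: one device, drop and log anything else.
interface GigabitEthernet1/0/30
 description guest access (example)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
end
```

If the phone port logs violations with only a phone and PC attached, look at `show port-security address` for the phone's MAC appearing on both VLANs before assuming an attack.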
Recovery from Violations
- Shutdown violations: port enters the err-disabled state and requires `shutdown` then `no shutdown` to recover
- Automatic recovery: configure `errdisable recovery cause psecure-violation` with a timer (`errdisable recovery interval <seconds>`)
- Clear secure addresses: use `clear port-security {all | configured | dynamic | sticky}`
- Check violation counters with `show port-security` before clearing
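The recovery procedure above as one added example (not from the original notes). Interface name and timer value are assumed. The inspection commands come before the `clear`, because clearing resets the counters you would otherwise use to see how often the port is being hit.

```cisco
! Added example - assumed interface name and timer
!
! 1. Inspect before touching anything
show interfaces status err-disabled
show port-security
show port-security interface GigabitEthernet1/0/20
show port-security address
show logging | include PSECURE
!
! 2. Manual recovery of an err-disabled port
configure terminal
interface GigabitEthernet1/0/20
 shutdown
 no shutdown
end
!
! 3. Optional automatic recovery: re-enable after 5 minutes.
!    A port that keeps violating will just cycle, which is
!    visible in the log and in "show errdisable recovery".
configure terminal
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
show errdisable recovery
!
! 4. If the legitimate device was replaced, drop the stale secure
!    entries on that port only (dynamic or sticky as appropriate)
clear port-security dynamic interface GigabitEthernet1/0/20
clear port-security sticky interface GigabitEthernet1/0/20
```

A statically configured address (as on the server port) is not removed by `clear port-security dynamic`; change it with `no switchport port-security mac-address <old>` followed by the new address.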
Vocabulary
- Secure MAC Address: MAC address authorized to send frames through a port-security enabled port
- Sticky Learning: Feature that converts dynamically learned MAC addresses into static configuration
- Security Violation: Event when unauthorized MAC tries to access port or max addresses exceeded
- Err-disabled: port state in which the switch has operationally disabled the interface because of an error condition such as a port-security violation (distinct from an administrative `shutdown`; it is cleared with `shutdown` / `no shutdown` or errdisable recovery)
- Aging: Process of removing old secure MAC addresses based on time or inactivity
Notes
- Port security only works on access and trunk ports - not on dynamic/auto ports
- Maximum addresses include both statically configured and dynamically learned MACs
- Sticky addresses are written into the running-config and survive a reload only after the configuration is saved (`copy running-config startup-config`); purely dynamic addresses are lost on reload either way
- Voice VLANs complicate port security - phone MAC goes to voice VLAN, PC MAC to data VLAN
- Use `switchport port-security aging type inactivity` for better resource management in dynamic environments (hot desks, conference rooms) so idle devices release their slot
- Security violations are counted only in restrict and shutdown modes; protect mode drops frames without incrementing the counter, so it gives no indication of attempted breaches
- Port security and 802.1X can work together but require careful planning for authentication order
- Consider using restrict mode in production to maintain connectivity while logging security events