Port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter users from adding “dumb” switches to illegally extend the network. Port security is configured locally on each switch and has no mechanism for controlling it in a centralized fashion across distributed switches. Port security is normally configured on ports that connect servers or fixed devices, because the likelihood of the MAC address changing on that port is low. By restricting the port to accept only the MAC address of the authorized device, we prevent unauthorised access if somebody plugs another device into the port. To ensure that only a certain device, for example a server, is plugged into a particular switch port, you can configure the MAC address of the server as a static entry associated with the switch port.

Configuring the port security feature is relatively easy. It simply requires going to an already enabled switch port and entering the port-security interface-mode command.

Port security can’t be applied to a Layer 3 port, so one first needs to convert the switch port to Layer 2 by issuing the following command on the specific port:

E.g. –

SW1(config)# interface Fa0/1

SW1(config-if)# switchport

Now that the port is configured as Layer 2 and is part of a VLAN, let’s see what options are available when enabling port security:


SW1(config-if)# switchport port-security ?
  aging        = Port-security aging commands
  mac-address  = Secure mac address
  maximum      = Max secure addresses
  violation    = Security violation mode


As shown in the output above, the “mac-address” keyword manually specifies the MAC address that is allowed to access network resources through the port, using the following command:

E.g. –

SW1(config-if)# switchport port-security mac-address 0ab0.ba11.2233

Manually configuring each switch with the MAC address of every connected device would take hours. Cisco avoids this by letting the switch learn the MAC address dynamically with the “switchport port-security mac-address sticky” command.


One can specify how many MAC addresses the switch can have on one interface at a time with the “maximum” keyword. The command is “switchport port-security maximum N” (where N can be from 1 to 6272). Note that the maximum number of MAC addresses depends on the hardware and the Cisco IOS version in use.


By using the “violation” keyword, the administrator can define the action to take when a violation occurs on that interface or interfaces. The default is to shut down the interface or interfaces. The command is “switchport port-security violation { protect | restrict | shutdown }”, with the following modes:

Protect: discards the traffic but keeps the port up and does not send an SNMP message.

Restrict: discards the traffic and sends an SNMP message but keeps the port up.

Shutdown: discards the traffic, sends an SNMP message and disables the port. (This is the default behavior if no setting is specified.)
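
The options above can be checked on a saved configuration. The following Python audit is an added example, not from the original article or from Cisco: it reads running-config text and flags ports where port security is not enabled, where “maximum” is above a chosen threshold, or where the violation mode is “protect”. The function names, the sample configuration and the max_allowed threshold are constructed for illustration, and it assumes the bare “switchport port-security” line is what enables the feature on a port.

```python
# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 8
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport port-security maximum 1
!
"""

PREFIX = "switchport port-security"

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces

def audit_port_security(config, max_allowed=1):
    """Return {interface: [findings]}; an empty list means nothing flagged."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        opts = [c[len(PREFIX):].strip() for c in cmds if c.startswith(PREFIX)]
        findings = []
        if "" not in opts:  # assumption: sub-options alone do not enable it
            findings.append("port security not enabled")
        for opt in opts:
            if opt.startswith("maximum ") and int(opt.split()[1]) > max_allowed:
                findings.append(f"maximum {opt.split()[1]} exceeds {max_allowed}")
            if opt == "violation protect":
                findings.append("violation protect: drops without an SNMP message")
        report[name] = findings
    return report

if __name__ == "__main__":
    for intf, findings in audit_port_security(SAMPLE_CONFIG).items():
        print(intf, "->", findings or "OK")
```

A port with no “maximum” or “violation” line is left unflagged because it falls back to the defaults (shutdown on violation, as described above).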
