Configuring Port Security in Cisco Switch IOS

In Enterprise Infrastructure

• Port security limits the number of MAC addresses allowed on a switch port.
• The maximum number of MAC addresses per port is configurable (the default is 1).
• The allowed MAC addresses can be defined on each port in two ways:
  • Static: by entering the MAC addresses manually.
  • Dynamic: the interface learns MAC addresses until the maximum allowed value is reached. Adding the sticky keyword writes the learned addresses into the configuration file.
• There are three violation modes:
  • shutdown: the interface is placed in the err-disabled state (default).
  • restrict: frames from MAC addresses exceeding the maximum are dropped, and an SNMP trap and Syslog message are generated.
  • protect: frames from MAC addresses exceeding the maximum are dropped, but no SNMP trap or Syslog message is generated.

Enable port-security on the port (the port must be statically configured as an access or trunk port; the command is rejected on a port in dynamic mode):

Switch(config-if)# switchport port-security

Specify the maximum number of MAC addresses that can be learned per port:

Switch(config-if)# switchport port-security maximum max-addr

To keep the dynamically learned addresses in the configuration, so that they survive a switch reboot once the configuration is saved, enable sticky MAC address learning:

Switch(config-if)# switchport port-security mac-address sticky

Define a static MAC address:

Switch(config-if)# switchport port-security mac-address mac-addr

Define how each interface using port-security should react if a MAC address violates port-security:

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

Example: enable port security on an access port, allow up to five addresses, learn them as sticky addresses, and use restrict mode on a violation:

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict

Verification commands:

Switch# show port-security
Switch# show port-security interface fa0/1
Switch# show interface status err-disabled

To clear the err-disabled state, shut down and re-enable the interface from interface configuration mode (shutdown followed by no shutdown).
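As an added example (not part of the original page and not a Cisco tool), the following Python script audits captured output of the verification commands above. It parses the summary table of show port-security and the listing from show interfaces status err-disabled, then reports ports with recorded violations, ports running in protect mode (which drop frames without any SNMP or Syslog notification, so violations there are invisible unless you check the counters), and err-disabled ports together with the shut/no shut recovery commands. The column layout follows the real IOS commands; the port names, counters and the psecure-violation reason in the samples are constructed values.

```python
"""Audit Cisco IOS port-security state from captured 'show' output.

Added example (not from the original page): it parses the summary table of
'show port-security' and the listing from 'show interfaces status
err-disabled', then reports ports that need attention. The column layout
follows the real IOS commands; the port names and counters below are
constructed sample values.
"""
import re
from dataclasses import dataclass

# Constructed sample output of 'show port-security' (values made up).
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              5            2                  0         Restrict
      Fa0/2              1            1                  3         Restrict
      Fa0/3              1            1                  0          Protect
      Fa0/4              1            0                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8320
"""

# Constructed sample output of 'show interfaces status err-disabled'.
SHOW_ERR_DISABLED = """\
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/4                        err-disabled psecure-violation
"""

# One data row of the summary table: port, max, current, violations, action.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)


@dataclass
class SecurePort:
    port: str
    max_addr: int
    cur_addr: int
    violations: int
    action: str  # shutdown, restrict or protect (lower-cased)


def parse_port_security(text):
    """Return a SecurePort for every data row; header and footer lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports.append(SecurePort(m["port"], int(m["max"]), int(m["cur"]),
                                    int(m["viol"]), m["action"].lower()))
    return ports


def parse_err_disabled(text):
    """Map port name -> err-disable reason for each err-disabled interface."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        # The header spells the column 'Err-disabled'; data rows use lower case.
        if "err-disabled" in parts[1:]:
            idx = parts.index("err-disabled")
            reason = parts[idx + 1] if idx + 1 < len(parts) else ""
            result[parts[0]] = reason
    return result


def audit(secure_ports, err_disabled):
    """Return {port: [finding, ...]} for ports that need an operator's attention."""
    findings = {}
    for p in secure_ports:
        notes = []
        if p.violations > 0:
            notes.append(f"{p.violations} security violation(s) recorded")
        if p.action == "protect":
            notes.append("protect mode drops frames silently (no SNMP trap or syslog)")
        if p.port in err_disabled:
            notes.append(f"err-disabled ({err_disabled[p.port]}); recover with shut/no shut")
        if notes:
            findings[p.port] = notes
    return findings


def recovery_commands(port):
    """Interface-mode commands that clear the err-disabled state, as the page describes."""
    return [f"interface {port}", " shutdown", " no shutdown"]


if __name__ == "__main__":
    ports = parse_port_security(SHOW_PORT_SECURITY)
    for port, notes in audit(ports, parse_err_disabled(SHOW_ERR_DISABLED)).items():
        print(port)
        for n in notes:
            print("  -", n)
```

Run it against real captures by replacing the two sample strings with the text saved from a terminal session; the parser keys on column shape rather than exact spacing, so it tolerates the wider port names of GigabitEthernet interfaces.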
