In today’s interconnected business environments, network security is more critical than ever. One of the simplest yet most effective protections you can apply at the access layer of your network is Port Security.
On Cisco switches, Port Security restricts input to an interface by limiting and identifying MAC addresses of the devices that can connect. This helps prevent unauthorized devices from plugging into your network and accessing sensitive resources.
This article walks you through what port security is, why it matters, and how to configure it step by step.
What Is Port Security on Cisco Switches?
Port Security is a feature that allows administrators to:
- Restrict a port to specific MAC addresses
- Limit the number of devices that can connect to a port
- Decide what happens when a violation occurs (e.g., block the port, drop traffic, or alert administrators)
It is particularly useful for access layer ports that connect end-user devices, such as PCs, printers, or IP phones.
Key Benefits of Port Security
- Prevents unauthorized access by rejecting devices not on the trusted MAC list
- Mitigates MAC flooding attacks, which can overwhelm switch CAM tables
- Improves visibility and control over devices connecting to your network
- Enforces network policy at the edge
Port Security Concepts
Before diving into configuration, it’s important to understand the key terms:
- Secure MAC Address: A MAC address allowed on a port
- Maximum Addresses: The number of MAC addresses permitted per port
- Violation Modes: Determines the switch’s response to an unauthorized device
Violation Modes:
- Protect – Drops traffic from unauthorized MAC addresses (no alert)
- Restrict – Drops unauthorized traffic and generates a log/alert
- Shutdown – Puts the port into error-disabled state (default mode)
Step-by-Step: Configuring Port Security
Here’s how to configure port security on a Cisco switch.
Step 1: Enter Interface Configuration Mode
Switch> enable
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Step 2: Enable Port Security
Port security works only on access ports, not trunk ports.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Step 3: Set the Maximum Number of MAC Addresses
Switch(config-if)# switchport port-security maximum 2
This example allows at most 2 MAC addresses on the port.
Step 4: Configure Allowed MAC Addresses
Option A: Statically Configure a MAC Address
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Option B: Sticky Learning (Dynamic to Static)
Switch(config-if)# switchport port-security mac-address sticky
Sticky mode learns MAC addresses dynamically and adds them to the running configuration as if they had been entered manually; save the configuration (write memory) so they survive a reload.
Step 5: Configure Violation Action
Switch(config-if)# switchport port-security violation restrict
Options are:
- protect
- restrict
- shutdown (default)
Step 6: Verify Configuration
Switch# show port-security interface fastEthernet 0/1
This displays allowed addresses, violation mode, and current status.
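As an added example (not part of the original article), here is a small Python parser for the output of show port-security interface. It turns the text into a report and flags the conditions an operator should act on: port security not enabled, the port in Secure-shutdown, a non-zero violation count, or a secure address table that is already full. The sample output is constructed in the shape of the IOS display, with made-up values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the shape of `show port-security interface` output on
# Cisco IOS, with made-up values showing a port shut down after one violation.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 00aa.bbcc.ddee:10
Security Violation Count   : 1
"""

# The key "Last Source Address:Vlan" contains a colon itself, so split on the
# first colon that is preceded by whitespace rather than on any colon.
_FIELD = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<value>.*)$")


def parse_fields(output: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines into a dict, keeping the keys verbatim."""
    fields: Dict[str, str] = {}
    for raw in output.splitlines():
        m = _FIELD.match(raw.strip())
        if m:
            fields[m["key"]] = m["value"].strip()
    return fields


@dataclass
class PortSecurityReport:
    enabled: bool
    status: str
    violation_mode: str
    max_addresses: int
    total_addresses: int
    violation_count: int
    last_source_mac: Optional[str]
    last_source_vlan: Optional[int]
    findings: List[str] = field(default_factory=list)


def assess(output: str) -> PortSecurityReport:
    """Summarise one port's state and list the conditions worth acting on."""
    f = parse_fields(output)
    last_mac: Optional[str] = None
    last_vlan: Optional[int] = None
    last = f.get("Last Source Address:Vlan", "")
    if ":" in last:
        mac, vlan = last.rsplit(":", 1)
        last_mac, last_vlan = mac, int(vlan)

    report = PortSecurityReport(
        enabled=f.get("Port Security", "").lower() == "enabled",
        status=f.get("Port Status", ""),
        violation_mode=f.get("Violation Mode", ""),
        max_addresses=int(f.get("Maximum MAC Addresses", "0")),
        total_addresses=int(f.get("Total MAC Addresses", "0")),
        violation_count=int(f.get("Security Violation Count", "0")),
        last_source_mac=last_mac,
        last_source_vlan=last_vlan,
    )

    if not report.enabled:
        report.findings.append("port security is not enabled on this interface")
    if report.status.lower() == "secure-shutdown":
        report.findings.append(
            "port is err-disabled by a port-security violation; "
            "remove the offending device, then shutdown / no shutdown"
        )
    if report.violation_count > 0:
        report.findings.append(
            f"{report.violation_count} violation(s); last offending source "
            f"{report.last_source_mac} on VLAN {report.last_source_vlan}"
        )
    if report.enabled and report.total_addresses >= report.max_addresses:
        report.findings.append(
            f"secure address table is full "
            f"({report.total_addresses}/{report.max_addresses}); "
            "any new MAC will trigger the violation action"
        )
    return report


if __name__ == "__main__":
    r = assess(SAMPLE_OUTPUT)
    print(f"{r.status} ({r.violation_mode}), "
          f"{r.total_addresses}/{r.max_addresses} addresses")
    for finding in r.findings:
        print(" -", finding)
```

Feed it the captured output of the command for each access port (for example from a script that logs in over SSH) and act on the findings list; the sample above yields three findings because the port is shut down, has one violation, and has a full address table.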
Example: Full Configuration
Here’s a complete configuration for port FastEthernet 0/1:
Switch> enable
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
Switch# write memory
This configuration:
- Allows up to 2 MAC addresses
- Learns and saves them automatically
- Restricts unauthorized devices and logs violations
Troubleshooting Port Security
- Port goes into err-disabled mode: the violation mode is likely set to shutdown. Remove the offending device, then bounce the port to recover it:
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Alternatively, errdisable recovery cause psecure-violation (in global configuration mode) lets the switch re-enable the port automatically after the recovery interval.
- Check logs for violations:
Switch# show log
- Reset port security by clearing the secure MAC addresses (this removes every secure address on the switch, including sticky ones):
Switch# clear port-security all
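Added example, not part of the original article: a Python script that reads the port-security messages from show log and summarises them per port. It expands the short interface names used by the %PM-4-ERR_DISABLE message (Fa0/1) to the long form used by %PORT_SECURITY-2-PSECURE_VIOLATION (FastEthernet0/1) so both key on the same port, and it reports any MAC address that violated on more than one port, which is worth a look during an audit. The log lines are constructed for this example in the shape of those IOS messages.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log lines in the shape of the messages IOS emits for port
# security; timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
*Mar  1 00:12:41.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/1.
*Mar  1 00:12:41.102: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  1 00:15:03.477: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/2.
*Mar  1 00:15:09.010: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/2.
*Mar  1 00:16:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)

_SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}


def normalise_port(name: str) -> str:
    """Expand the abbreviated form (Fa0/1) some messages use to the long form
    (FastEthernet0/1); names that are already long are returned unchanged."""
    m = re.match(r"^(Fa|Gi|Te)(\d.*)$", name)
    return _SHORT_NAMES[m.group(1)] + m.group(2) if m else name


def summarise_violations(log: str) -> Dict[str, Dict]:
    """Group PSECURE_VIOLATION messages by port, counting events and collecting
    the offending MACs, and mark the ports the switch err-disabled as a result."""
    ports: Dict[str, Dict] = defaultdict(
        lambda: {"count": 0, "macs": [], "err_disabled": False}
    )
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            entry = ports[normalise_port(m["port"])]
            entry["count"] += 1
            if m["mac"] not in entry["macs"]:
                entry["macs"].append(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[normalise_port(m["port"])]["err_disabled"] = True
    return dict(ports)


def macs_on_multiple_ports(summary: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Return the MACs that caused violations on more than one port: a device
    that moved, or one whose address is being reused elsewhere."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for port, entry in summary.items():
        for mac in entry["macs"]:
            seen[mac].append(port)
    return {mac: ports for mac, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    summary = summarise_violations(SAMPLE_LOG)
    for port, entry in summary.items():
        state = "ERR-DISABLED" if entry["err_disabled"] else "up"
        print(f"{port}: {entry['count']} violation(s), {state}, MACs {entry['macs']}")
    for mac, ports in macs_on_multiple_ports(summary).items():
        print(f"{mac} violated on several ports: {ports}")
```

Paste the output of show log into the script (or read the file your syslog collector writes) in place of the constructed sample; a port with a non-zero count and err_disabled set is the one to recover with shutdown / no shutdown once the offending device is gone.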
Best Practices
- Apply port security only on end-user access ports
- Use sticky learning for environments with dynamic devices (e.g., laptops)
- Set reasonable maximum MAC addresses (usually 1 for desktops, 2 for VoIP phones + PC)
- Use restrict mode instead of shutdown in high-availability environments to avoid accidental downtime
- Monitor and log violations for auditing
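Added example, not part of the original article: a Python generator that turns the per-role rules above (one address for a desktop, two for a phone plus PC, sticky learning where devices change, restrict rather than shutdown) into IOS interface commands in the same order the steps above use. It normalises MAC addresses to the dotted form the switch expects and rejects combinations the switch would refuse, such as more static addresses than the maximum or malformed or duplicate addresses. The role names and the sample port inventory are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Per-role policy following the best practices above. The role names are an
# assumption of this example, not an IOS construct.
ROLE_POLICY: Dict[str, Dict] = {
    "desktop": {"maximum": 1, "violation": "restrict", "sticky": False},
    "voip_pc": {"maximum": 2, "violation": "restrict", "sticky": True},
    "laptop":  {"maximum": 1, "violation": "restrict", "sticky": True},
}

VIOLATION_MODES = ("protect", "restrict", "shutdown")

# Constructed inventory for the demonstration.
SAMPLE_PORTS = [
    {"interface": "FastEthernet0/1", "role": "desktop", "static_macs": ["00:11:22:33:44:55"]},
    {"interface": "FastEthernet0/2", "role": "voip_pc"},
]


def to_cisco_mac(mac: str) -> Optional[str]:
    """Normalise 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 to the
    dotted form IOS expects (0011.2233.4455). Returns None unless the input
    contains exactly 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def check_policy(role: str, static_macs: Optional[List[str]] = None) -> List[str]:
    """Return the problems that would make the switch reject this port's configuration."""
    problems: List[str] = []
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return [f"unknown role {role!r}"]
    if policy["violation"] not in VIOLATION_MODES:
        problems.append(f"invalid violation mode {policy['violation']!r}")
    raw_macs = static_macs or []
    macs = [to_cisco_mac(m) for m in raw_macs]
    for raw, mac in zip(raw_macs, macs):
        if mac is None:
            problems.append(f"invalid MAC address {raw!r}")
    valid = [m for m in macs if m is not None]
    if len(set(valid)) != len(valid):
        problems.append("duplicate static MAC address")
    # Static addresses count toward the maximum: pinning more than the
    # maximum allows is rejected at the CLI, so catch it here.
    if len(valid) > policy["maximum"]:
        problems.append(f"{len(valid)} static MACs exceed maximum {policy['maximum']}")
    return problems


def port_security_config(interface: str, role: str,
                         static_macs: Optional[List[str]] = None) -> List[str]:
    """IOS interface commands for one access port, access mode first because
    port security cannot be enabled on a dynamic (DTP) port."""
    problems = check_policy(role, static_macs)
    if problems:
        raise ValueError(f"{interface}: " + "; ".join(problems))
    policy = ROLE_POLICY[role]
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {policy['maximum']}",
        f" switchport port-security violation {policy['violation']}",
    ]
    for mac in static_macs or []:
        lines.append(f" switchport port-security mac-address {to_cisco_mac(mac)}")
    if policy["sticky"]:
        lines.append(" switchport port-security mac-address sticky")
    return lines


def build_config(ports: List[Dict]) -> str:
    """Concatenate the per-port blocks into one snippet to paste into config mode."""
    out: List[str] = []
    for port in ports:
        out.extend(port_security_config(port["interface"], port["role"],
                                        port.get("static_macs")))
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_config(SAMPLE_PORTS))
```

Run check_policy over the whole inventory before pushing anything, then paste the output of build_config into configure terminal and finish with write memory so sticky addresses are kept across a reload.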
Conclusion
Port security is a simple yet powerful way to secure Cisco switches at the access layer. By limiting the number of devices and controlling which MAC addresses can connect, you reduce risks from unauthorized access and attacks.
With the steps above, you can confidently configure port security, enforce network policy, and protect your organization from common security threats.
