Back to Command Reference
Interface ConfigDomain 5.0 / 7.0

switchport port-security

Locks down a Layer 2 access port by restricting inbound traffic to a specific, limited number of MAC addresses. If an unauthorized MAC address attempts to send a frame through the port, the switch triggers a configurable security violation.

Quick Reference

Execution ModeSwitch(config-if)#
Strict Prerequisiteswitchport mode access
Default MAC Maximum1
Default Violation ActionShutdown (Err-Disable)

Syntax & Violation Modes

switchport port-security [mac-address | maximum | violation]

Executing the base switchport port-security command with no arguments turns the feature on using the defaults (Max: 1 MAC, Violation: Shutdown). You must then use the parameter keywords to customize its behavior.

The Three Violation Modes

  • violation shutdown (Default)Instantly kills the port, placing it into an err-disabled state. It generates an SNMP trap and a syslog message. The administrator must manually bounce the port to recover it.
  • violation restrictLeaves the port operational but drops all traffic from the unauthorized MAC. It does generate a syslog message and increments the security violation counter so administrators know an attack occurred.
  • violation protectLeaves the port operational and drops unauthorized traffic, but it does not generate a syslog message or increment the counter. It silently discards the frames.

CLI Deployment Scenarios

Scenario 1: The "Sticky" MAC Lockdown

You want to lock down a lobby port to whoever plugs in first. Instead of manually typing their MAC address, you tell the switch to dynamically learn it and write it permanently into the running-config.

Switch(config)# interface FastEthernet0/10
! Step 1: You MUST force the port into access mode first.
Switch(config-if)# switchport mode access
! Step 2: Turn on the master port-security engine.
Switch(config-if)# switchport port-security
! Step 3: Enable sticky learning.
Switch(config-if)# switchport port-security mac-address sticky
! If a second PC plugs in, the port will immediately err-disable.

Scenario 2: The VoIP Phone Exception

A user has a Cisco IP phone on their desk, and their PC plugs into the phone. Because there are two devices sharing one physical switchport, you must increase the maximum MAC count.

Switch(config)# interface GigabitEthernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict

CCNA Exam Gotchas

[!]

Dynamic Auto Rejection

If you type switchport port-security on a brand-new, unconfigured Cisco switchport, the command will be rejected. This is because switchports default to dynamic auto (DTP negotiation). Port Security cannot run on dynamic ports. You must establish it as an access port or a trunk port first.

[!]

Sticky MACs and the Copy Run Start

When you use the sticky keyword, the switch learns the MAC address and injects it into the running-config. If the switch loses power, that MAC address is wiped out. To make a sticky MAC permanent, you must execute copy running-config startup-config after the switch has learned the address.