switchport port-security
Enables port security on a switch interface to restrict input to a limited number of MAC addresses, preventing unauthorized devices from accessing the network.
When to Use This Command
- Securing an access port in a corporate office to allow only the employee's PC and IP phone.
- Preventing rogue devices from connecting to a switch port in a public area like a lobby.
- Limiting the number of MAC addresses on a port to mitigate MAC flooding attacks.
- Enforcing security policies in a data center where only specific servers are allowed on certain ports.
Command Examples
Enable port security with default settings
Switch(config-if)# switchport port-security
Switch(config-if)#
No output indicates the command was accepted. Default settings: maximum MAC addresses = 1, violation mode = shutdown, aging disabled.
Configure port security with specific parameters
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)#
Sets maximum MAC addresses to 2, violation mode to restrict (drops traffic from unknown MACs but does not shut the port), and enables sticky learning to dynamically learn and save MAC addresses.
Understanding the Output
The command itself produces no output. To verify port security, use 'show port-security interface <interface>'. Key fields: Port Security (Enabled/Disabled), Port Status (Secure-up, Secure-down, Shutdown), Violation Mode (Shutdown, Restrict, Protect), Maximum MAC Addresses (configured limit), Current MAC Addresses (number learned), Security Violation Count (number of violations). A good state shows Port Status as Secure-up and violation count at 0. A bad state shows Port Status as Shutdown or Secure-down with high violation count, indicating an attack or misconfiguration.
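The fields listed above are easiest to act on when a script reads them for every port and flags the bad states. The following Python is an added example, not code from the original page and not a Cisco tool: it parses 'show port-security interface' output into the key fields and classifies the port as good, warn or bad using the rules in this section (Secure-up with zero violations is good; Shutdown or Secure-down with violations is bad; 'protect' mode is flagged because it drops silently). The two output samples are constructed to resemble IOS output, and the parser accepts 'Total MAC Addresses' as an alias for 'Current MAC Addresses', which is an assumption about the field name on a given platform.

```python
"""Classify a port from 'show port-security interface' output.

Added example (not Cisco IOS code and not from the original page). The
output samples below are constructed to resemble IOS output; field names
follow the page's list of key fields, and 'Total MAC Addresses' is
accepted as an alias for 'Current MAC Addresses' (an assumption).
"""
import re
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    interface: str
    enabled: bool
    port_status: str
    violation_mode: str
    max_macs: int
    current_macs: int
    violation_count: int
    findings: list = field(default_factory=list)


def parse_port_security(interface: str, output: str) -> PortSecurity:
    """Turn the 'Key : Value' lines of the show command into a record."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()

    def as_int(*names: str) -> int:
        # First matching field wins; tolerate trailing units such as '0 mins'.
        for name in names:
            match = re.match(r"\d+", fields.get(name, ""))
            if match:
                return int(match.group())
        return 0

    return PortSecurity(
        interface=interface,
        enabled=fields.get("port security", "").lower() == "enabled",
        port_status=fields.get("port status", "unknown"),
        violation_mode=fields.get("violation mode", "unknown"),
        max_macs=as_int("maximum mac addresses"),
        current_macs=as_int("current mac addresses", "total mac addresses"),
        violation_count=as_int("security violation count"),
    )


def assess(ps: PortSecurity) -> str:
    """Return 'good', 'warn' or 'bad' and append the reasons to ps.findings."""
    status = ps.port_status.lower()
    if not ps.enabled:
        ps.findings.append("port security is disabled on this interface")
        return "bad"
    if "shutdown" in status or status == "secure-down":
        ps.findings.append(
            f"port is {ps.port_status} after {ps.violation_count} violation(s): "
            "a rogue device or a maximum set too low; once the cause is known, "
            "recover with 'shutdown' then 'no shutdown'")
        return "bad"
    verdict = "good"
    if ps.violation_count > 0:
        ps.findings.append(
            f"{ps.violation_count} violation(s) recorded while the port stayed up")
        verdict = "warn"
    if ps.violation_mode.lower() == "protect":
        ps.findings.append(
            "violation mode 'protect' drops silently without logging, "
            "so a zero violation count here proves little")
        verdict = "warn"
    if ps.current_macs >= ps.max_macs:
        ps.findings.append(
            f"all {ps.max_macs} secure MAC slot(s) in use; "
            "the next unknown MAC triggers a violation")
    return verdict


# Constructed sample: a healthy access port with sticky learning.
HEALTHY_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 0
"""

# Constructed sample: the default 'shutdown' action has err-disabled the port.
VIOLATED_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.5e00.5301:10
Security Violation Count   : 1
"""

if __name__ == "__main__":
    for name, text in (("Gi0/1", HEALTHY_OUTPUT), ("Gi0/2", VIOLATED_OUTPUT)):
        ps = parse_port_security(name, text)
        print(name, assess(ps).upper(), "; ".join(ps.findings))
```

Run it as-is to see one GOOD and one BAD line; to use it on a real switch, feed each interface's captured output to parse_port_security and treat every 'bad' verdict as a ticket, since in restrict or shutdown mode the violation counter is the only evidence the switch keeps of an unknown device.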
CCNA Exam Tips
CCNA exam tip: Port security is disabled by default; you must enable it with 'switchport port-security' after setting the interface as an access port.
CCNA exam tip: The default violation mode is 'shutdown', which err-disables the port. You must manually re-enable it with 'shutdown' then 'no shutdown'.
CCNA exam tip: Sticky MAC addresses are added to the running config and can be saved; they are not automatically added to the startup config unless you copy run start.
CCNA exam tip: The 'maximum' command sets the maximum number of secure MAC addresses; the default is 1.
Common Mistakes
Mistake 1: Forgetting to set the interface as an access port with 'switchport mode access' before enabling port security, causing the command to be rejected.
Mistake 2: Setting the maximum too low, causing legitimate devices to be blocked and triggering violations.
Mistake 3: Using violation mode 'protect' without understanding that it silently drops traffic without logging, making troubleshooting difficult.
Related Commands
show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.