Switching and VLANsNetwork securityIntermediate45 min read

What Is Port security in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Port security is a feature on network switches that controls which devices are allowed to connect to a specific switch port. It works by limiting access based on the unique hardware address (MAC address) of a device. If an unauthorized device tries to connect, the switch can either block it, alert the network admin, or even disable the port entirely. This helps keep the local network safe from unwanted connections.

Common Commands & Configuration

switchport port-security maximum 3

Sets the maximum number of secure MAC addresses allowed on the port to 3. The port will learn up to 3 MAC addresses dynamically or statically. Any traffic from a 4th MAC will trigger a violation.

CCNA and Security+ frequently ask what the default maximum is (1) and how to increase it. This command tests understanding of the limit parameter.

switchport port-security violation shutdown

Configures the port security violation mode to shutdown. This is the default mode. When a violation occurs, the port is immediately errdisabled and will not forward traffic until manually re-enabled or automatically recovered.

Exams often require recall that shutdown is the default violation mode. They may also ask which mode causes errdisable.

switchport port-security mac-address 0050.7966.6800

Statically configures a specific MAC address as allowed on the port. This is used to pre-authorize devices without relying on dynamic learning. The MAC format is typically xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx.

Questions may test the difference between static and dynamic secure MAC addresses. Static MACs survive a reload without needing sticky.

switchport port-security mac-address sticky

Enables sticky MAC learning on the port. The switch will dynamically learn MAC addresses and then convert them into secure MAC entries in the running configuration. After a reload, the switch will use the stored sticky entries.

Common exam scenario: Sticky MACs need to be saved to startup config to persist across reboots. This command tests that concept.

clear port-security sticky

Clears all sticky MAC addresses from the port security table. This command removes the dynamically learned sticky entries but does not remove them from the running configuration. To fully remove, also use 'no switchport port-security mac-address sticky <mac>'.

Exams may ask what happens to sticky entries after a reboot if not saved, or how to clear them manually.

errdisable recovery cause psecure-violation

Globally enables automatic recovery for interfaces that were errdisabled due to port security violation. The default recovery interval is 300 seconds. Use 'errdisable recovery interval 120' to change the timer.

This feature is often misconfigured. Exams test whether you know that errdisable recovery is disabled by default and that it must be specifically enabled for 'psecure-violation'.

show port-security interface gigabitethernet0/1

Displays the port security configuration and status for a specific interface. Shows the maximum MAC count, current count, violation count, violation mode, and action. Useful for troubleshooting.

Exams often ask which command to use to verify port security status. This is the primary verification command.

no switchport port-security

Disables port security on the interface. All secure MAC addresses are removed from the secure table. The port will then accept traffic from any source MAC address.

Simple but important: disabling port security removes all restrictions. Questions may ask what happens to existing secure MAC addresses when this command is executed.

Port security appears directly in 33exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

Port security is a recurring exam topic across multiple IT certifications, though its emphasis varies. For the CCNA exam (Cisco Certified Network Associate), port security is a mandatory configuration objective under the Network Access domain. Candidates must know the commands to enable it, set the maximum number of MAC addresses, configure violation modes, and verify the configuration with show commands. CCNA scenario-based questions often present a network with unauthorized devices and ask the candidate to pick the correct port security configuration to block them. Troubleshooting questions might show a port in err-disabled state and require identifying that a port security violation occurred.

For CompTIA Security+, port security appears in the Architecture and Design domain under network segmentation and access controls. Candidates need to understand the concept, know the three violation modes, and recognize port security as a Layer 2 control that prevents MAC flooding and unauthorized connections. Exam questions may ask which security control prevents a rogue device from connecting to a switch port, with options like 802.1X, VLAN, port security, or ACLs. Port security is the correct answer.

In the CompTIA CySA+ exam, port security is a supporting concept for network monitoring and incident response. Analysts might be expected to interpret log entries showing port violations and correlate them with other events. The CISSP exam covers port security lightly within the Communication and Network Security domain, but it is not a primary objective. However, understanding MAC-based access controls is relevant for general security architecture.

For Microsoft certifications like MD-102 and MS-102, port security is a background concept. These exams focus on endpoint management and identity, but questions might reference network controls that affect device enrollment or connectivity. The SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) includes basic understanding of network security controls but does not look at port security configuration.

The AWS SAA exam does not test port security directly, as it is not relevant to cloud networking. However, understanding the concept helps with network security fundamentals. The AZ-104 (Azure Administrator) exam is similarly focused on cloud networks, but a light understanding of Layer 2 security is beneficial when designing hybrid network architectures.

Question types for port security typically include: multiple-choice conceptual questions (What does port security do?), scenario-based configuration tasks (Which command prevents unauthorized devices on Gi0/1?), and troubleshooting (Why is a port in err-disabled state?). In the CCNA exam, candidates may be expected to order steps in a configuration sequence or interpret show command output to determine the violation status. Knowing the default state (disabled), default maximum MACs (1), default violation mode (shutdown on Cisco), and the difference between sticky and static learning is crucial.

A common exam trick involves a port security violation that shuts down a port, and the candidate must know how to recover it (shutdown followed by no shutdown or configure errdisable recovery). Another trap is assuming that port security prevents MAC spoofing, which it does not; it only restricts unknown MACs. Exam authors often exploit this nuance. Overall, port security is a high-yield topic for CCNA and Security+, so candidates should invest time in both configuration and conceptual understanding.

Simple Meaning

Imagine you live in a secure apartment building. The main entrance has a doorman who knows every resident by face and name. Only people whose faces are in his trusted list can enter. If someone he doesn’t recognize shows up, the doorman stops them, sounds an alarm, or even locks the door completely so nobody can get in or out until the manager checks. This is exactly how port security works on a network switch.

A network switch is like a central hub that connects computers, printers, and other devices within a local network. Each device has a unique identifier called a MAC address, which is like a fingerprint that never changes. Port security lets the switch remember the MAC address of the first device that plugs into a particular port, and then it refuses to let any other device use that same port. If you try to swap your computer with a friend’s laptop on that cable, the switch will notice that the new MAC address doesn’t match the one it saved, and it will block traffic, generate an alert, or shut down the port.

Think of it like a key card system in an office. Each employee gets a key card that opens only their assigned office door. If someone tries to use a stolen card or a cloned card, the door stays locked, and security gets a notification. Port security works exactly the same way, the MAC address is the key card, the switch port is the door, and the network policy is the security guard checking every entry.

This feature is especially useful in places like schools, libraries, or corporate offices where many people share the same network jacks. Without port security, anyone could plug a device into a wall socket and gain access to the network. With port security enabled, the network admin can define exactly which devices are trusted on each port. If a different device appears, the switch can take one of three actions: it can simply block the new device (protect mode), it can alert the admin but still allow traffic (restrict mode), or it can disable the port completely until an administrator re-enables it manually (shutdown mode).

Port security also helps prevent a common attack called MAC flooding, where an attacker sends many fake MAC addresses to overflow the switch’s memory table and force it into a hub-like mode. Once the switch behaves like a hub, the attacker can see all network traffic. By limiting the number of MAC addresses allowed per port, port security stops this attack cold.

In simple terms, port security is a digital bouncer for your network jacks. It checks the ID of every device that wants to connect, and if the ID is not on the guest list, it doesn’t get in. This keeps your network safe from strangers who might steal data, spread malware, or cause other mischief.

Full Technical Definition

Port security is a Layer 2 security feature implemented on managed Ethernet switches, defined under IEEE 802.1 standards and extended by vendor-specific implementations such as Cisco’s switchport port-security feature. Its primary function is to restrict ingress traffic by associating a limited set of authorized MAC addresses with each switch port. Once configured, the switch monitors all incoming frames on that port and compares the source MAC address against a secure address table. If a frame arrives with a source MAC address not in the table, the switch executes a preconfigured violation action.

The operational model is based on three configurable violation modes: protect, restrict, and shutdown. In protect mode, the switch drops packets from unauthorized MAC addresses but does not log the event or increment the violation counter. This mode is the least intrusive but provides no audit trail. In restrict mode, the switch drops unauthorized packets, increments the violation counter, and generates a syslog message and SNMP trap, giving the administrator visibility into the incident. In shutdown mode, the switch immediately err-disables the port, effectively taking it offline until it is manually re-enabled or automatically recovered via configuration (errdisable recovery). Shutdown mode is the most secure but can cause service disruptions if legitimate devices are changed without updating the secure address list.

Port security can operate using three methods for learning MAC addresses: static, dynamic, and sticky. Static MAC addresses are manually entered into the running configuration. Dynamic learning allows the switch to automatically learn the first N MAC addresses seen on the port and store them in the address table until the switch reloads. Sticky learning is a hybrid approach where the switch dynamically learns MAC addresses and then converts them into static entries in the running configuration, typically saved to the startup configuration. Sticky addresses survive a reload, providing persistent security without requiring manual entry of every MAC address.

The maximum number of secure MAC addresses per port is configurable, with a default value of 1 when port security is first enabled. This limit can be raised to accommodate devices such as IP phones (which require one MAC for the phone and another for the connected PC) or small hubs. A common best practice is to set the maximum to 2 on access ports supporting voice and data VLANs, using the voice VLAN feature.

Port security also integrates with other security mechanisms. When used with 802.1X authentication, port security provides a second layer of defense by limiting the number of devices that can authenticate and access the network through a single port. This is particularly useful in environments where a user might attach a switch or hub to gain extra ports.

From a standards perspective, port security is not a single IEEE standard but rather a collection of features based on IEEE 802.1D bridging and MAC learning principles. Cisco, Juniper, HP (Aruba), and other vendors implement variations with slightly different command syntax and capabilities. For example, Cisco uses the interface configuration commands switchport port-security, switchport port-security maximum, switchport port-security violation, and switchport port-security mac-address. By default, port security is disabled on all interfaces.

Operationally, port security can be verified using commands such as show port-security, show port-security interface, and show mac address-table secure. Administrators must also consider the aging of MAC addresses. The static aging option allows the switch to age out secure addresses that have been idle for a defined period, forcing re-learning if the device reconnects. This is useful in dynamic environments like guest networks.

A critical technical detail is that port security operates at Layer 2 and does not filter based on IP addresses, protocols, or application data. It is strictly a MAC-based access control mechanism. It is also vulnerable to MAC address spoofing, where an attacker captures the authorized MAC and configures their device to use it. To mitigate spoofing, port security is often combined with 802.1X and dynamic ARP inspection (DAI) in a comprehensive security posture.

In modern networks, port security is considered a fundamental first-line defense for campus and enterprise LANs. It is a core topic in the CCNA curriculum and appears in the Security+ objectives under network access controls. The feature is lightweight, requiring no additional hardware or licensing on most managed switches, making it a cost-effective security measure.

Real-Life Example

Think about a co-working space where desks have wired network jacks. Each desk is used by a different person every day. The office manager wants to make sure that only members who have paid for access can plug into the network. Without port security, anyone could walk in off the street, sit at an empty desk, plug in their laptop, and start accessing the internet or internal servers, potentially stealing data or launching attacks.

Now imagine that each desk jack is like a hotel room door that requires a specific key card to open. The hotel gives each guest a unique key card that only works with their assigned room. If someone tries to use a different card, the door stays locked and the front desk gets an alert. Port security works exactly like that for the network jacks. The network administrator configures each switch port to recognize only the MAC address of the member’s laptop. If an unauthorized device tries to connect, the switch blocks the traffic or shuts down the port entirely.

Here’s how it plays out in a real scenario. A company called TechHub rents desk space to freelancers. Freelancer Alice has a desk with a wired port. The IT team configures port security to allow only Alice’s laptop MAC address on that port. One day, Alice brings a friend who plugs into her port while she is at lunch. The switch sees the friend’s unknown MAC address, and because port security is in shutdown mode, the port is disabled. When Alice returns, she finds her internet is down. She calls IT, who checks logs, sees the violation, re-enables the port, and reminds Alice not to share her connection.

Another common real-life use is in college dorm rooms. Each room has one network port, but students often bring gaming consoles, smart TVs, and multiple laptops. Without port security, a student might plug in a cheap switch to share the connection with roommates, bypassing the college’s per-device authentication. Port security with a limit of one MAC address per port prevents this. If the student plugs in a switch, the switch’s own management MAC address will be learned, but any device behind it will be blocked because the port will see multiple MAC addresses exceeding the limit.

The analogy of a secure parking lot also fits. Each parking spot is assigned to a specific car license plate. If a car with a different plate parks there, a barrier arm lowers to trap the car and alerts security. The parking lot manager can either let the car go with a warning (restrict mode), lower the barrier (protect mode), or lock the entire lot gate (shutdown mode). Port security mirrors this, the port is the parking spot, the MAC address is the license plate, and the switch enforcement is the barrier arm.

In everyday terms, port security prevents network freeloading and protects against casual attacks. It is a simple but powerful way to enforce which device talks to the network through each cable, ensuring that only trusted hardware gets a seat at the digital table.

Why This Term Matters

Port security matters because it addresses a fundamental vulnerability in local area networks: the physical access port. In any wired network, a switch port is an open door to the internal network. Without port security, anyone who can physically plug a cable into a port can immediately gain Layer 2 connectivity, potentially bypassing firewalls, authentication portals, and other perimeter defenses. This is especially critical in environments like offices, schools, hospitals, and government buildings where physical security cannot always be guaranteed.

The practical impact of port security is significant for IT administrators. It drastically reduces the attack surface of a LAN by preventing unauthorized devices from connecting to the network. It also provides a clear audit trail of which device attempted to connect and on which port, enabling rapid incident response. For example, if an unknown laptop appears on a port in an empty conference room, the network logs will show the MAC address, the port number, and the time of the attempt. This data can be used to identify the device owner via DHCP logs or NAC integration.

Port security also supports compliance with security frameworks like PCI-DSS, HIPAA, and ISO 27001. Many of these standards require controls to limit network access to authorized devices. Implementing port security is a straightforward way to demonstrate compliance during an audit. It is also a low-cost solution that works on existing hardware, requiring no additional servers or licenses beyond a managed switch.

From a performance perspective, port security has minimal overhead because it leverages existing MAC learning processes. The switch already examines source MAC addresses for forwarding decisions; port security simply adds a lookup against an authorized list. There is no measurable latency or throughput degradation on modern switches.

Port security is not a silver bullet. It can be bypassed by MAC spoofing, and it does not protect against malicious insiders who have access to authorized devices. However, it remains a foundational security control that should be enabled on every access port in a security-conscious network. For certification candidates, understanding port security is essential for exams like CCNA, Security+, CySA+, and CISSP, all of which include network access control objectives.

How It Appears in Exam Questions

Port security questions typically fall into three categories: concept, configuration, and troubleshooting. In concept questions, the exam asks for the purpose or benefit of port security. For example, Which of the following is the primary benefit of port security? The correct answer is that it prevents unauthorized devices from connecting to a switch port. Distractors might include preventing VLAN hopping, securing wireless networks, or encrypting traffic.

Configuration questions present a scenario with an interface. A typical CCNA question might read: An administrator wants to allow only the PC with MAC address aaaa.bbbb.cccc on interface Gi0/1 and block all other devices. Which configuration is correct? The candidate must choose the sequence that includes switchport port-security, switchport port-security mac-address aaaa.bbbb.cccc, and switchport port-security violation shutdown. Another variation asks for the command to set the maximum MAC addresses to two, often with a voice VLAN context.

Troubleshooting questions show a show port-security interface output where the violation count is incremented, or the port is in err-disabled state. The question might ask: Based on the output, what is the most likely cause? The answer is a port security violation due to an unauthorized MAC address. The candidate may also be asked to propose a solution, such as removing the unknown device, re-enabling the port, or adding the MAC address to the secure list.

In Security+, questions tend to be multiple-choice: An organization wants to prevent employees from plugging personal devices into the network jacks. Which technology should be implemented? The answer is port security. Another type asks about violation modes: Which port security violation mode drops unauthorized traffic but does not generate an alert? Answer: protect mode.

CySA+ might show a network log with multiple port violations from the same port in a short time, and ask the analyst to identify the type of attack. The correct answer could be a MAC flooding attack attempt, which port security helps mitigate by limiting the number of MAC addresses per port.

Port security also appears in combination with other features. For instance, a question might integrate 802.1X and port security, asking which feature is used to limit the number of devices behind an authenticated port. Another scenario shows a user getting a new laptop and not being able to connect, and the administrator must determine that the sticky MAC address is still the old machine’s MAC.

Finally, some questions test knowledge of defaults: What is the default maximum number of secure MAC addresses on a Cisco switch port when port security is enabled? Answer: 1. What is the default violation mode? Answer: shutdown. These baseline facts are often directly tested.

Practise Port security Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small business, BookNook Inc., has 20 employee workstations connected to a single managed switch in the server room. The owner is concerned about security because the office doors are sometimes left unlocked during the day. Any visitor could potentially plug a laptop into an empty wall jack and access the company network. The network administrator, Raj, decides to implement port security on all access ports.

Raj logs into the switch and selects interface Gi0/1, which is connected to Lucy’s desk. He knows Lucy’s computer has the MAC address 00A1.2B3C.4D5E. He enters the following commands: interface gigabitethernet0/1 switchport mode access switchport port-security switchport port-security maximum 1 switchport port-security mac-address 00A1.2B3C.4D5E switchport port-security violation shutdown

He repeats this for each of the 20 ports, using each employee’s MAC address. He also configures the last two ports as spare ports with sticky learning, so that the first device plugged in becomes the trusted device.

A week later, a service technician working on the HVAC system sees an empty desk and plugs his personal laptop into the wall jack to check email. The switch immediately detects the technician’s MAC address, which is not on the secure list. Because the violation mode is shutdown, the switch disables port Gi0/1. The technician gets no network connectivity. At the same time, the switch sends a syslog message to Raj’s monitoring console: Port Gi0/1 was disabled by port security violation.

When Lucy returns from lunch and finds her computer offline, she calls Raj. Raj checks the logs, sees the violation, identifies the physical port location, and realizes a guest must have used the desk. He clears the violation by re-enabling the port with the command shutdown followed by no shutdown. He also sends a company email reminding employees not to let guests use their network connections.

This scenario demonstrates how port security works in practice. It prevents unauthorized access, provides an audit trail, and forces an administrator to approve any change in connected devices. Without port security, the technician’s laptop would have had full network access, potentially exposing the company to malware or data theft.

Common Mistakes

Assuming port security prevents MAC spoofing attacks

Port security only checks that the source MAC address is in its list of authorized addresses. If an attacker captures the legitimate MAC and spoofs it, the switch sees the authorized MAC and allows the traffic. Port security has no mechanism to detect spoofing.

Use port security in combination with 802.1X or dynamic ARP inspection to detect and prevent MAC spoofing.

Forgetting to set the switchport mode to access before enabling port security

Port security is only supported on access ports and private VLAN trunk ports on most switches. If the port is configured as a trunk, the switch will reject the port-security command or apply it incorrectly, potentially breaking VLAN tagging.

Always configure switchport mode access before enabling port security on a user-facing port.

Setting the maximum MAC addresses too high by default

A high maximum (e.g., 100) defeats the purpose of port security because it allows many devices to connect, increasing the risk of unauthorized access. It also consumes switch CAM table resources.

Set the maximum MAC addresses to the smallest number needed for the devices on that port. For a single PC, use 1. For a phone and PC, use 2.

Using sticky learning without saving the configuration

Sticky MAC addresses are stored in the running configuration. If the switch reloads before the configuration is saved, the sticky addresses are lost, and the port will accept the first new device seen, which could be an attacker.

After configuring sticky port security, issue the copy running-config startup-config command to save the sticky addresses.

Confusing protect mode with restrict mode

Protect mode drops unauthorized traffic silently with no log or violation counter increment. Restrict mode also drops traffic but logs the event and increments the violation counter. Learners often think protect mode provides logging, which it does not.

Remember: protect is silent, restrict is logged, shutdown is severe (port disabled).

Thinking that port security is enabled by default on all ports

On most managed switches, including Cisco, port security is disabled by default. The administrator must explicitly enable it per interface.

Always verify that port security is enabled on the desired interfaces using show port-security summary.

Exam Trap — Don't Get Fooled

{"trap":"An exam question shows a port that is in err-disabled state due to port security violation. The candidate is asked to choose the fastest way to restore the port. A distractor option is to delete the running configuration and reload the switch."

,"why_learners_choose_it":"Learners panic and think a reload will reset everything, not realizing that the startup configuration still contains port security entries that will cause the same violation upon reboot. They may also think that reloading is a quick fix for any problem.","how_to_avoid_it":"The correct method is to first identify and remove the offending device, then perform shutdown followed by no shutdown on the interface.

Alternatively, if errdisable recovery is configured, the port will automatically come up after the recovery timeout. Reloading the switch is unnecessary and causes downtime for all users."

Commonly Confused With

Port securityvsMAC address filtering

MAC address filtering is a broader term that can apply to wireless networks or router ACLs, restricting access based on MAC addresses. Port security is specifically a Layer 2 switch feature that controls which MAC addresses are allowed on a given physical port. While both use MAC addresses, port security enforces the limit per port, whereas MAC filtering on a wireless network is per wireless LAN.

A wireless router can be set to allow only specific MAC addresses to connect to Wi-Fi (MAC filtering). Port security would be used on a switch port to allow only a specific PC on that wired connection.

Port securityvs802.1X authentication

802.1X is a port-based authentication protocol that uses a RADIUS server to verify the identity of a device or user before granting network access. Port security is a simpler, static method that allows or blocks devices based solely on their MAC address. 802.1X is dynamic and can integrate with directory services, while port security is local to the switch and does not authenticate users.

A university uses 802.1X so students must enter their credentials to access the network. A small office uses port security to block any device that is not the one assigned to that desk.

Port securityvsDHCP snooping

DHCP snooping is a security feature that filters untrusted DHCP messages to prevent rogue DHCP servers from offering false IP addresses. Port security focuses on blocking unauthorized MAC addresses at the Layer 2 level, not on DHCP message validation. They are complementary but serve different purposes.

DHCP snooping on a switch port prevents a malicious laptop from acting as a DHCP server. Port security on the same port prevents the laptop from connecting at all if its MAC is not authorized.

Port securityvsPrivate VLANs (PVLANs)

Private VLANs isolate ports within the same VLAN, preventing communication between devices on the same logical segment. Port security restricts which devices can use a port, not how they communicate with each other. PVLANs are about traffic isolation, while port security is about admission control.

In a hotel, PVLANs prevent guests from seeing each other's traffic even though they are in the same VLAN. Port security would be used to ensure only registered devices can plug into the room's wall jack.

Port securityvsNetwork Access Control (NAC)

NAC is a comprehensive solution that combines authentication, endpoint health checks, and policy enforcement to grant or deny network access across wired and wireless networks. Port security is a single feature within the broader NAC toolkit. NAC often uses 802.1X and can integrate with port security for additional enforcement.

Cisco ISE is a NAC product that checks if a device has antivirus before allowing access. Port security on the edge switch is a simple component that only checks MAC addresses.

Step-by-Step Breakdown

1

Identify the target interface

The administrator determines which physical switch port needs port security. This is typically an access port connected to an end device like a PC or printer. Trunk ports are generally not secured with port security because they carry multiple VLANs and expect many MAC addresses.

2

Set the switchport mode to access

Before enabling port security, the port must be configured as an access port using the command switchport mode access. This tells the switch that this port carries traffic for only one VLAN. Port security is not supported on dynamic or trunk ports in most implementations.

3

Enable port security on the interface

The command switchport port-security activates the feature on the interface. Without this, all subsequent port security commands are ignored. The feature remains disabled until this command is executed.

4

Configure the maximum number of secure MAC addresses

Using switchport port-security maximum <number>, the administrator sets how many MAC addresses are allowed on the port. The default is 1, but this can be adjusted. For example, an IP phone plus a PC would require 2.

5

Define the secure MAC addresses (static, dynamic, or sticky)

The administrator can manually enter MAC addresses (switchport port-security mac-address <mac>), allow dynamic learning, or enable sticky learning (switchport port-security mac-address sticky). Sticky learning converts dynamically learned addresses into static entries in the running config.

6

Choose the violation mode

With switchport port-security violation {protect | restrict | shutdown}, the administrator defines the action when an unauthorized MAC is detected. Protect drops silently, restrict drops and logs, shutdown disables the port completely.

7

Verify the configuration

Using show port-security interface <interface>, the administrator confirms that port security is enabled, lists the secure MAC addresses, shows the violation count, and indicates the current port status. show port-security summary provides an overview of all secured ports.

8

Save the configuration

To make port security settings persistent across switch reboots, the running configuration must be saved to startup configuration using copy running-config startup-config. This is especially important if sticky MAC addresses were learned, as they only exist in the running config until saved.

Practical Mini-Lesson

Port security is one of the most straightforward yet effective security controls available on managed switches. It requires very little overhead to configure and maintain, yet it can stop a significant class of attacks and accidental breaches. As a network professional, you will encounter port security in almost every wired LAN environment that takes security seriously, from small businesses with a single switch to large enterprise campus networks with hundreds of switches.

When configuring port security in practice, you must first understand the physical topology. Which ports are used by end users? Which ports connect to servers, printers, or IP phones? Which ports are in public areas, such as lobbies or conference rooms? Each of these may have different requirements. For a lobby port meant for guest access, you might set port security with sticky learning and a limit of 1, so only the first device that connects gets access. For a server port, you would statically assign the MAC address of the server and set the violation mode to shutdown for maximum security.

A common real-world scenario involves IP phones. A phone typically connects to the switch, and a PC connects to the phone. The switch must allow both the phone’s MAC and the PC’s MAC on the same port. The solution is to configure the maximum MAC addresses to 2, and use the voice VLAN feature to separate phone traffic. The port security configuration would be: switchport port-security, switchport port-security maximum 2, and set the violation to restrict so that if a third device appears, the admin gets a log entry without the port being disabled.

What can go wrong? The most common issue is a port security violation that shuts down a legitimately used port. This often happens when an employee gets a new laptop and plugs it into the same port, but the sticky MAC address of the old laptop is still configured. The administrator must manually clear the old MAC and re-enable the port, or allow the port to automatically recover using errdisable recovery cause psecure-violation. Configuring errdisable recovery with a timeout of 300 seconds means the port will come back online after five minutes, reducing help desk calls.

Another challenge is managing port security at scale. In a network with thousands of ports, manually entering MAC addresses is impractical. Sticky learning automates the initial setup, but if a device is replaced, the administrator must clear the old MAC from the config. Some organizations use scripts or network management tools to audit and update secure MAC addresses. Integration with 802.1X can also simplify this, as the authentication server can dynamically instruct the switch to allow or deny devices based on identity rather than MAC.

For CCNA exam candidates, the most important practical skill is the ability to read show port-security output. This includes identifying the number of secure MAC addresses, violation count, and port status. You should also be comfortable with the commands to clear sticky MAC addresses (clear port-security sticky) and to recover a port from err-disable (shutdown then no shutdown).

Finally, remember that port security is a deterrent, not a complete solution. It does not protect against a determined attacker who can spoof a legitimate MAC. It does not prevent VLAN hopping or ARP spoofing. It should be part of a defense-in-depth strategy that includes DHCP snooping, dynamic ARP inspection, 802.1X, and network segmentation. As a professional, use port security as your first layer of physical network defense, but always assume that a skilled attacker can bypass it. Combine it with other controls for real security.

Port Security Fundamentals and Default Behavior

Port security is a layer 2 security feature available on Cisco switches and many other enterprise switching platforms. Its primary purpose is to restrict which devices can send traffic through a switch port based on the source MAC address. When port security is enabled on an interface, the switch examines the source MAC address of every incoming frame and compares it against a list of allowed addresses. If the source MAC is not in the secure address list, the switch takes a predefined action, such as dropping the frame, generating a security violation, or even disabling the port entirely. This prevents unauthorized devices from connecting to the network and helps mitigate attacks like MAC flooding or rogue device insertion.

By default, port security is disabled on all interfaces. When enabled, it imposes a limit on the number of MAC addresses that can be learned on that port. The default maximum is one MAC address, but this can be configured from 1 to 132 (or higher on some models). The switch learns MAC addresses dynamically as frames pass through the port, and it stores them in the CAM table. Port security uses a separate table of secure MAC addresses, which may be dynamically learned, statically configured, or sticky (learned dynamically and then saved to the running configuration). Understanding the default behavior is critical for exams: if port security is enabled without any optional parameters, the port will learn one MAC address dynamically, and any additional MAC addresses will trigger a port security violation. The default violation mode is shutdown, meaning the port will be placed in an err-disabled state and will not forward traffic until manually reactivated.

One common exam misconception is that port security only works on access ports. In reality, it can also be configured on trunk ports, though it is more restrictive. On a trunk, the secure MAC address table applies to all VLANs on that trunk, and the switch checks the source MAC of frames from any VLAN. Because trunks often carry many MAC addresses, port security is rarely used on trunks without very specific design constraints. Another key point is that port security does not inspect the destination MAC address or any higher-layer information; it is purely a source MAC filter. This means a device with multiple applications or multiple VLANs behind a single NIC may still be allowed as long as the source MAC is in the secure table. Exams such as CCNA and Security+ test these basics frequently, often asking candidates to identify the default violation action or the default maximum MAC count.

Port security also interacts with other switching features. For example, when using Dynamic Host Configuration Protocol (DHCP) snooping, port security can provide an additional layer of verification. However, port security alone does not prevent DHCP starvation attacks; it only limits the number of MAC addresses seen on a port. The key takeaway for exam preparation is to memorize the default settings: disable port security, maximum MAC addresses = 1, violation mode = shutdown, no sticky learning. Any deviation from these defaults must be explicitly configured. In the AWS SAA context, port security is not directly relevant, but understanding the concept of MAC-based access control can help when evaluating similar features in virtual private clouds or when designing micro-segmentation strategies.

Port Security Violation Modes: Shutdown, Restrict, and Protect

When a port security violation occurs, the switch can respond in one of three ways: shutdown, restrict, or protect. Each mode has distinct behaviors and use cases, and understanding the differences is essential for exam questions and real-world troubleshooting. The shutdown mode is the default and most severe. When a violation occurs in shutdown mode, the switch immediately puts the port into an err-disabled state, and the port LED turns off or amber. The switch also increments the security violation counter and sends a syslog message and an SNMP trap. To recover the port, an administrator must manually issue the "no shutdown" command on the interface, or configure errdisable recovery. Because of its disruptive nature, shutdown mode is best suited for ports where any unauthorized device should cause immediate isolation, such as ports in sensitive server rooms or management interfaces.

The restrict mode is less severe. When a violation is detected in restrict mode, the switch drops frames from the offending MAC address but continues to allow traffic from already-secured MAC addresses. The port remains up and operational. The switch does generate a syslog message and increment the security violation counter. Importantly, restrict mode does not put the port in an err-disabled state, so no manual intervention is required. This mode is useful for edge ports where occasional unknown devices might connect, such as conference rooms or guest areas, but where you still want to enforce MAC limits without completely killing the port. However, restrict mode consumes CPU resources because the switch must examine every frame to decide whether to forward or drop it. In high-traffic environments, this can lead to performance degradation.

The protect mode is the least intrusive. When a violation occurs in protect mode, the switch silently drops frames from the offending MAC address without generating any syslog messages or SNMP traps. It does not increment the security violation counter. The port remains fully functional for all allowed MAC addresses. Protect mode is the only violation mode that does not log events, making it the stealthiest option. However, because it does not alert the administrator, unauthorized access could go unnoticed for a long time. Protect mode is rarely used in production except in very low-security environments or where logging is not required. Exam questions often ask candidates to identify which mode sends an SNMP trap, which mode requires manual recovery, or which mode drops traffic without notification. Alternatively, they may present a scenario requiring minimal administrative intervention and ask which mode fits best.

It is also important to know that the violation counters can be cleared with the "clear port-security sticky" or "clear mac address-table secure" commands, depending on the platform. In the context of the CySA+ or Security+ exams, understanding the tradeoffs between security and availability is key. For example, a network administrator might choose restrict mode for a hotel Wi-Fi edge port to maintain service for legitimate guests while blocking unexpected devices. In contrast, a data center top-of-rack switch might use shutdown mode to enforce strict access control. The CCNA exam often includes a comparison table between the three modes, testing the ability to recall that only shutdown causes err-disable and that protect suppresses all logging. An exam clue: if you see a question about a port that has stopped working but no log messages were generated, the most likely violation mode configured is protect.

Sticky MAC Addresses: Dynamic Learning with Persistence

Sticky MAC addresses are a powerful port security feature that combines dynamic learning with configuration persistence. When sticky learning is enabled on a port, the switch dynamically learns the MAC addresses of connected devices, just like normal dynamic learning, but then automatically converts those dynamically learned addresses into secure MAC addresses and writes them into the running configuration as if they were statically configured. This means that after a reboot, the switch will retain those MAC addresses in its configuration, and the port will only allow those previously learned devices. Sticky MAC addresses are particularly useful in environments where devices frequently connect and disconnect but you want to enforce a fixed set of allowed devices without manually typing each MAC address. To enable sticky learning, you use the command "switchport port-security mac-address sticky" on the interface. Optionally, you can also manually configure sticky MAC addresses by using "switchport port-security mac-address sticky <mac-address>".

One important detail is that sticky MAC addresses are stored in the running configuration. If you do not save the running configuration to the startup configuration (using "copy running-config startup-config" or "write memory"), all sticky-learned addresses will be lost upon reload. This is a common pitfall in both real-world deployments and exam scenarios. Another nuance is that sticky MAC addresses are treated as secure MAC addresses, meaning they count toward the maximum MAC address limit on the port. If the limit is reached, no more MAC addresses will be learned, and new devices will cause a violation. When you clear a sticky MAC address (using "clear port-security sticky" or by removing the address from the configuration), that address is removed from the secure table, and the port can learn a new device dynamically. However, if you clear a sticky address that was also in the running configuration, the address is not automatically removed from the configuration; you must also use "no switchport port-security mac-address sticky <mac>" to fully clean up.

Sticky MAC addresses are often tested in the CCNA and Security+ exams in the context of "how does the switch know what devices are allowed after a reboot?" The answer is that if sticky is enabled and the config was saved, the MACs are in the startup config. If not saved, the switch will have to re-learn the MACs dynamically. Sticky MAC addresses can be used on both access and trunk ports, but on trunk ports, the MAC address is associated with the port, not with a specific VLAN. This can cause issues if the same MAC is seen on multiple VLANs-the switch will treat it as a single secure address. In the MS-102 or SC-900 exams, sticky MAC concepts may appear in the context of device compliance or network access control (NAC) policies.

A common exam trick is to ask what happens when a sticky MAC address is manually deleted from the configuration while the device is still connected. The answer: the switch will immediately detect the new MAC as a violation because it is no longer in the secure table, and it will trigger the configured violation mode. Another scenario: if you enable sticky after the port has already learned some dynamic MACs, those existing dynamic MACs are not automatically converted to sticky. Only subsequent traffic from those devices will cause the MAC to become sticky. To convert existing dynamic MACs, you must clear the dynamic addresses and allow them to be re-learned. Knowing these details can help you answer tricky exam questions correctly. Remember that sticky MAC addresses are not a separate violation mode; they are a method of learning. The violation mode (shutdown, restrict, protect) is configured independently and will apply to any MAC that attempts to exceed the limit or is not in the secure table.

Port Security Errdisable Recovery and Best Practices

When a port security violation occurs in shutdown mode, the interface enters an errdisabled state. In this state, the switch stops forwarding all traffic on that port and the port is effectively disabled. The errdisable state is persistent across configuration changes unless manually addressed. There are two ways to recover an errdisabled port: manually using the "shutdown" followed by "no shutdown" commands on the interface, or automatically using errdisable recovery. The manual method is simple but requires administrative intervention, which may not be practical for large networks with hundreds of ports. The automatic recovery method uses the command "errdisable recovery cause psecure-violation" globally on the switch. This causes the switch to automatically bring the port out of errdisable state after a specified interval (default 300 seconds, configurable with "errdisable recovery interval <seconds>"). This feature is extremely useful for reducing operational overhead, especially in environments where temporary violations are expected, such as guest networks or employee bring-your-own-device (BYOD) scenarios.

However, automatic recovery has security implications. If an attacker connects an unauthorized device, the port will be errdisabled, but then automatically recover after the interval, allowing the attacker to try again. In a high-security environment, manual recovery is often preferred to ensure that a human evaluates why the violation occurred. Another best practice is to use errdisable recovery with restrict mode instead of shutdown mode when automatic recovery is desired, because restrict mode does not fully disable the port and does not require recovery at all. The choice between shutdown and restrict often depends on the balance between security and availability. In the exam environment, you may be asked to calculate the recovery time or identify the command that enables automatic recovery for port security violations.

Another critical aspect is the interaction between port security and other features that can cause errdisable, such as Spanning Tree Protocol (STP) loop guard, BPDU guard, or UDLD. It is possible for a port to be errdisabled for multiple reasons simultaneously. The command "show interfaces status err-disabled" lists all errdisabled ports and the reason. For port security, the reason will show "psecure-violation". Understanding how to troubleshoot and recover from errdisable states is a key exam objective for CCNA and CompTIA Network+. In the Microsoft MD-102 and MS-102 exams, similar concepts apply to Windows Defender Firewall and network isolation, though the terminology differs. The key takeaway is that port security errdisable is a feature that directly impacts network availability. Best practices include: always save the configuration after enabling port security to avoid losing sticky MACs, use restrict mode on low-security ports to avoid manual recovery, set appropriate maximum MAC addresses based on the actual number of expected devices, and monitor security violation counters using "show port-security" or SNMP. Consider using BPDU guard in conjunction with port security on access ports to prevent STP manipulation attacks. Exam clues often revolve around the fact that errdisable recovery is disabled by default, and that the default recovery interval is 300 seconds. A typical question might be: "A switch port was errdisabled due to a port security violation. After fixing the issue, the administrator wants the port to automatically come back online after 30 seconds. What should be configured?" The answer: enable errdisable recovery for psecure-violation and set the interval to 30.

Troubleshooting Clues

Port and LED are off after connecting a new device

Symptom: The switch port LED is off (or amber), and the port shows status 'err-disabled' in show interfaces. Traffic stops completely.

This is the classic shutdown violation mode scenario. The new device's MAC address exceeded the maximum allowed secure MAC count, causing the port to errdisable. The switch generates a syslog message and increments the violation counter.

Exam clue: Exam questions often describe a port that stopped working after plugging in a new device. The correct answer is to check 'show interfaces status' for errdisabled and then identify the cause as port security violation.

Port is up but traffic from some devices is being dropped

Symptom: Some devices on the port can communicate normally, but others connected to the same switch cannot send or receive traffic. No port error appears.

This indicates a restrict or protect violation mode. The switch is dropping frames from unauthorized MAC addresses while allowing traffic from authorized ones. In restrict mode, syslog messages appear; in protect mode, they do not.

Exam clue: Questions that describe partial connectivity on a port often point to restrict or protect mode. The admin may not see a port shutdown, so the root cause is port security violation with a non-shutdown mode.

Sticky MAC addresses are missing after a switch reboot

Symptom: After a reload, the port security table is empty and the port learns new MAC addresses dynamically, even though sticky was configured before the reboot.

Sticky MAC addresses are stored in the running configuration. If the running configuration was not saved to startup configuration, the sticky entries are lost on reboot. The switch reverts to dynamic learning.

Exam clue: Classic exam trap: sticky MAC persistence requires a 'write memory' or 'copy run start'. Questions about sticky MAC behavior after reload always test this concept.

Unable to configure more than 1 MAC address on a port

Symptom: When trying to add a second static secure MAC address, the switch rejects the command or the port flags a violation.

The default maximum MAC address count is 1. Without using 'switchport port-security maximum', the port only allows one secure MAC. Attempting to add a second MAC (static or dynamic) triggers a violation.

Exam clue: Always check the maximum count first when configuring multiple MACs. Exam scenarios often omit the maximum command as a distractor.

Port security violation counters keep incrementing even though the port is up

Symptom: Using 'show port-security' shows a high violation count, but the port is still operational and not errdisabled. The admin sees no syslog messages.

This suggests the port is in protect mode. Protect mode suppresses syslog messages and does not change port state. The only indicator is the violation counter. The switch drops offending frames silently.

Exam clue: If a question states that the violation counter is increasing but no alarms were raised, the violation mode is probably protect. This is a common exam distinction.

Port security not working on a trunk port

Symptom: After enabling port security on a trunk port, multiple MAC addresses from different VLANs are allowed without triggering violations, even if maximum is set low.

Port security on trunk ports counts all MAC addresses seen across all enabled VLANs. If the trunk carries many VLANs, the total number of MACs can quickly exceed the limit. However, the switch may not enforce the limit correctly in some scenarios, or an administrator may forget to set an appropriate maximum for the trunk.

Exam clue: Exams often test that port security works on trunk ports but is impractical. Know that each MAC is counted once, regardless of VLAN, and that the maximum applies to the entire port.

Port remains in errdisable after automatic recovery is configured

Symptom: The administrator enabled 'errdisable recovery cause psecure-violation', but the port still shows errdisable after the recovery interval expired.

Possible reasons: the recovery interval was not set correctly (default 300 seconds may not have passed), or the recovery cause was misspelled (e.g., 'pssecure' instead of 'psecure-violation'), or the errdisable recovery was not enabled globally, or the port was errdisabled for a different reason (e.g., BPDU guard). Always confirm with 'show errdisable recovery'.

Exam clue: This scenario tests knowledge of the exact syntax and the need to verify with 'show errdisable recovery'. Misconfiguration of cause names is a frequent exam mistake.

Device MAC address changes frequently causing violations

Symptom: A legitimate device (e.g., a laptop with MAC randomization) connects to the port, but after a few minutes, the port shows violations and the device loses connectivity.

MAC randomization in modern operating systems (Windows, Android, iOS) changes the source MAC address periodically. Port security sees a new MAC each time and triggers a violation because the new MAC is not in the secure table. This is a common issue with sticky or static configurations.

Exam clue: Questions about MAC randomization and port security are appearing more in Security+ and CCNA. The solution is to disable MAC randomization on the device or use a different security mechanism like 802.1X.

Learn This Topic Fully

This glossary page explains what Port security means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.What is the default violation mode for port security on a Cisco switch?

2.A switch port is configured with port security and sticky MAC addresses. After a power outage, the switch reboots. What must be done to ensure the sticky MAC addresses are retained?

3.Which port security violation mode drops unauthorized frames without sending a syslog message or incrementing the violation counter?

4.A network administrator configures 'switchport port-security maximum 2' on an access port. Two devices are connected and working. A third device is connected to a hub attached to the same port. What is the most likely outcome?

5.Which command would you use to verify the number of secure MAC addresses currently learned on interface GigabitEthernet0/1?