CCNA 200-301 | Chapter 171 of 260 | Objective 2.7

Lab: Configure Port Security

Port security is a critical Layer 2 security feature that prevents unauthorized devices from connecting to your network by limiting which MAC addresses can send traffic through a switch port. On the CCNA 200-301 exam (objective 2.7), you must know how to configure, verify, and troubleshoot port security, including sticky MAC addresses, violation modes, and aging options. In real networks, it's your first line of defense against rogue devices and MAC flooding attacks.

25 min read
Intermediate
Updated May 31, 2026

The Bouncer at a VIP Club

Imagine you run an exclusive nightclub. You have a bouncer at each entrance who only lets in people whose names are on the VIP list. Each entrance has its own list (port security configuration). The bouncer checks every person's ID (source MAC address) against the list. If a person's name is on the list, they enter; if not, the bouncer can either just warn them (restrict), kick them out (shutdown), or let them in but note the violation (protect). You can also teach the bouncer to remember new names by having the first few guests sign the list themselves (sticky learning). After a set time, the bouncer might forget some names to make room for new guests (aging). The bouncer never lets more than a certain number of people in (maximum MAC addresses). If a guest tries to come in through a different door, the bouncer won't recognize them unless their name is on that door's list too. This is exactly how port security works: each switch port has its own list of allowed MAC addresses, and the switch enforces the rules based on the violation mode configured.

How It Actually Works

What is Port Security?

Port security is a Cisco switch feature that restricts input on a port by limiting the MAC addresses allowed to send traffic. It helps prevent unauthorized devices from connecting to the network and mitigates MAC flooding attacks (where an attacker floods the switch with fake MAC addresses to overflow the CAM table). Port security is configured per interface and can be used with static, dynamic, or sticky MAC addresses.

How Port Security Works

When a frame arrives on a switch port, the switch examines the source MAC address. If port security is enabled, the switch checks whether that MAC address is allowed on that port. The port has a configured maximum number of allowed MAC addresses (default is 1). If the source MAC is already in the secure MAC address list, the frame is forwarded normally. If it's a new MAC and the maximum hasn't been reached, the MAC is learned dynamically (or added as sticky). If the maximum is reached and a new MAC arrives, a security violation occurs. The switch then takes an action based on the violation mode: protect (drops the frame without notification), restrict (drops the frame and logs it), or shutdown (disables the port and logs it).

Violation Modes

Protect: Drops frames from unknown MAC addresses. No SNMP trap or syslog message. The port remains up. This is the least secure mode because you don't know violations are happening.

Restrict: Drops frames from unknown MACs, increments the violation counter, and sends a syslog message and SNMP trap. The port remains up. This is good for monitoring.

Shutdown: Immediately places the port in errdisable state. The port LED turns off. A syslog message is sent. The port must be manually re-enabled or automatically recovered via errdisable recovery. This is the default violation mode and the most secure.

Sticky MAC Addresses

Sticky MAC addresses are dynamically learned and then converted to static entries in the running configuration. When you enable sticky learning on an interface, the switch adds any dynamically learned MAC address to the running config as a sticky secure MAC address. These addresses live in the running config and can be written to the startup config. If a secure MAC address that belongs to one port is seen arriving on another secure port in the same VLAN, that is also treated as a violation.

MAC Address Aging

Port security lets you set an aging time (in minutes) for secure MAC addresses. There are two aging types:

- Absolute: The MAC address is removed after the aging time, even if it is still active.
- Inactivity: The MAC address is removed only if no traffic is seen from it for the aging time.

The default aging time is 0 (no aging).
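As an added example (not code from the page and not Cisco code), the following Python class models the per-frame decision described in the sections above: the maximum count, the three violation modes, sticky learning, and absolute versus inactivity aging. Time is passed in as an integer minute count and the MAC addresses in `demo()` are constructed; both are assumptions of the model, made so the sequence of decisions can be traced deterministically.

```python
"""Toy model of the per-frame port-security decision.

Added example, not Cisco code and not from the original page: it models one
secure port so the interplay of maximum, violation mode, sticky learning and
aging can be traced. Time is an integer minute count supplied by the caller
(an assumption made to keep the model deterministic).
"""
from dataclasses import dataclass, field
from typing import Dict, List

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                # IOS default: one secure MAC per port
    violation: str = SHUTDOWN       # IOS default violation mode
    sticky: bool = False            # sticky learning is off by default
    aging_time: int = 0             # minutes; 0 = aging disabled (default)
    aging_type: str = "absolute"    # "absolute" or "inactivity"
    # mac -> {"type": SecureConfigured|SecureSticky|SecureDynamic, "learned": min, "seen": min}
    secure_macs: Dict[str, dict] = field(default_factory=dict)
    violation_count: int = 0
    errdisabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str, now: int = 0) -> None:
        """Equivalent of 'switchport port-security mac-address <mac>'."""
        self.secure_macs[mac] = {"type": "SecureConfigured", "learned": now, "seen": now}

    def _age_out(self, now: int) -> None:
        """Drop dynamically learned entries whose timer has expired.

        Only SecureDynamic entries age: static aging is off by default
        ("SecureStatic Address Aging : Disabled") and sticky entries are kept
        like static ones. Absolute counts from learning time, inactivity from
        the last frame seen.
        """
        if self.aging_time == 0:
            return
        key = "learned" if self.aging_type == "absolute" else "seen"
        for mac in [m for m, e in self.secure_macs.items()
                    if e["type"] == "SecureDynamic" and now - e[key] >= self.aging_time]:
            del self.secure_macs[mac]

    def receive(self, src_mac: str, now: int) -> str:
        """Handle one ingress frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "drop"                           # port is down, nothing passes
        self._age_out(now)
        entry = self.secure_macs.get(src_mac)
        if entry is not None:
            entry["seen"] = now                     # known secure MAC
            return "forward"
        if len(self.secure_macs) < self.maximum:    # room left: learn it
            kind = "SecureSticky" if self.sticky else "SecureDynamic"
            self.secure_macs[src_mac] = {"type": kind, "learned": now, "seen": now}
            return "forward"
        # Table is full and the source is unknown: a security violation.
        if self.violation == PROTECT:
            return "drop"                           # silent: no counter, no log
        self.violation_count += 1
        self.syslog.append(f"security violation on {self.name} caused by {src_mac}")
        if self.violation == RESTRICT:
            return "drop"                           # logged, port stays up
        self.errdisabled = True                     # shutdown mode: err-disabled
        return "errdisable"


def demo() -> dict:
    """Four constructed scenarios (all MAC addresses are made up)."""
    out = {}
    # 1. Defaults: a second MAC err-disables the port; even the original MAC
    #    is then dropped until the port is recovered.
    gi1 = SecurePort("Gi0/1")
    out["gi1"] = [gi1.receive("0011.2233.4455", 0), gi1.receive("0011.2233.4455", 1),
                  gi1.receive("aaaa.bbbb.cccc", 2), gi1.receive("0011.2233.4455", 3)]
    out["gi1_down"] = gi1.errdisabled
    # 2. Restrict, max 2, 10-minute inactivity aging: the idle MAC ages out and
    #    a newcomer takes its slot; a later arrival beyond the max is only counted.
    gi2 = SecurePort("Gi0/2", maximum=2, violation=RESTRICT,
                     aging_time=10, aging_type="inactivity")
    gi2.receive("0000.0000.000a", 0)
    gi2.receive("0000.0000.000b", 0)
    out["gi2"] = [gi2.receive("0000.0000.000c", 1), gi2.receive("0000.0000.000a", 5),
                  gi2.receive("0000.0000.000c", 12), gi2.receive("0000.0000.000b", 13)]
    out["gi2_count"] = gi2.violation_count
    # 3. Protect: the frame is dropped but nothing is counted or logged.
    gi3 = SecurePort("Gi0/3", violation=PROTECT)
    gi3.receive("0000.0000.000a", 0)
    out["gi3"] = (gi3.receive("0000.0000.000b", 0), gi3.violation_count, len(gi3.syslog))
    # 4. Sticky: the learned address is recorded as a sticky (static-like) entry.
    gi4 = SecurePort("Gi0/4", sticky=True)
    gi4.receive("0000.0000.000d", 0)
    out["gi4_type"] = gi4.secure_macs["0000.0000.000d"]["type"]
    return out
```

Running `demo()` shows the exam-relevant contrasts in one place: the shutdown port stops forwarding even its legitimate host, the restrict port stays up and keeps counting, and the protect port records nothing at all.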

Defaults

Port security is disabled by default.

Maximum MAC addresses: 1

Violation mode: shutdown

Aging type: absolute

Aging time: 0 (disabled)

Sticky learning: disabled

Verification Commands

```
Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Gi0/1              1            1                 1          Shutdown
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
```

```
Switch# show port-security interface gigabitEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
```

```
Switch# show port-security address
               Secure Mac Addresses Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0011.2233.4455    SecureConfigured    Gi0/1        -
```
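As an added example (not a Cisco tool and not from the page), here is a small Python parser for the `show port-security interface` output shown above. It turns the `Field : value` lines into a dictionary and flags what a defender cares about when sweeping many ports: a port err-disabled after a violation, a non-zero violation count, a maximum above site policy, and protect mode (which logs nothing). The first sample is the page's own Gi0/1 output; the second is constructed, and the policy maximum of 2 is an assumption taken from the PC-plus-IP-phone desk scenario on this page.

```python
"""Parse 'show port-security interface' output and flag what needs attention.

Added example: not Cisco tooling and not code from the page. The first sample
is the page's Gi0/1 output; the second is constructed. The 'Field : value'
layout is assumed to hold for every line of the output.
"""
from typing import Dict, List

# Copied from the page: Gi0/1 after a violation in shutdown mode.
SHOW_GI0_1 = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
"""

# Constructed: an up port whose settings quietly weaken the feature.
SHOW_GI0_2 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 100
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 3
Last Source Address:Vlan   : 0000.0000.0003:10
Security Violation Count   : 0
"""


def parse_interface_output(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict.

    Split on the first ' : ' (colon surrounded by spaces) so the field name
    'Last Source Address:Vlan' and values such as '0011.2233.4455:1' survive.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def assess(fields: Dict[str, str], expected_max: int = 2) -> List[str]:
    """Findings for one port.

    expected_max is a site-policy value (assumption): 2 fits the page's
    PC-plus-IP-phone desk scenario.
    """
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        return ["port security not enabled"]
    violations = int(fields.get("Security Violation Count", "0"))
    status = fields.get("Port Status", "")
    if status == "Secure-down" and violations:
        findings.append("err-disabled after a violation; last source "
                        + fields.get("Last Source Address:Vlan", "?"))
    elif status == "Secure-down":
        findings.append("port is down (Secure-down), no violation recorded")
    if violations:
        findings.append(f"{violations} violation(s) counted")
    maximum = int(fields.get("Maximum MAC Addresses", "1"))
    if maximum > expected_max:
        findings.append(f"maximum {maximum} exceeds policy of {expected_max}")
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("protect mode: violations are dropped without syslog/SNMP")
    return findings


def audit_all() -> Dict[str, List[str]]:
    """Assess both samples, keyed by interface name."""
    return {"Gi0/1": assess(parse_interface_output(SHOW_GI0_1)),
            "Gi0/2": assess(parse_interface_output(SHOW_GI0_2))}
```

In practice you would feed `parse_interface_output` the output collected from each access port and review the findings list; a port that reports `Secure-down` together with a non-zero violation count is the one that needs the `shutdown` / `no shutdown` (or errdisable recovery) described later in the walk-through.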

Interaction with Related Features

Port security interacts with other switch features:

- STP: Port security is independent of STP. A port can be in blocking state and still have port security enabled (though no traffic flows).
- VLAN: Secure MAC addresses are VLAN-specific. A port in trunk mode can have secure MAC addresses per VLAN (but this is complex and rarely used).
- EtherChannel: Port security is not supported on EtherChannel member ports; it must be configured on the port-channel interface itself (and only static MAC addresses are allowed there).
- Dynamic ARP Inspection (DAI): Port security complements DAI by limiting the number of MAC addresses on a port, reducing the attack surface.

Walk-Through

Step 1: Enable port security on the interface

Enter interface configuration mode for the port you want to secure and use the `switchport port-security` command to enable port security. The command must be issued on a switchport (access or trunk); if the interface is not a switchport, it is rejected. Example:

```
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
```

Setting `switchport mode access` is not strictly required for port security (trunk mode is also accepted), but it is recommended because port security is most commonly used on access ports. On trunk ports you can also configure port security, but with limitations (e.g., per-VLAN MAC limits).

Step 2: Set the maximum number of MAC addresses

By default, a secure port allows only one MAC address. To change this, use `switchport port-security maximum <number>`; the range is 1 to 8192. For example, to allow up to 5 MAC addresses:

```
Switch(config-if)# switchport port-security maximum 5
```

Size the maximum to the number of devices that will actually connect to the port. For a single host, 1 is fine; for a hub (not recommended) or a small switch you might need more. Every increase in the maximum weakens the protection.

Step 3: Configure the violation mode

Choose the action taken when a violation occurs. The default is shutdown. Use `switchport port-security violation {protect | restrict | shutdown}` to change it. For example, to use restrict mode:

```
Switch(config-if)# switchport port-security violation restrict
```

- **protect**: Drops frames silently; no log.
- **restrict**: Drops frames, logs, and increments the violation counter.
- **shutdown**: Disables the port (errdisable).

For the exam, remember that shutdown is the default and the most secure. Restrict is good for monitoring without disabling the port.

Step 4: Configure sticky MAC learning

To dynamically learn and save MAC addresses, enable sticky learning with `switchport port-security mac-address sticky`. This converts dynamically learned MACs to sticky secure MACs in the running config. Example:

```
Switch(config-if)# switchport port-security mac-address sticky
```

After this, any MAC learned on the port is added as a sticky entry. To add a static MAC manually, use `switchport port-security mac-address <mac>`. Sticky addresses survive a reload only if the running config is saved to the startup config.

Step 5: Configure MAC address aging

Set the aging time and type with `switchport port-security aging {time <minutes> | type {absolute | inactivity}}`. For example, to age out secure addresses after 10 minutes of inactivity:

```
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
```

Aging reclaims unused MAC entries. Absolute aging removes the MAC after the time regardless of activity; inactivity aging removes it only if no traffic is seen from it for that long. The default aging time is 0 (disabled).

Step 6: Verify and test the configuration

After configuration, confirm the settings with `show port-security interface <int>` and `show port-security address`. To test, connect a device with an unauthorized MAC or exceed the maximum. If the violation mode is shutdown, the port goes into errdisable state; check with:

```
Switch# show interfaces status err-disabled
```

To recover, manually `shutdown` and `no shutdown` the interface, or configure errdisable recovery. For the exam, know that `show port-security` gives a per-port summary and `show port-security address` lists all secure MACs.

Step 7: Enable errdisable recovery (optional)

If you use shutdown mode, you can configure automatic recovery from the errdisable state. Enable it globally with `errdisable recovery cause psecure-violation` and set the timer with `errdisable recovery interval <seconds>`. Example:

```
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
```

This re-enables the port automatically after 300 seconds (5 minutes). Without it, an administrator must manually shut/no shut the port. On the exam, know that psecure-violation is the errdisable cause for port security shutdowns.

What This Looks Like on the Job

In enterprise networks, port security is deployed on access ports connecting end-user devices. A common scenario is a corporate office where each desk has a single PC and an IP phone: the switch port is configured with a maximum of 2 MAC addresses (one for the PC, one for the phone) and sticky learning enabled. This prevents an employee from plugging in a rogue switch or hub to add more devices. Another scenario is a data center where server ports are configured with the static MAC addresses of the server NICs, so that if a server is moved or replaced, the port will not accept traffic from the new server until the MAC is updated. Port security is also used in public Wi-Fi areas to prevent users from plugging into the wired network.

A misconfiguration that I've seen in production is setting the maximum too high (e.g., 100), which defeats the purpose. Another common mistake is forgetting to enable sticky learning and then wondering why MAC addresses are not saved after a reload.

Performance-wise, port security has minimal overhead because it's done in hardware (CAM lookup). However, on very busy ports with many MAC addresses, the CPU may be involved for learning. In large networks, managing static MAC entries can become tedious, so sticky learning is preferred.

When a violation occurs in shutdown mode, it causes an outage that requires manual intervention or errdisable recovery. This can be disruptive if a legitimate device is replaced without updating the port security configuration. Therefore, restrict mode is often used in less critical areas to avoid outages while still logging violations.
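The misconfigurations just described (a maximum far too high, sticky learning forgotten, shutdown mode with no errdisable recovery) can be caught before they bite by auditing the running configuration. As an added example that is not part of the page and not a Cisco feature, the Python below splits a constructed running-config (built from the walk-through commands, with made-up interface names) into interface stanzas and applies those checks, using the IOS defaults for commands that are absent. The policy maximum of 2 is an assumption matching the PC-plus-phone desk above.

```python
"""Audit port-security settings in a running-config text.

Added example, not a Cisco tool and not from the page. The config below is
constructed from the page's walk-through commands; interface names, the policy
maximum of 2 and the wording of the findings are assumptions.
"""
import re
from typing import Dict, List, Tuple

RUNNING_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 100
!
interface GigabitEthernet0/6
 switchport mode access
!
end
"""


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {interface name: [stripped sub-commands]})."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())      # indented sub-command
        else:
            current = None                                # '!' or a global command
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_interface(lines: List[str], global_lines: List[str],
                    policy_max: int = 2) -> List[str]:
    """Findings for one switchport, assuming IOS defaults for absent commands."""
    if not any(l.startswith("switchport mode") for l in lines):
        return []                                 # not an access/trunk port: skip
    if "switchport port-security" not in lines:
        return ["port security not enabled"]
    maximum, violation, has_addr = 1, "shutdown", False   # IOS defaults
    for l in lines:
        if (m := re.fullmatch(r"switchport port-security maximum (\d+)", l)):
            maximum = int(m.group(1))
        elif (m := re.fullmatch(r"switchport port-security violation (\w+)", l)):
            violation = m.group(1)
        elif l.startswith("switchport port-security mac-address "):
            has_addr = True                       # sticky or a static entry
    findings: List[str] = []
    if maximum > policy_max:
        findings.append(f"maximum {maximum} exceeds policy of {policy_max}")
    if not has_addr:
        findings.append("no sticky or static MACs: learned addresses are lost on reload")
    if violation == "shutdown" and "errdisable recovery cause psecure-violation" not in global_lines:
        findings.append("shutdown mode without errdisable recovery: "
                        "a violation needs manual shut/no shut")
    return findings


def audit_config(config: str = RUNNING_CONFIG) -> Dict[str, List[str]]:
    """Audit every interface stanza; returns {interface: [findings]}."""
    global_lines, interfaces = split_config(config)
    return {name: audit_interface(lines, global_lines)
            for name, lines in interfaces.items()}
```

Gi0/1 follows the walk-through and produces no findings; Gi0/5 shows the three production mistakes from the text; Gi0/6 is an access port with no port security at all. Adding `errdisable recovery cause psecure-violation` to the global section clears the recovery finding for every shutdown-mode port at once.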

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests port security under objective 2.7 (Layer 2 security features). You must know the default values: maximum MAC addresses = 1, violation mode = shutdown, aging disabled. You need to be able to interpret show port-security interface output, especially the 'SecurityViolation Count' and 'Port Status' fields. Common wrong answers on the exam:

1. Confusing sticky with static: Candidates think sticky MAC addresses are saved to the startup config automatically. They are saved to the running config; you must `write memory` (copy running-config to startup-config) to keep them after a reload.

2. Thinking protect mode sends a log: Protect mode silently drops frames; no syslog or SNMP trap. Restrict and shutdown do log.

3. Assuming port security works on trunk ports by default: Port security works on trunk ports but requires careful configuration; many candidates think it's only for access ports.

4. Forgetting that shutdown mode puts the port in errdisable state: The port is not just administratively down; it's in errdisable and requires manual recovery or errdisable recovery.

Specific values to memorize:

Default maximum: 1

Default violation: shutdown

Default aging: 0 (disabled)

Sticky learning: disabled by default

errdisable recovery cause: psecure-violation

For scenario questions, use this elimination strategy:

If a port goes down after a violation, the mode is shutdown.

If a port stays up but logs violations, the mode is restrict.

If a port stays up and no logs, the mode is protect.

If MAC addresses are learned and appear in running config, sticky is enabled.

If you see 'Secure-down' in show port-security, the port is in errdisable due to violation.

Key Takeaways

Default maximum MAC addresses is 1, default violation mode is shutdown.

Sticky MAC addresses are saved to running config, not automatically to startup config.

Protect mode drops frames silently; restrict mode logs; shutdown disables the port.

A port in errdisable due to port security can be recovered with errdisable recovery cause psecure-violation.

Use show port-security interface to see violation count and port status.

Port security is configured per interface and is VLAN-aware.

Aging can be absolute or inactivity; default is disabled.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

| Port Security | 802.1X |
|---|---|
| Limits MAC addresses per port | Authenticates users/devices via RADIUS |
| Simple to configure | Complex to configure with EAP |
| No authentication required | Requires authentication server |
| Works at Layer 2 | Works at Layer 2 with EAPoL |
| Violation modes: protect, restrict, shutdown | Can dynamically assign VLAN |

Watch Out for These

Mistake

Port security can be configured on any switch port without any prerequisites.

Correct

Port security requires the port to be a switchport (access or trunk). It cannot be configured on routed ports or ports in dynamic mode.

Candidates think it works on any port because they haven't encountered the switchport requirement.

Mistake

Sticky MAC addresses are automatically saved to the startup configuration.

Correct

Sticky MAC addresses are stored in the running configuration. To preserve them after a reload, you must copy running-config to startup-config.

The word 'sticky' implies permanence, but it only means they are converted to static entries in running config.

Mistake

The protect violation mode sends a syslog message when a violation occurs.

Correct

Protect mode silently drops frames from unknown MAC addresses. No syslog or SNMP trap is generated. Only restrict and shutdown modes log violations.

Candidates assume all violation modes log, but protect is designed for silent operation.

Mistake

Port security can only be used on access ports.

Correct

Port security can be configured on trunk ports as well, though it is more complex and less common. The switchport must be in trunk mode, and you can configure per-VLAN MAC limits.

Most examples in study materials use access ports, leading to the misconception that trunk ports are not supported.


Frequently Asked Questions

Can I configure port security on a trunk port?

Yes, port security can be configured on trunk ports. However, it is more complex because you can set per-VLAN maximum MAC addresses. The command `switchport port-security maximum <number> vlan <vlan-list>` allows you to specify limits per VLAN. In practice, port security on trunks is rare because trunks typically connect switches, not end devices. The exam focuses on access port configuration.

What is the difference between sticky and static secure MAC addresses?

Static secure MAC addresses are manually configured with `switchport port-security mac-address <mac>` and are always present in the running config. Sticky MAC addresses are dynamically learned and then converted to static entries in the running config. Both are saved to running config, but sticky is easier to deploy because you don't need to know the MAC in advance. After a reload, both types are lost if not saved to startup config.

How do I recover a port that is in errdisable due to port security?

You can manually recover by entering interface configuration mode and issuing `shutdown` followed by `no shutdown`. Alternatively, configure errdisable recovery globally with `errdisable recovery cause psecure-violation` and optionally set the interval. The port will automatically come back up after the interval (default 300 seconds). You can also use `errdisable recovery interval <seconds>` to change the timer.

What is the default number of MAC addresses allowed on a secure port?

The default is 1. If you do not change the maximum, only one MAC address is allowed. If a second MAC appears, a violation occurs (default shutdown). You can increase the maximum using `switchport port-security maximum <number>`.

Does port security work on EtherChannel interfaces?

Port security is supported on EtherChannel interfaces (port-channel interfaces), but not on individual member ports. You configure port security on the port-channel interface, and it applies to the entire bundle. However, only static MAC addresses can be configured; sticky learning is not supported on EtherChannel. Also, the maximum MAC addresses should be set appropriately for the aggregate.

Can port security be used with dynamic VLAN assignment (VMPS)?

Port security and VMPS (VLAN Membership Policy Server) are independent features. You can configure port security on a port that uses VMPS, but the secure MAC addresses are associated with the VLAN assigned by VMPS. If the VLAN changes, the secure MAC addresses may need to be re-learned. This is not a common combination.

How does port security interact with MAC address flooding attacks?

Port security helps mitigate MAC flooding attacks by limiting the number of MAC addresses per port. In a MAC flooding attack, an attacker sends frames with many different source MAC addresses to overflow the switch's CAM table. With port security, only a limited number of MACs are allowed per port, so the attacker cannot flood the table from that port. However, port security does not prevent the attacker from sending traffic; it only restricts the number of MACs.
