CCNA 200-301, Chapter 35 of 260, Objective 2.7

Port Security

Port Security is a critical Layer 2 security feature that prevents unauthorized devices from connecting to your network by limiting which MAC addresses can send traffic through a switch port. For the CCNA 200-301 exam (objective 2.7), you must understand how to configure, verify, and troubleshoot port security, including the three violation modes and the aging and sticky learning options. In real networks, port security is often the first line of defense against rogue devices, and mastering it is essential for any network engineer.

25 min read
Intermediate
Updated May 31, 2026

The Apartment Building Key System

Imagine you manage an apartment building. Each unit (a switch port) is allowed a fixed number of residents (the maximum MAC addresses), and each resident carries a unique key (their MAC address). A guard at the front door (the switch) checks the key on every entry. If someone arrives with a key that is not on the unit's list, or the unit already has its full count of residents, the guard can: (1) quietly turn them away without writing anything down (Protect mode), (2) turn them away and log the incident and page you (Restrict mode), or (3) lock that unit's door entirely and raise an alarm (Shutdown mode). In Shutdown mode the door stays locked until you unlock it yourself, or until a timer you configured releases it (errdisable recovery). You can also tell the guard to learn keys on the spot (sticky learning): the first residents to show up have their keys written onto the list, and from then on only those keys work. The analogy holds up well: the port has a limit on secure MAC addresses, a violation action, and an optional sticky list. Where it breaks down is that a key (a MAC address) can be copied by anyone who sees it, which is why port security stops mistakes and casual misuse rather than a deliberate attacker.

How It Actually Works

What Is Port Security and Why Does It Exist?

Port Security is a Cisco IOS feature that restricts which MAC addresses can send frames through a switch port. It is used to keep unauthorized devices (a rogue laptop, an unmanaged hub, a second PC daisy-chained off a phone) from using an access port. The feature works by limiting the number of MAC addresses allowed on a port and optionally specifying which MAC addresses are permitted. If a violation occurs, the switch takes one of three actions: Protect, Restrict, or Shutdown. Because a source MAC address is trivially spoofed, treat port security as a hygiene control against accidental and casual connections, not as authentication; 802.1X is the control that actually verifies who is on the port.

How Port Security Works Step by Step

When port security is enabled on a switch port, the switch inspects the source MAC address of every incoming frame and maintains a list of secure MAC addresses for that port. By default the port learns MAC addresses dynamically (like normal MAC learning) but only up to the configured maximum. Once the maximum is reached, any frame with a new source MAC address triggers a violation. A violation also occurs when a MAC address that is secured on one port appears as the source address on a different secure port in the same VLAN.

The violation action determines what happens:
- Protect: the switch drops frames from unknown source MACs and sends no notification. The port stays up and the violation counter does not increment, so nothing in the logs tells you it happened.
- Restrict: the switch drops frames from unknown source MACs, increments the violation counter, and sends a syslog message and an SNMP trap. The port stays up and the already-secured MACs keep working.
- Shutdown: the switch immediately puts the port into the error-disabled state. The port LED turns off and the port stops forwarding all traffic, including traffic from the secured MACs. The violation counter increments and a syslog message and SNMP trap are sent. The port comes back only when you issue shutdown followed by no shutdown on it, or automatically if errdisable recovery is configured for the psecure-violation cause.

Key States, Timers, and Defaults

- Maximum MAC addresses: default 1. The upper bound is platform dependent (older Catalyst platforms accept 1 to 132; newer ones accept far more), and the count includes static, sticky, and dynamic secure addresses.
- Violation mode: default shutdown.
- Sticky learning: disabled by default. When enabled, dynamically learned MAC addresses are converted to sticky secure MAC addresses and written into the running configuration (not the startup configuration).
- Aging: secure MAC addresses can be aged out. Two aging types:
  - Absolute: the address is removed when the aging time expires, regardless of traffic.
  - Inactivity: the address is removed if no traffic is seen from it for the aging time.
- Aging time: default 0 minutes (no aging). Range 1 to 1440 minutes, with 0 disabling aging. Aging applies to dynamic secure addresses; static addresses age only if static aging is enabled on the port, and Catalyst switches do not age out sticky addresses.
- Aging type: default absolute.
- Port security is disabled by default on all ports.

IOS CLI Verification Commands with Example Output

To verify port security configuration and status, use the following commands:

Switch# show port-security interface gigabitethernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:1
Security Violation Count   : 0
Switch# show port-security address
               Secure Mac Addresses Table
----------------------------------------------------------------------
Vlan    Mac Address       Type        Ports   Remaining Age (mins)
----    -----------       ----        -----   --------------------
   1    0050.7966.6800    SecureDynamic    Gi0/1    -

How Port Security Interacts with Related Protocols

STP: Port security does not interfere with Spanning Tree Protocol. However, if a port is err-disabled due to a violation, STP will see the port as down and reconverge.

VLAN: Secure MAC addresses are associated with a specific VLAN. If the port is an access port, the VLAN is the access VLAN. For trunk ports, you can configure per-VLAN MAC addresses (but this is less common).

802.1X: Port security and 802.1X both gate access per port, but 802.1X authenticates the device or user while port security only counts and matches MAC addresses, which any host can forge. Enabling both on the same port is platform dependent and rarely necessary; check the platform's configuration guide before combining them, and prefer 802.1X (or MAB) where you need to know who is on the port rather than just how many.

EtherChannel: Port security can be configured on individual ports within an EtherChannel, but it is not recommended because the load balancing may cause frames from the same source to appear on different member ports, triggering violations.

Walk-Through

Step 1: Put the port in static access mode and enable port security

There is no global enable for port security; it is configured on each interface. The interface must be a static access port (or a static trunk) before you enable it: if the port is still in the default dynamic mode, IOS rejects the command. Set the mode with `switchport mode access`, then enable the feature with `switchport port-security`. That command alone enables port security with the defaults: maximum MAC addresses = 1, violation mode = shutdown, no sticky learning, no aging.

Step 2: Configure maximum MAC addresses

Use `switchport port-security maximum <number>` to set the maximum number of secure MAC addresses allowed on the interface. The upper bound depends on the platform (older Catalyst models stop at 132; newer ones allow far more), but setting it high defeats the purpose. For a single host, use 1. For a hub or an IP phone with a PC behind it, you need 2 or more. Example: `switchport port-security maximum 2` allows two MAC addresses. Every secure address counts against the limit, so with a voice VLAN the phone and the PC each consume one.

Step 3: Set the violation mode

Use `switchport port-security violation {protect | restrict | shutdown}` to specify the action when a violation occurs. The default is shutdown. Protect mode silently drops frames from unknown MACs, but the port stays up. Restrict mode drops frames and logs the violation. Shutdown mode err-disables the port. Example: `switchport port-security violation restrict`. On the exam, know the differences and when each is appropriate. Shutdown is most secure but disruptive.

Step 4: Configure sticky MAC learning (optional)

Sticky learning converts dynamically learned MAC addresses to sticky secure MAC addresses, which are written into the running configuration. Enable it with `switchport port-security mac-address sticky`. After this, any MAC address learned dynamically becomes sticky. You can also enter a specific MAC as sticky: `switchport port-security mac-address sticky <mac>`. Sticky addresses are not saved to the startup configuration until you write the config. Disabling sticky learning with the no form converts the sticky entries back to dynamic secure addresses and removes them from the running configuration. Sticky learning is useful for capturing the authorized devices on a port without typing MACs by hand, but remember that whatever is plugged in at learning time is what gets trusted.

Step 5: Configure aging (optional)

Use `switchport port-security aging time <minutes>` to set the aging time for secure MAC addresses. The default is 0 (no aging). Use `switchport port-security aging type {absolute | inactivity}` to set the aging type. Absolute removes the address after the time expires regardless of traffic. Inactivity removes it if no traffic is seen from that MAC for the aging time. Example: `switchport port-security aging time 5` and `switchport port-security aging type inactivity` removes MACs that are idle for 5 minutes.

Step 6: Verify and test the configuration

After configuration, verify with `show port-security interface <interface>` and `show port-security address`. Then test by connecting an unauthorized device. In shutdown mode the port goes err-disabled; in restrict and shutdown modes the violation count increments (protect mode neither counts nor logs, so it will look as if nothing happened). To recover an err-disabled port, either shut and no shut the interface manually or configure automatic recovery with `errdisable recovery cause psecure-violation` and `errdisable recovery interval <seconds>`. The interval defaults to 300 seconds (5 minutes) once the cause is enabled.
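As an added example (not from the original page), here is the whole procedure applied to two ports; the interface names, VLAN numbers and MAC addresses are made up for illustration. Gi0/1 connects an IP phone with a PC behind it and uses sticky learning in restrict mode; Gi0/2 is a hot-desk port that allows five dynamic addresses and ages idle ones out. The global errdisable recovery commands cover any port on the switch that is left in shutdown mode. The tail of the example shows what sticky learning writes into the running configuration and how to retire a sticky entry when a PC is replaced.

```cisco
! Added example; interface, VLAN and MAC values are constructed.
! --- Gi0/1: IP phone + PC, sticky learning, restrict mode ---
Switch# configure terminal
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit
!
! --- Gi0/2: hot-desk port, up to 5 dynamic MACs, idle entries aged out ---
Switch(config)# interface gigabitethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# exit
!
! --- Global: shutdown-mode ports recover on their own after 10 minutes ---
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
Switch(config)# end
!
! Once the phone and PC have sent frames, the sticky entries appear in the
! running configuration (line order varies by platform and IOS release):
Switch# show running-config interface gigabitethernet 0/1
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6800
 switchport port-security mac-address sticky 0050.7966.6801 vlan voice
 switchport port-security
!
! Nothing is in NVRAM yet; persist the learned entries explicitly:
Switch# copy running-config startup-config
!
! Replacing the PC later: the old sticky entry never ages out, so remove it
! before the new PC can be learned...
Switch# configure terminal
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# no switchport port-security mac-address sticky 0050.7966.6800
Switch(config-if)# end
! ...or wipe every sticky entry on the port and let it relearn:
Switch# clear port-security sticky interface gigabitethernet 0/1
```

Restrict mode on Gi0/1 means a second PC plugged into the phone is dropped and logged while the phone keeps working; the same intruder on a shutdown-mode port would take the phone down with it. Write the config after learning completes, or a reload will silently forget the sticky entries.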

What This Looks Like on the Job

In enterprise networks, port security is commonly used on access ports in office environments to prevent unauthorized devices from plugging into the network. For example, a company may deploy port security on all cubicle ports with a maximum of 1 MAC address and shutdown violation mode. This ensures that only the assigned desktop computer can connect. If an employee brings a personal laptop and tries to connect, the port goes err-disabled, and the help desk is alerted via syslog. The help desk can then investigate and manually re-enable the port if the device is authorized.

Another common scenario is in conference rooms or public areas where multiple devices may connect temporarily. Here, an engineer might set a higher maximum (e.g., 5 MACs) and use restrict mode to log violations without disrupting connectivity. This allows guests to connect but logs any attempt to exceed the limit, which can be audited later.

A more advanced deployment involves using sticky MAC addresses on ports that connect to IP phones with a PC behind the phone. In this case, the engineer configures the port with a maximum of 2 MAC addresses (one for the phone, one for the PC), enables sticky learning, and sets the violation mode to restrict. The switch automatically learns the phone and PC MACs and saves them to the config. If a different PC is plugged in, the violation is logged, but the port remains up (restrict mode). This balances security with flexibility.

Misconfigurations cause real outages. With the default maximum of 1 and the default shutdown mode on a port with an IP phone and a PC behind it, the first MAC seen is secured and the first frame from the other device err-disables the port, taking the phone down along with the PC. Sticky entries also need a lifecycle plan: Catalyst switches do not age out sticky secure addresses, so when a desktop is replaced the old MAC stays in the configuration and the new machine is treated as a violation until someone removes the stale entry. Plan the maximum, the violation mode, aging, and the process for clearing sticky entries for each port role before rolling the feature out.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests port security under objective 2.7 'Configure and verify port security'. You must know the configuration commands, the default values, and the behavior of each violation mode. Expect scenario-based questions where you must choose the correct violation mode for a given requirement, or identify the problem when a port goes err-disabled.

Common wrong answers on the exam:
1. Confusing Protect and Restrict modes: many candidates think Protect sends a log message, but it does not. Restrict does. Protect silently drops traffic. On the exam, if a question mentions 'log violation' or 'send SNMP trap', the answer must be Restrict, not Protect.
2. Believing that sticky MAC addresses are saved to NVRAM automatically: they are saved only in the running config. You must explicitly copy the running config to the startup config to make them persistent. A question might ask 'What happens after a reload?' and the wrong answer is 'Sticky MACs are still present'.
3. Thinking that the default maximum is 0 or unlimited: the default is 1. A question might state 'A port with port security enabled has a default maximum of 0'; that is false.
4. Assuming that errdisable recovery is enabled by default: it is not. You must configure it globally with errdisable recovery cause psecure-violation. Without it, the port stays err-disabled until manually recovered.

Key values to memorize:

Default maximum MAC addresses: 1

Default violation mode: shutdown

Default aging time: 0 (no aging)

Default aging type: absolute

Possible violation modes: protect, restrict, shutdown

Sticky learning is disabled by default.

Port security is disabled by default.

For scenario questions, use this decision rule: If the requirement is to block unauthorized traffic but keep the port up and log the event, choose Restrict. If the requirement is to drop silently without notification, choose Protect. If the requirement is to completely disable the port, choose Shutdown. Also, if a port is err-disabled, check if errdisable recovery is configured; if not, the port must be manually recovered.

Key Takeaways

Port security limits the number of MAC addresses on a switch port; default maximum is 1.

Three violation modes: Protect (silent drop), Restrict (drop + log), Shutdown (err-disable). Default is Shutdown.

Sticky learning converts dynamic MACs to sticky secure MACs; they are saved in running config only.

Aging can be absolute or inactivity; default aging time is 0 (no aging).

Port security must be enabled per interface with `switchport port-security`.

Errdisable recovery must be explicitly configured for port security violations.

Use `show port-security interface` and `show port-security address` to verify.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Protect Mode

Drops frames from unknown MACs silently

No syslog or SNMP trap sent

Violation counter does not increment

Port stays up

Less secure because no alert

Restrict Mode

Drops frames from unknown MACs

Sends syslog and SNMP trap

Violation counter increments

Port stays up

More secure because alert is generated

Watch Out for These

Mistake

Port security with protect mode sends a syslog message.

Correct

Protect mode silently drops frames from unknown MACs without any notification. Only restrict and shutdown modes send syslog messages.

Candidates often assume any violation generates a log, but protect mode is designed to be silent.

Mistake

Sticky MAC addresses are automatically saved to startup configuration.

Correct

Sticky MAC addresses are stored in the running configuration only. You must copy the running config to startup config (write memory) to make them persistent.

The term 'sticky' implies permanence, but it only means they are converted from dynamic to secure in the running config.

Mistake

The default maximum MAC addresses is 0, meaning no devices are allowed until configured.

Correct

The default maximum is 1. A single MAC address is allowed by default after enabling port security.

Some think the default should be restrictive, but Cisco chose 1 as a sensible default.

Mistake

Errdisable recovery is enabled by default for port security violations.

Correct

Errdisable recovery for port security is disabled by default. You must configure it globally with `errdisable recovery cause psecure-violation` and optionally set the interval.

On Catalyst switches errdisable recovery is disabled by default for every cause, not only for port security, so a violation in shutdown mode leaves the port down until someone intervenes or the psecure-violation recovery cause is enabled.


Frequently Asked Questions

What is the difference between sticky and dynamic secure MAC addresses?

Dynamic secure MAC addresses are learned from traffic and are not written to the running configuration; they are lost on reload (or when the port goes down). Sticky secure MAC addresses are also learned from traffic, but the switch converts them to secure entries and adds them to the running configuration. They are not automatically saved to the startup configuration, so after a reload only the sticky entries that were in the startup configuration come back. To make them permanent, copy the running configuration to the startup configuration.

Can port security be configured on a trunk port?

Yes, port security can be configured on a trunk port, although it is less common because trunks carry multiple VLANs and many MAC addresses. The port must be a static trunk (not dynamic). The configuration is similar, and you can bind a static secure address to a VLAN with `switchport port-security mac-address <mac> vlan <vlan>`. The maximum applies to the whole port across all VLANs unless you also set a per-VLAN limit by adding the vlan keyword to the maximum command. Be cautious: a trunk to another switch carries every MAC behind that switch, so port security there is usually impractical and can black-hole a whole closet.

What happens to port security when a port is part of an EtherChannel?

Port security can be configured on individual member ports of an EtherChannel, but it is not recommended. EtherChannel load balancing may cause frames from the same source MAC to arrive on different member ports, triggering violations. It is better to configure port security on the port-channel interface itself, but note that not all platforms support it. Always check the specific platform documentation.

How do I recover a port that is err-disabled due to port security?

You can manually recover by entering interface configuration mode and issuing `shutdown` followed by `no shutdown`. Alternatively, you can configure automatic recovery using `errdisable recovery cause psecure-violation` and optionally `errdisable recovery interval <seconds>`. Once configured, the port will automatically come up after the interval (default 300 seconds).
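What a shutdown-mode violation looks like end to end, as an added example that is not from the original page (interface, VLAN and MAC values are constructed): Gi0/3 is locked to a single statically configured MAC, an unauthorized laptop is plugged in, the port goes err-disabled, and it is brought back both manually and by the recovery timer. A restrict-mode port (Gi0/2) hit by the same laptop is shown at the end for contrast.

```cisco
! Added example; interface, VLAN and MAC values are constructed.
! Gi0/3: one statically configured MAC, default violation mode (shutdown)
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0050.7966.6a01
Switch(config-if)# end
!
! An unauthorized laptop (0050.7966.6a02) is plugged into Gi0/3. Because the
! mode is shutdown, the port is err-disabled on the first offending frame:
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6a02 on port GigabitEthernet0/3.
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
!
! Port Status is the giveaway (Secure-shutdown) and the offending MAC is
! recorded as the last source address:
Switch# show port-security interface gigabitethernet 0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6a02:10
Security Violation Count   : 1
!
! Find every err-disabled port and its cause in one command:
Switch# show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/3                        err-disabled psecure-violation
!
! Recovery option 1: manual bounce, after the rogue device has been removed
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
!
! Recovery option 2: automatic, every 600 s for this cause. The timer
! re-enables the port even if the laptop is still attached; it is simply
! err-disabled again on the next offending frame.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
Switch(config)# end
Switch# show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
psecure-violation            Enabled
(other causes omitted)
Timer interval: 600 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Gi0/3          psecure-violation         514
!
! When the timer fires:
%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi0/3
!
! Contrast: a restrict-mode port (Gi0/2) hit by the same laptop stays up,
! keeps forwarding for its secured MACs, and only logs and counts (the
! counter keeps climbing while the intruder keeps sending):
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6a02 on port GigabitEthernet0/2.
Switch# show port-security interface gigabitethernet 0/2 | include Port Status|Violation
Port Status                : Secure-up
Violation Mode             : Restrict
Security Violation Count   : 37
```

Operationally, the PSECURE_VIOLATION syslog is the line to alert on: it carries the offending MAC and the port, and it is emitted in both restrict and shutdown mode. A protect-mode port produces neither that message nor a counter increment, so a fleet of protect-mode ports gives the SOC nothing to work with.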

Does port security work with voice VLAN?

Yes. When using a voice VLAN, the switch port carries two VLANs: the access (data) VLAN and the voice VLAN. Set the maximum to at least 2, one for the phone and one for the PC. The phone's MAC is learned in the voice VLAN and the PC's MAC in the data VLAN, and both count toward the maximum. Sticky learning captures both. Check `show port-security address` after the phone boots: if the phone's MAC also shows up in the access VLAN (some phone models send untagged frames there), it is consuming two entries and the maximum has to be 3.

What is the default violation mode for port security?

The default violation mode is shutdown. When a violation occurs, the port goes into err-disabled state and stops forwarding traffic. This is the most secure default, but it requires manual or automatic recovery to restore service.

Can I have both static and dynamic secure MAC addresses on the same port?

Yes, you can configure static secure MAC addresses (using `switchport port-security mac-address <mac>`) and also allow dynamic learning up to the maximum. The total number of secure MAC addresses (static + sticky + dynamic) cannot exceed the configured maximum. Static addresses take their slots first, so if you configure as many static addresses as the maximum, no dynamic learning happens on that port.
