Port Security on a Cisco Switch

Port SecurityIn order to control what machines are plugged into your network, Cisco introduced the “switchport port-security” command.

In this tutorial I’m going to explain how to use this command, and different options available using it.

Below is the breakdown of the commands I used in the live demo, and an explanation of each.

AOIP.ORG_Switch# terminal monitor

Since I was connected to my switch via telnet, and I knew there were going to be messages from the switch, I needed to configure Terminal Monitor so I would have these messages sent to my telnet session. By default when connected to a Cisco device via telnet or ssh, no messages will be displayed to your terminal.

AOIP.ORG_Switch(config)# interface fa0/6

Enter the interface that I wish to configure the port security on

AOIP.ORG_Switch(config-if)# switchport mode access

In order for port security to be used, the port MUST be an access port, this command defines that

AOIP.ORG_Switch(config-if)# switchport port-security

This enables the port security feature, and allows me to define the commands below.

AOIP.ORG_Switch(config-if)# switchport port-security maximum 1

I have chosen to only allow 1 mac-address to be learned on this port. At any point if more than 1 mac address was to be discovered, the violation action I define will come into effect.

AOIP.ORG_Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc

I have further secured the switch port by defining what mac address is allowed to be learned on this port. If a machine is plugged into this port that does NOT have this mac-address, the violation action will take effect.

AOIP.ORG_Switch(config-if)# switchport port-security violation shutdown

I have 3 choices when defining the violation action

1. protect – The switch will drop packets until the violation has been removed

              2. restrict – This is the same as protect, however it also causes the Security/Violation counter to increment

              3. shutdown – This will put the interface into a error-disabled state and send an SNMP trap notification

I have chosen the more harsh of the options, and the port will be shut if any of my conditions (more than 1 mac address is learned on the port, and if that one mac address is not aaaa.bbbb.cccc)

AOIP.ORG_Switch(config-if)# exit

Exit interface mode

AOIP.ORG_Switch(config)# exit

Exit global configuration mode

AOIP.ORG_Switch# show port-security interface f 0/6

The first time I run this command in the live demo below, there are no violations recorded. Shortly afterwards, I plugged a device into port f0/6 that DID NOT have the mac address aaaa.bbbb.cccc which caused a violation. You will notice I received error messages on screen (thanks to terminal monitor), and when I run the show port-security command again, you will notice the violation count has incremented.



Additional commands I could have used are.

AOIP.ORG_Switch(config-if)# switchport port-security aging time 5

If you have configured the switch to allow 5 mac addresses to be learned dynamically, those addresses will be kept in the database until the aging time has expired. This command will set the aging time to 5 minutes, which overrides my switches default value of 20 minutes.

AOIP.ORG_Switch(config-if)# no switchport port-security aging

This will DISABLE the aging time.


In order to activate a port that has been put into ‘error-disabled’ state. Shut the port, and no shut it afterwards. If the violation has not been removed, the port will revert back to error-disabled.

Below is the live demo.


Leave a Reply

Your email address will not be published. Required fields are marked *