How to Configure Cisco Port Security on Cisco Catalyst Switches

In this article I am going to be talk about how to configure port security on a Cisco Catalyst switch. Port security feature is one of the first things you can use to secure your network from unauthorized access. This feature limits and identifies MAC addresses of the workstations that can access the port. When secure MAC addresses are assigned to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

There are three different settings you can configure with port security:

  • Protect which discards the traffic but keeps the port up and does not send a SNMP message.
  • Restrict which discards the traffic and sends a SNMP message but keeps the port up
  • Shutdown which discards the traffic sends a SNMP message and disables the port. (This is the default behavior is no setting is specified).

Configure SwitchPort port security on Cisco Switch

To enable port security on an interface, issue the switchport port-security command per particular interface from interface configuration mode on a Cisco Switch. Switch port Port Security configuration is relatively easy. Find the below configuration example:

1.To enable port security

Cisco-Switch# config t

Cisco-Switch(config)# int fa0/11

Cisco-Switch(config-if)# switchport port-security ?

aging    Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode

Cisco-Switch(config-if)# switchport port-security

Cisco-Switch(config-if)#switchport port-security ###to enable port security###

2.To configure the port to learn only one MAC address, set the maximum to 1

Cisco-Switch(config-if)#switchport port-security maximum 1

3.To add the MAC address to the running configuration.

Cisco-Switch(config-if)#switchport port-security mac-address sticky


Cisco-Switch(config-if)#switchport port-security mac-address 0060.5c4b.cd22

We can add MAC address statically or it will add automatically with sticky command.

4.To automatically shut down if port security is violated.

Cisco-Switch(config-if)#switchport port-security violation shutdown

5.Use the show-mac-address- table command to confirm that Switch has learned the MAC address for the intended devices, in this case PC1.

Cisco-Switch#show mac-address-table

Mac Address Table


Vlan  Mac Address Type  Ports

—- ———– ——– —– ——– ——

20  0060.5c4b.cd22 STATIC Fa0/11

View the status of Switch port security on Cisco Switch

Once you’ve configured port security on interface and switch will record the MAC address of the Ethernet device, which is sent the traffic on that port and secure the port using that address. You can use the show port-security interface fa0/11 command to also verify a security violation with the command.

Cisco-Switch#show port-security interface fa0/11

Port Security : Enabled

Port Status : Secure-shutdown

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address:Vlan : 00E0.F7B0.086E:20

Security Violation Count : 1

Disabling Switch Port Security in Cisco Switch

Find below example how to disable port security in cisco security.We have configured fa0/11 for port security now if you want to disable port security follow these steps

Cisco-Switch# config t

Cisco-Switch(config)# int fa0/11

Cisco-Switch(config-if)# no switchport port-security

Cisco-Switch(config-if)# end

How to Secure Unused Ports on Cisco Switch

Step 1: Disable interface Fa0/10 on Switch.

Enter interface configuration mode for FastEthernet 0/17 and shut down the port.

Cisco-Switch(config)#interface fa0/10


Step 2: Disable interfaces Fa0/1 to Fa0/24 on Switch

Cisco-Switch(config)#interface range fa0/1-24


Video – Configure Switch Port Security on Cisco Catalyst Switches

Filed Under: LAN Security


About the Author:

RSSComments (0)

Trackback URL

Leave a Reply

If you want a picture to show with your comment, go get a Gravatar.