![How to Lock Down Cisco Switch Ports with Port Security (2025 Guide)[CCNP ENTERPRISE]](https://networkjourney.com/wp-content/uploads/2025/06/nj-blog-post-portsec-switchport.jpg)
Today I’m breaking down a simple yet powerful security mechanism every network admin should understand — Port Security on Cisco switches. Whether you’re working on a small LAN setup or enterprise-grade infrastructure, enforcing MAC address-level access at the port can go a long way in preventing unauthorized access and network abuse.
Let’s explore this with theory, examples, labs, and real-world use cases.
Table of Contents
Theory in Brief: What is Port Security?
Port Security is a Layer 2 security feature used on Cisco switches to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
Key Capabilities:
- Allow only specific MAC addresses.
- Automatically learn and limit MACs on a port.
- Define violation actions (Shutdown, Restrict, Protect).
This is especially useful in access-layer switches to prevent rogue devices from plugging into your network.
Port Security Modes and Actions
| Mode/Command | Description |
|---|---|
switchport port-security | Enables port security on the interface |
maximum <n> | Limits the number of MAC addresses |
mac-address sticky | Learns MAC dynamically and saves in config |
Violation: shutdown | Port is disabled on violation |
Violation: restrict | Drops packet, logs violation |
Violation: protect | Drops packet silently |
Pros and Cons
| Pros | Cons |
| Enhances access port-level security | Configuration overhead in large networks |
| Prevents unauthorized device access | Can cause outage if misconfigured |
| Supports dynamic MAC learning with sticky | Limited visibility in protect mode |
Essential CLI Commands
| Task | Command |
| Enable port security | switchport port-security |
| Set max MAC addresses | switchport port-security maximum 1 |
| Use sticky MAC address | switchport port-security mac-address sticky |
| Set violation mode | switchport port-security violation shutdown |
| Show port security summary | show port-security |
| Show interface-specific security details | show port-security interface fa0/1 |
| Clear sticky MAC | clear port-security sticky interface fa0/1 |
Real-World Use Cases
| Scenario | How Port Security Helps |
| Prevent rogue laptop plugging in | Restricts access based on MAC address |
| Lock printers to a specific switch port | Ensures printer MAC always bound to same port |
| Protect sensitive VLANs | Blocks unrecognized MACs from joining VLANs |
Lab 1: Basic Port Security
Topology:
Objective:
Allow only PC1’s MAC on port Fa0/1 and shut down if another device connects.
Configuration:
interface fa0/1 switchport mode access switchport access vlan 10 switchport port-security switchport port-security maximum 1 switchport port-security mac-address sticky switchport port-security violation shutdown
Use this to test behavior when PC2 plugs into Fa0/1.
Lab 2: Port Security with Restrict Mode
Objective:
Test violation mode restrict to block unknown MACs while logging violations.
Commands:
interface fa0/2 switchport mode access switchport access vlan 20 switchport port-security switchport port-security maximum 2 switchport port-security violation restrict
Use show port-security and show port-security interface fa0/2 to verify violations.
Lab 3: Sticky MAC Retention
Scenario:
- Allow up to 2 devices using sticky MAC.
- Save learned MACs into running config.
Commands:
interface fa0/3 switchport mode access switchport access vlan 30 switchport port-security switchport port-security maximum 2 switchport port-security mac-address sticky switchport port-security violation protect
Save config using copy run start to retain sticky MACs after reboot.
Troubleshooting Tips
| Issue | Cause | Fix |
| Port goes down suddenly | Violation mode is shutdown | Use errdisable recovery or re-enable interface manually |
| MAC not learned dynamically | Sticky not configured properly | Check for mac-address sticky in config |
| New device not connecting | Max MAC limit reached | Clear old sticky entries or increase max limit |
| No logs for port security events | Violation mode is set to protect | Use restrict or shutdown mode for visibility |
FAQs: Port Security
1. What is Cisco Port Security and why is it important?
Answer: Port Security is a feature on Cisco switches that restricts input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. It enhances network security by preventing unauthorized devices from connecting to the network, thereby mitigating risks like MAC flooding or rogue device access.
2. How many MAC addresses can be allowed on a port using Port Security?
Answer: You can configure a Cisco switch port to allow up to 132 secure MAC addresses per port depending on the hardware model. These addresses can be manually configured or dynamically learned and stored in the address table.
3. What are the different violation modes in Port Security?
Answer: Cisco supports three violation modes:
- Protect: Drops packets from unknown MACs but doesn’t log the violation.
- Restrict: Drops packets and logs the violation; can trigger SNMP traps.
- Shutdown: Disables the port immediately on violation (default mode); must be manually or automatically brought back up.
4. How do I enable Port Security on a switch port?
Answer:
interface FastEthernet0/1 switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky
This configuration limits the port to 2 MACs, learns them dynamically, and shuts the port down on violations.
5. What is Sticky MAC in Port Security?
Answer: Sticky MAC dynamically learns MAC addresses and saves them in the running config. When saved to the startup config, these MACs become permanent and persistent even after a reboot. This combines the flexibility of dynamic learning with the control of static MACs.
6. How can I recover a port that has been disabled due to a security violation?
Answer: If a port is in an err-disabled state, use the following command:
interface FastEthernet0/1 shutdown no shutdown
Or configure errdisable recovery globally to automate port recovery:
errdisable recovery cause security-violation errdisable recovery interval 300
7. How do I verify if Port Security is working?
Answer: Use the following commands:
show port-security– Displays summary of all interfaces.show port-security interface fa0/1– Shows detailed info per interface.show mac address-table secure– Lists all secure MAC addresses.
8. Can I use Port Security on trunk ports?
Answer: No. Port Security is designed for access ports only. Trunk ports carry traffic for multiple VLANs and are not suitable for MAC restriction through Port Security.
9. What happens if a device tries to spoof a MAC address on a secured port?
Answer: If the spoofed MAC is not in the allowed list and exceeds the configured limit, the violation mode will take effect (drop, restrict, or shutdown). In shutdown mode, the port will go into err-disabled, effectively cutting off access.
10. Is Port Security enough to secure a switch port completely?
Answer: While Port Security adds a strong layer of defense, it should be used alongside other security features like BPDU Guard, DHCP Snooping, Dynamic ARP Inspection (DAI), and Access Control Lists (ACLs) to achieve comprehensive Layer 2 port security.
Related YouTube Video
Final Note
Understanding how to differentiate and implement How to Lock Down Cisco Switch Ports with Port Security in Modern Networks is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.
If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:
CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!
Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088
Upskill now and future-proof your networking career!
![Default Route Propagation – Your Gateway to the World [CCNP ENTERPRISE]_networkjourney](https://networkjourney.com/wp-content/uploads/2025/07/Default-Route-Propagation-–-Your-Gateway-to-the-World-CCNP-ENTERPRISE.png)
![iBGP vs eBGP Differences – A Deep Dive with Real-World Examples [ CCNP ENTERPRISE ]_networkjourney](https://networkjourney.com/wp-content/uploads/2025/06/iBGP-vs-eBGP-Differences-–-A-Deep-Dive-with-Real-World-Examples.png)
![Mastering STP Tuning: Optimizing Priority & Path Cost for Smarter Network Redundancy [CCNP ENTERPRISE]](https://networkjourney.com/wp-content/uploads/2025/06/Mastering-STP-Tuning_Optimizing-Priority_Path-Cost-for-Smarter-Network-Redundancy_networkjourney.png)