It used to be that all a user needs to do to gain access to a network is to just connect to a switch port, but as network experience growth and as confidential information traverse the network it becomes imperative to restrict what users receive and have access to.

There are various methods employed by catalyst switches to secure or control user access, users can be authenticated as they connect to or through a switch and can be authorized to perform certain actions on a switch. The physical port can also be controlled based on the users MAC address or authentication.

Port security is a feature on Cisco catalyst switches that controls access to a switch port based on client MAC address, it’s configured on a per-port basis. To enable port security on a switch use the following command

Switch(config-if)#switchport port-security

A number of allowed MAC addresses is then identified so they can be granted access. By default, only one MAC address is allowed. The maximum number of allowed MAC address can be set up to 1024.

Switch(config-if)#switchport port-security maximum max-addr

To allow a maximum of 5 MAC addresses the configuration goes thus:

Switch(config-if)#switchport port-security maximum 5

MAC addresses can either be dynamically learned or statically configured. They are dynamically learned when a host connects to a switch and transmit frames on an interface. This is the default behavior of all switches. These addresses are stored in the Content Address Memory (CAM) table and also in running configuration.

When a switch reboots dynamically learned addresses are deleted from the CAM table and port security will have to relearn new set of addresses. If for example a port is configured to allow only 2 MAC addresses and then the switch reboots for some reasons, port security will have to relearn another set of addresses because it no longer have the record of the addresses it learnt before the reboot.

To make dynamically learned addresses survive a switch reboot the “sticky” address learning is enabled. This ensures that MAC addresses are retained in the CAM table after a switch reboot.

Switch(config-if)#switchport port-security mac-address sticky

Statically learned addresses are those manually configured on an interface to be allowed access to the network through the port. To statically define a MAC address the following configuration command is used.

Switch(config-if)#switchport port-security mac-address mac-address

For example, to statically map a device with address 0002.168D.138A to interface f0/3, use the following command.

intfo3 edited

If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are learned dynamically.

Violations do and will occur. A violation occurs if more than the maximum number of MAC addresses are learned or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected:

  1. Shutdown: The port immediately is put into the errdisable state, which effectively shuts it down. It must be reenabled manually or through errdisable recovery to be used again.
  1. Restrict: The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.
  1. Protect: The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

The configuration command to tell a switch interface how to react to violation is

Switch(config-if)# switchport port-security violation {shutdown | restrict |


To configure a port to shutdown when the maximum number of address is exceeded, use the following command

Switch(config-if)#switchport port-security violation shutdown


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s