Introduction
Port security is one of the most effective Layer 2 controls you can apply on a Cisco Catalyst switch. It limits which MAC addresses are permitted to send frames through a switch port, and it defines exactly what the switch should do when an unauthorised device connects. Combined with storm control — which caps broadcast, multicast, and unknown-unicast traffic rates — port security forms a critical part of the access-layer hardening strategy at InfraRunBook.
This run book covers the complete lifecycle: from initial feature enablement on individual ports, through violation mode selection, sticky MAC learning, static bindings, recovery from a shutdown event, and storm control thresholds. Every command shown here has been validated on Cisco Catalyst 2960-X, 3750-X, 3850, and 9300 series running IOS 15.x and IOS-XE 16.x/17.x.
Prerequisites
- Switch running Cisco IOS 12.2(25)SE or later, or IOS-XE 3.2.0E or later.
- Ports must be configured as access ports (or explicitly as voice ports) before port security can be enabled. Port security is not supported on trunk ports, routed ports, or EtherChannel member links.
- Enable mode access (infrarunbook-admin, privilege level 15).
How Port Security Works
When port security is enabled on an interface, the switch builds a table of secure MAC addresses for that port. Any frame arriving from a MAC address not in that table is treated as a violation. The switch can learn secure MACs in three ways:
- Dynamic learning — the switch learns the first N source MAC addresses it sees. These are held in RAM and lost on reload.
- Sticky learning — dynamically learned MACs are automatically written to the running-config (and can be saved to startup-config). They survive interface flaps but are lost on reload unless explicitly saved.
- Static/manual — you explicitly bind a MAC address to the port in configuration. These survive reload.
The maximum number of secure MACs per port defaults to 1. Adjust this based on your environment — for example, a VoIP phone + PC combination may need a maximum of 2.
Enabling Port Security — Basic Configuration
The minimal port security configuration on an access port (sw-infrarunbook-01, interface GigabitEthernet0/1, VLAN infrarunbook-prod / VLAN 10):
sw-infrarunbook-01# configure terminal
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# description PC-port-infrarunbook-prod
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
! Enable port security
sw-infrarunbook-01(config-if)# switchport port-security
! Allow only one MAC address (default — explicit here for clarity)
sw-infrarunbook-01(config-if)# switchport port-security maximum 1
! Violation mode: shutdown (default)
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if)# end
sw-infrarunbook-01# write memory
With this configuration, the switch allows exactly one source MAC through Gi0/1. The first MAC seen is learned dynamically. If a second device connects (or an attacker spoofs a different MAC), the port is immediately placed into err-disabled state.
Violation Modes in Detail
Cisco IOS/IOS-XE supports three violation actions. Choose the one that matches your operational risk tolerance:
1. Shutdown (default — recommended for most access ports)
The port is placed into err-disabled state. Traffic stops completely. A syslog message and SNMP trap are generated. The violation counter increments.
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
2. Restrict
The violating frame is dropped. Traffic from known secure MACs continues. A syslog message is generated and the violation counter increments. The port stays up. Use this when you cannot afford an outage but still want visibility.
sw-infrarunbook-01(config-if)# switchport port-security violation restrict
3. Protect
The violating frame is silently dropped. No syslog, no SNMP trap, no counter increment. Traffic from secure MACs continues. Use this only when you specifically want to suppress alerts — for example, on a noisy lab segment. Not recommended for production without additional monitoring.
sw-infrarunbook-01(config-if)# switchport port-security violation protect
Production recommendation: Use shutdown on all user-facing access ports in infrarunbook-prod and infrarunbook-mgmt VLANs. Use restrict on shared-equipment ports (printers, APs) where brief downtime would cause significant disruption.
Sticky MAC Learning
Sticky learning combines the convenience of dynamic learning with the persistence of static configuration. As users connect, the switch automatically writes their MAC addresses to the running-config. Save with write memory and they survive reloads.
sw-infrarunbook-01(config)# interface GigabitEthernet0/2
sw-infrarunbook-01(config-if)# description Workstation-sticky-example
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# switchport port-security
sw-infrarunbook-01(config-if)# switchport port-security maximum 1
sw-infrarunbook-01(config-if)# switchport port-security mac-address sticky
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if)# end
! After the legitimate device connects, save to survive reload:
sw-infrarunbook-01# write memory
After the device sends its first frame, show running-config interface GigabitEthernet0/2 will show a line similar to:
switchport port-security mac-address sticky 001a.2b3c.4d5e
This MAC is now locked to the port. Any other device triggers a violation.
Static MAC Address Binding
For servers, IP phones, or any device with a known, fixed MAC address, use a static binding. This is the most secure method — no learning phase during which an attacker could get their MAC learned first.
sw-infrarunbook-01(config)# interface GigabitEthernet0/3
sw-infrarunbook-01(config-if)# description Server-PROD-web01-infrarunbook
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# switchport port-security
sw-infrarunbook-01(config-if)# switchport port-security maximum 1
! Bind the server's MAC address explicitly
sw-infrarunbook-01(config-if)# switchport port-security mac-address aabb.cc11.2233
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if)# end
sw-infrarunbook-01# write memory
Port Security with VoIP Ports (IP Phone + PC)
A Cisco IP phone introduces two MACs on a single port: the phone itself and the downstream PC. Set maximum 2, allowing one MAC on the voice VLAN and one on the data VLAN:
sw-infrarunbook-01(config)# interface GigabitEthernet0/10
sw-infrarunbook-01(config-if)# description VoIP-phone-and-PC-infrarunbook
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# switchport voice vlan 20
! Allow phone MAC + PC MAC
sw-infrarunbook-01(config-if)# switchport port-security maximum 2
! Optionally: allow only 1 MAC on the voice VLAN
sw-infrarunbook-01(config-if)# switchport port-security maximum 1 vlan voice
! Allow only 1 MAC on the data VLAN
sw-infrarunbook-01(config-if)# switchport port-security maximum 1 vlan access
sw-infrarunbook-01(config-if)# switchport port-security
sw-infrarunbook-01(config-if)# switchport port-security mac-address sticky
sw-infrarunbook-01(config-if)# switchport port-security violation restrict
sw-infrarunbook-01(config-if)# end
sw-infrarunbook-01# write memory
Applying Port Security to a Range of Interfaces
In a production deployment you typically harden a full access block at once. Use interface range:
sw-infrarunbook-01(config)# interface range GigabitEthernet0/1 - 24
sw-infrarunbook-01(config-if-range)# switchport mode access
sw-infrarunbook-01(config-if-range)# switchport access vlan 10
sw-infrarunbook-01(config-if-range)# switchport port-security
sw-infrarunbook-01(config-if-range)# switchport port-security maximum 1
sw-infrarunbook-01(config-if-range)# switchport port-security mac-address sticky
sw-infrarunbook-01(config-if-range)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if-range)# end
sw-infrarunbook-01# write memory
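When a whole access block is hardened at once, it helps to generate the per-interface stanzas from a description of each port's role and to reject requests the switch would refuse (trunk ports) or that break the run book's rules (more static MACs than the maximum, malformed MAC notation). The script below is an added example for this run book, not a Cisco tool or a script from InfraRunBook; the PortSpec type, the interface names, VLANs and MACs in its usage section are constructed to match the examples above.

```python
"""Generate per-interface port-security stanzas for an access block.

Added example for the run book (not a Cisco or InfraRunBook tool). It encodes
the rules stated in the text: access ports only, maximum 1 (or 2 with a voice
VLAN, split 1 + 1 per VLAN), static MACs in Cisco hhhh.hhhh.hhhh notation, and
one of the three violation modes. Names, VLANs and MACs below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class PortSpec:
    name: str                      # e.g. GigabitEthernet0/1
    mode: str                      # only "access" is accepted
    access_vlan: int
    voice_vlan: Optional[int] = None
    static_macs: List[str] = field(default_factory=list)
    sticky: bool = False
    violation: str = "shutdown"
    description: str = ""


def build_port_security(spec: PortSpec) -> List[str]:
    """Return the configuration lines for one port, or raise ValueError
    when the request would be rejected by the switch or by policy."""
    if spec.mode != "access":
        raise ValueError(f"{spec.name}: port security needs an access port, got '{spec.mode}'")
    if spec.violation not in VIOLATION_MODES:
        raise ValueError(f"{spec.name}: violation mode must be one of {VIOLATION_MODES}")
    for mac in spec.static_macs:
        if not MAC_RE.match(mac):
            raise ValueError(f"{spec.name}: MAC {mac!r} must be written as hhhh.hhhh.hhhh")

    # Phone + PC ports get a budget of two secure MACs, everything else one.
    maximum = 2 if spec.voice_vlan else 1
    if len(spec.static_macs) > maximum:
        raise ValueError(f"{spec.name}: {len(spec.static_macs)} static MACs exceed maximum {maximum}")

    lines = [f"interface {spec.name}"]
    if spec.description:
        lines.append(f" description {spec.description}")
    lines.append(" switchport mode access")
    lines.append(f" switchport access vlan {spec.access_vlan}")
    if spec.voice_vlan:
        lines.append(f" switchport voice vlan {spec.voice_vlan}")
    lines.append(" switchport port-security")
    lines.append(f" switchport port-security maximum {maximum}")
    if spec.voice_vlan:
        # Per-VLAN limits stop a second data device from consuming the phone's slot.
        lines.append(" switchport port-security maximum 1 vlan voice")
        lines.append(" switchport port-security maximum 1 vlan access")
    for mac in spec.static_macs:
        lines.append(f" switchport port-security mac-address {mac}")
    if spec.sticky:
        lines.append(" switchport port-security mac-address sticky")
    lines.append(f" switchport port-security violation {spec.violation}")
    return lines


def build_access_block(specs: List[PortSpec]) -> str:
    """Concatenate stanzas for a whole block; fails fast on the first bad spec."""
    return "\n".join(line for spec in specs for line in build_port_security(spec)) + "\n"


if __name__ == "__main__":
    block = [
        PortSpec("GigabitEthernet0/1", "access", 10, sticky=True,
                 description="PC-port-infrarunbook-prod"),
        PortSpec("GigabitEthernet0/3", "access", 10, static_macs=["aabb.cc11.2233"],
                 description="Server-PROD-web01-infrarunbook"),
        PortSpec("GigabitEthernet0/10", "access", 10, voice_vlan=20, sticky=True,
                 violation="restrict", description="VoIP-phone-and-PC-infrarunbook"),
    ]
    print(build_access_block(block))
```

The generated text is meant to be pasted into configure terminal or pushed by your existing automation; it does not talk to the switch itself. Failing on the first invalid spec is deliberate, so that a typo in one MAC does not leave half a block hardened.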
Verifying Port Security
Always verify after configuration. These commands cover both per-port detail and switch-wide summaries:
Summary across all secure ports
sw-infrarunbook-01# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
      Gi0/3              1            1                  0         Shutdown
     Gi0/10              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
Per-interface detail
sw-infrarunbook-01# show port-security interface GigabitEthernet0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 001a.2b3c.4d5e:10
Security Violation Count : 0
Secure MAC address table
sw-infrarunbook-01# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  10    001a.2b3c.4d5e    SecureSticky        Gi0/1        -
  10    aabb.cc11.2233    SecureConfigured    Gi0/3        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 4096
Recovering from an Err-Disabled Port
When violation mode is shutdown, the port enters err-disabled state after a violation. You must manually re-enable it (or configure automatic recovery).
Manual recovery
sw-infrarunbook-01# show interfaces GigabitEthernet0/1 status
Port      Name                       Status        Vlan   Duplex  Speed  Type
Gi0/1     PC-port-infrarunbook-prod  err-disabled  10     auto    auto   10/100/1000BaseTX
sw-infrarunbook-01# configure terminal
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# shutdown
sw-infrarunbook-01(config-if)# no shutdown
sw-infrarunbook-01(config-if)# end
Automatic recovery (optional — use with caution)
Automatic recovery re-enables the port after a configurable timer. Use it only in well-monitored environments, because the offending device is still attached when the port comes back up:
sw-infrarunbook-01(config)# errdisable recovery cause psecure-violation
sw-infrarunbook-01(config)# errdisable recovery interval 300
The port will automatically re-enable after 300 seconds. Check recovery status with:
sw-infrarunbook-01# show errdisable recovery
Storm Control
Storm control limits the rate of broadcast, multicast, and unknown-unicast frames on an interface. A broadcast storm — whether caused by a misconfigured device, a Layer 2 loop, or a malicious host — can saturate a 1 Gbps link within seconds. Storm control is your hardware-level protection.
Configuring storm control by percentage of bandwidth
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# storm-control broadcast level 20 10
! Rising threshold: 20% — suppress when broadcast exceeds 20% of bandwidth
! Falling threshold: 10% — resume normal forwarding when it drops below 10%
sw-infrarunbook-01(config-if)# storm-control multicast level 10 5
sw-infrarunbook-01(config-if)# storm-control unknown-unicast level 10 5
! Action when threshold exceeded: shutdown port (alternatively: trap)
sw-infrarunbook-01(config-if)# storm-control action shutdown
! Or: sw-infrarunbook-01(config-if)# storm-control action trap
sw-infrarunbook-01(config-if)# end
Configuring storm control by packets-per-second (pps)
sw-infrarunbook-01(config)# interface GigabitEthernet0/2
sw-infrarunbook-01(config-if)# storm-control broadcast level pps 1000 500
! Rising: suppress above 1000 pps; Falling: resume below 500 pps
sw-infrarunbook-01(config-if)# storm-control action shutdown
sw-infrarunbook-01(config-if)# end
Verifying storm control
sw-infrarunbook-01# show storm-control GigabitEthernet0/1
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20.00%       10.00%       0.00%
Gi0/1      Forwarding     10.00%       5.00%        0.00%
Gi0/1      Forwarding     10.00%       5.00%        0.00%
MAC Address Aging
By default, dynamically learned (non-sticky) secure MAC addresses never age out. You can configure an aging time to automatically remove learned MACs after a period of inactivity, which is useful in hot-desk environments where devices change frequently:
sw-infrarunbook-01(config)# interface GigabitEthernet0/5
sw-infrarunbook-01(config-if)# switchport port-security aging time 60
! Remove dynamic secure MACs not seen for 60 minutes
sw-infrarunbook-01(config-if)# switchport port-security aging type inactivity
! 'absolute' ages out after fixed time regardless of activity
! 'inactivity' ages out only if MAC is not seen within the window
sw-infrarunbook-01(config-if)# end
Note: Sticky and static secure MACs do not age out regardless of the aging configuration unless you explicitly remove them.
Complete Reference: All Port Security Commands
! Enable port security
switchport port-security
! Set maximum secure MACs (1–8192 depending on platform)
switchport port-security maximum <count>
! Per-VLAN maximum (Catalyst 3750/3850/9300)
switchport port-security maximum <count> vlan access
switchport port-security maximum <count> vlan voice
! Violation mode
switchport port-security violation { protect | restrict | shutdown }
! Sticky learning
switchport port-security mac-address sticky
! Static binding
switchport port-security mac-address <hhhh.hhhh.hhhh> [vlan <vlan-id>]
! MAC aging
switchport port-security aging time <0-1440>
switchport port-security aging type { absolute | inactivity }
! Verification
show port-security
show port-security interface <interface>
show port-security address
show errdisable recovery
show interfaces status
Frequently Asked Questions
Q: Can I enable port security on a trunk port?
A: No. Port security is only supported on access ports and voice ports. Attempting to enable it on a trunk port will return an error: "Port security is not supported on trunk ports." If you need to restrict traffic on a trunk, use 802.1X or VLAN-based access control instead.
Q: Can I enable port security on an EtherChannel member port?
A: No. Port security is not supported on ports that are members of a port-channel (EtherChannel). Apply security at the logical port-channel level using other mechanisms such as 802.1X or DHCP snooping.
Q: What is the difference between sticky and static secure MACs?
A: Static MACs are manually configured by the administrator and are immediately persistent in the running-config. Sticky MACs are learned dynamically by the switch and written to the running-config automatically when the device connects. Both survive a reload if you save the running-config with write memory, but sticky MACs require a device to connect first before they are recorded.
Q: How many secure MAC addresses can I configure per port on a Catalyst 9300?
A: On Catalyst 9300 series, the maximum is 3,072 secure MACs per port, with a system-wide maximum of 65,535. On Catalyst 2960-X the per-port maximum is 132 and the system maximum is 8,192. Always consult the platform-specific datasheet for exact limits.
Q: Will port security prevent MAC flooding attacks?
A: Yes, effectively. MAC flooding attacks send thousands of frames with different source MACs to fill the CAM table, causing the switch to flood all traffic as unknown-unicast. With port security and maximum 1 (or a small number), the switch drops frames from MAC addresses beyond the limit and keeps the CAM table stable on that port.
Q: If a port goes err-disabled due to a port security violation, does the secure MAC table get cleared?
A: The secure MAC addresses configured as sticky or static remain in the running-config. Dynamic (non-sticky) entries are cleared when the port goes err-disabled. After manually recovering the port with shutdown / no shutdown, sticky and static entries are immediately re-applied.
Q: How do I clear all dynamically learned secure MACs on a port without disabling port security?
A: Use the privileged EXEC command clear port-security dynamic interface GigabitEthernet0/1. To clear a specific MAC: clear port-security dynamic address <mac-address>. This does not affect sticky or static entries.
Q: What syslog message is generated when a port security violation occurs?
A: For shutdown mode you will see: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address <mac> on port GigabitEthernet0/1. followed by %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state. Configure your syslog server (e.g., logging host 10.10.99.5) to capture these messages centrally.
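Once those messages reach the central syslog server, the useful detection step is to turn them into structured events: which host, which port, which offending MAC, and whether the port actually went err-disabled (in restrict or protect mode it does not). The parser below is an added example for this run book, not a Cisco or InfraRunBook tool. It matches the two message formats quoted in the answer above; the sample lines are constructed, the "<PRI>timestamp hostname" prefix is an assumed collector format, and the MAC addresses are made up.

```python
"""Parse port-security violation syslog messages into structured events.

Added example for this run book, not a Cisco or InfraRunBook tool. It matches
the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE formats quoted in
the FAQ and pairs each err-disable with the violation that caused it. The
sample lines are constructed; the "<PRI>timestamp hostname" prefix is an
assumed syslog-collector layout and the MACs are made up.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_SYSLOG = """\
<187>Mar  3 10:14:02 sw-infrarunbook-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56aa.bbcc on port GigabitEthernet0/1.
<188>Mar  3 10:14:02 sw-infrarunbook-01 %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
<189>Mar  3 10:14:05 sw-infrarunbook-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
<187>Mar  3 11:02:40 sw-infrarunbook-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port GigabitEthernet0/10.
"""

HEAD_RE = re.compile(r"^(?:<\d+>)?(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

# IOS uses the long interface name in one message and the short name in the other.
ABBREV = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


@dataclass
class ViolationEvent:
    timestamp: str
    host: str
    port: str            # normalised short form, e.g. Gi0/1
    mac: str
    err_disabled: bool = False


def short_ifname(name: str) -> str:
    """Normalise GigabitEthernet0/1 -> Gi0/1 so both message types can be matched."""
    for long_name, short in ABBREV:
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_violations(syslog_text: str) -> List[ViolationEvent]:
    """Return one event per PSECURE_VIOLATION line, flagged if a matching
    ERR_DISABLE for the same host and port follows it."""
    events: List[ViolationEvent] = []
    for line in syslog_text.splitlines():
        head = HEAD_RE.match(line)
        if not head:
            continue
        timestamp, host = head.groups()
        v = VIOLATION_RE.search(line)
        if v:
            events.append(ViolationEvent(timestamp, host, short_ifname(v.group(2)), v.group(1)))
            continue
        e = ERRDISABLE_RE.search(line)
        if e:
            # Attribute the err-disable to the latest violation seen on that port.
            port = short_ifname(e.group(1))
            for ev in reversed(events):
                if ev.host == host and ev.port == port:
                    ev.err_disabled = True
                    break
    return events


if __name__ == "__main__":
    for ev in parse_violations(SAMPLE_SYSLOG):
        state = "err-disabled" if ev.err_disabled else "port still up (restrict mode?)"
        print(f"{ev.timestamp} {ev.host} {ev.port} offending MAC {ev.mac}: {state}")
```

A violation without a following err-disable is worth a look on its own: on a port configured for restrict it is expected, but on a port that should be in shutdown mode it means the configuration has drifted.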
Q: Does storm control work alongside port security?
A: Yes. They are independent features and complement each other. Port security controls which source MACs are allowed; storm control limits the rate of broadcast/multicast/unknown-unicast traffic. Both can be active simultaneously on the same interface.
Q: What storm control thresholds should I use in production?
A: A conservative starting point for user-access ports is: broadcast 20%/10%, multicast 10%/5%, unknown-unicast 10%/5%, with action shutdown. On high-density wireless or IP storage segments, raise thresholds or switch to trap (alert only). Always monitor show storm-control after initial deployment and tune based on observed baseline traffic before enforcing shutdown.
Q: How do I check if any ports currently have violation counts greater than zero?
A: Run show port-security | include [1-9][0-9]* or simply review the SecurityViolation column in show port-security. Note that this include filter matches any line containing a non-zero digit (interface names and the MaxSecureAddr column included), so reading the column directly is the more reliable check. Any non-zero count in that column indicates a violation event has occurred on that port and should be investigated promptly.
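For a scripted version of this check, and of the switch-wide summary shown under Verifying Port Security, the following is an added example for this run book (not a Cisco or InfraRunBook tool). It parses the show port-security summary table and separates ports with a non-zero counter from ports in Protect mode, where a zero counter is not evidence of anything because Protect never increments it. The sample output is constructed and the interface names are assumed.

```python
"""Audit 'show port-security' summary output for violation evidence.

Added example for this run book (not a Cisco tool). It parses the summary
table shown in the Verifying section and answers the FAQ about finding
non-zero SecurityViolation counts without relying on a loose regex filter.
The sample output below is constructed; interface names are assumed.
"""
import re
from typing import Dict, List, NamedTuple


class SecurePort(NamedTuple):
    port: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


# One row of the summary: port, three integer counters, then the action.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$"
)

# Constructed output in the layout of 'show port-security'.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
      Gi0/5              1            1                  3         Shutdown
      Gi0/6              1            1                  0          Protect
     Gi0/10              2            2                  1         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 4096
"""


def parse_show_port_security(output: str) -> List[SecurePort]:
    """Extract one SecurePort per table row; header and footer lines are skipped."""
    rows: List[SecurePort] = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                   int(m.group(4)), m.group(5)))
    return rows


def audit(rows: List[SecurePort]) -> Dict[str, List[str]]:
    """Classify ports for the operator.

    'violated'  : counter > 0, investigate (the port may be err-disabled).
    'unobserved': Protect mode never increments the counter, so a zero there
                  is not evidence that nothing happened.
    """
    return {
        "violated": [r.port for r in rows if r.violations > 0],
        "unobserved": [r.port for r in rows if r.action == "Protect"],
    }


if __name__ == "__main__":
    result = audit(parse_show_port_security(SAMPLE_OUTPUT))
    for category, ports in result.items():
        print(f"{category}: {', '.join(ports) or 'none'}")
```

Feed it the captured output of show port-security from your collector of choice; because it keys on the numeric columns rather than on any digit in the line, the Gi0/1 row with a zero counter is not reported, unlike with the include filter above.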
