Introduction
Port security is one of the most effective Layer 2 controls you can apply on a Cisco Catalyst switch. It limits which MAC addresses are permitted to send frames through a switch port, and it defines exactly what the switch should do when an unauthorised device connects. Combined with storm control — which caps broadcast, multicast, and unknown-unicast traffic rates — port security forms a critical part of the access-layer hardening strategy at InfraRunBook.
This run book covers the complete lifecycle: from initial feature enablement on individual ports, through violation mode selection, sticky MAC learning, static bindings, recovery from a shutdown event, and storm control thresholds. Every command shown here has been validated on Cisco Catalyst 2960-X, 3750-X, 3850, and 9300 series running IOS 15.x and IOS-XE 16.x/17.x.
Prerequisites
- Switch running Cisco IOS 12.2(25)SE or later, or IOS-XE 3.2.0E or later.
- Ports must be statically configured as access ports (switchport mode access, optionally with a voice VLAN) before port security is enabled; a port still in dynamic DTP mode rejects the command. Port security is not supported on routed ports, SPAN destination ports, or EtherChannel member links. This run book covers access ports only.
- Enable mode access (infrarunbook-admin, privilege level 15).
How Port Security Works
When port security is enabled on an interface, the switch builds a table of secure MAC addresses for that port. Any frame arriving from a MAC address not in that table is treated as a violation. The switch can learn secure MACs in three ways:
- Dynamic learning — the switch learns the first N source MAC addresses it sees. These are held in RAM and lost on reload.
- Sticky learning — dynamically learned MACs are automatically written to the running-config (and can be saved to startup-config). They survive interface flaps but are lost on reload unless explicitly saved.
- Static/manual — you explicitly bind a MAC address to the port in configuration. These survive reload.
The maximum number of secure MACs per port defaults to 1. Adjust this based on your environment — for example, a VoIP phone + PC combination may need a maximum of 2.
Enabling Port Security — Basic Configuration
The minimal port security configuration on an access port (
sw-infrarunbook-01, interface GigabitEthernet0/1, VLAN
infrarunbook-prod/ VLAN 10):
sw-infrarunbook-01# configure terminal
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# description PC-port-infrarunbook-prod
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
! Enable port security
sw-infrarunbook-01(config-if)# switchport port-security
! Allow only one MAC address (default — explicit here for clarity)
sw-infrarunbook-01(config-if)# switchport port-security maximum 1
! Violation mode: shutdown (default)
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if)# end
sw-infrarunbook-01# write memory
With this configuration, the switch allows exactly one source MAC through Gi0/1. The first MAC seen is learned dynamically. If a second device connects (or an attacker spoofs a different MAC), the port is immediately placed into err-disabled state, and the legitimate device loses connectivity along with the intruder. Because the address is learned rather than pinned, whichever device sends the first frame after the port comes up (initially, or after a shutdown/no shutdown) is the one that gets trusted; where that ordering matters, use the sticky or static methods described below.
Violation Modes in Detail
Cisco IOS/IOS-XE supports three violation actions. Choose the one that matches your operational risk tolerance:
1. Shutdown (default — recommended for most access ports)
The port is placed into err-disabled state. Traffic stops completely. A syslog message and SNMP trap are generated. The violation counter increments.
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
2. Restrict
The violating frame is dropped. Traffic from known secure MACs continues. A syslog message and SNMP trap are generated and the violation counter increments for each offending frame, so a noisy host can produce a large volume of log entries (the trap rate can be capped with snmp-server enable traps port-security trap-rate). The port stays up. Use this when you cannot afford an outage but still want visibility.
sw-infrarunbook-01(config-if)# switchport port-security violation restrict
3. Protect
The violating frame is silently dropped. No syslog, no SNMP trap, no counter increment. Traffic from secure MACs continues. Use this only when you specifically want to suppress alerts — for example, on a noisy lab segment. Not recommended for production without additional monitoring.
sw-infrarunbook-01(config-if)# switchport port-security violation protect
Production recommendation: Use shutdown on all user-facing access ports in the infrarunbook-prod and infrarunbook-mgmt VLANs. Use restrict on shared-equipment ports (printers, APs) where brief downtime would cause significant disruption.
Sticky MAC Learning
Sticky learning combines the convenience of dynamic learning with the persistence of static configuration. As users connect, the switch automatically writes their MAC addresses to the running-config. Save with write memory and they survive reloads.
sw-infrarunbook-01(config)# interface GigabitEthernet0/2
sw-infrarunbook-01(config-if)# description Workstation-sticky-example
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# switchport port-security
sw-infrarunbook-01(config-if)# switchport port-security maximum 1
sw-infrarunbook-01(config-if)# switchport port-security mac-address sticky
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if)# end
! After the legitimate device connects, save to survive reload:
sw-infrarunbook-01# write memory
After the device sends its first frame, show running-config interface GigabitEthernet0/2 will show a line similar to:
switchport port-security mac-address sticky 001a.2b3c.4d5e
This MAC is now locked to the port. Any other device triggers a violation.
Static MAC Address Binding
For servers, IP phones, or any device with a known, fixed MAC address, use a static binding. This is the most robust of the three methods: there is no learning phase during which an attacker could get their MAC learned first, and the binding survives reloads without a save step. Keep in mind that port security only inspects the source MAC; an attacker who clones the server's address is not detected, so treat this as a hygiene control against accidental and opportunistic connections, not as device authentication.
sw-infrarunbook-01(config)# interface GigabitEthernet0/3
sw-infrarunbook-01(config-if)# description Server-PROD-web01-infrarunbook
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# switchport port-security
sw-infrarunbook-01(config-if)# switchport port-security maximum 1
! Bind the server's MAC address explicitly
sw-infrarunbook-01(config-if)# switchport port-security mac-address aabb.cc11.2233
sw-infrarunbook-01(config-if)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if)# end
sw-infrarunbook-01# write memory
Port Security with VoIP Ports (IP Phone + PC)
A Cisco IP phone introduces two MACs on a single port: the phone itself and the downstream PC. Set maximum 2, and allow one MAC on the voice VLAN and one on the data VLAN:
sw-infrarunbook-01(config)# interface GigabitEthernet0/10
sw-infrarunbook-01(config-if)# description VoIP-phone-and-PC-infrarunbook
sw-infrarunbook-01(config-if)# switchport mode access
sw-infrarunbook-01(config-if)# switchport access vlan 10
sw-infrarunbook-01(config-if)# switchport voice vlan 20
! Allow phone MAC + PC MAC
sw-infrarunbook-01(config-if)# switchport port-security maximum 2
! Optionally: allow only 1 MAC on the voice VLAN
sw-infrarunbook-01(config-if)# switchport port-security maximum 1 vlan voice
! Allow only 1 MAC on the data VLAN
sw-infrarunbook-01(config-if)# switchport port-security maximum 1 vlan access
sw-infrarunbook-01(config-if)# switchport port-security
sw-infrarunbook-01(config-if)# switchport port-security mac-address sticky
sw-infrarunbook-01(config-if)# switchport port-security violation restrict
sw-infrarunbook-01(config-if)# end
sw-infrarunbook-01# write memory
Applying Port Security to a Range of Interfaces
In a production deployment you typically harden a full access block at once. Use interface range, and make sure the range contains only user-facing ports: an uplink or trunk caught in it would be forced into access mode by the first command below.
sw-infrarunbook-01(config)# interface range GigabitEthernet0/1 - 24
sw-infrarunbook-01(config-if-range)# switchport mode access
sw-infrarunbook-01(config-if-range)# switchport access vlan 10
sw-infrarunbook-01(config-if-range)# switchport port-security
sw-infrarunbook-01(config-if-range)# switchport port-security maximum 1
sw-infrarunbook-01(config-if-range)# switchport port-security mac-address sticky
sw-infrarunbook-01(config-if-range)# switchport port-security violation shutdown
sw-infrarunbook-01(config-if-range)# end
sw-infrarunbook-01# write memory
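Before trusting a freshly hardened block, audit the saved configuration rather than eyeballing 24 stanzas. The following script is an added example for this run book, not code from the InfraRunBook page or from Cisco: it parses a constructed running-config excerpt (the sample interfaces are assumptions) and reports access ports that miss the baseline above: port security enabled, a violation mode that logs (not protect), a sticky or static MAC, and a broadcast storm-control level (covered later in this run book). Trunks are skipped.

```python
"""Audit access-port stanzas in a saved Catalyst running-config.

Added example for this run book, not code from the InfraRunBook page or
from Cisco. It parses the constructed running-config text below and reports
access ports that miss the baseline described above: port security enabled,
a violation mode that logs (not 'protect'), a sticky or static MAC, and a
broadcast storm-control level. The sample interfaces and the findings
wording are assumptions for illustration.
"""
import re

# Constructed sample: a compliant port, a port in 'protect' mode, a port that
# never had port security enabled, and a trunk uplink that must be skipped.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description PC-port-infrarunbook-prod
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001a.2b3c.4d5e
 switchport port-security violation shutdown
 storm-control broadcast level 1.00 0.50
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 description Uplink-to-core
 switchport mode trunk
!
"""

VIOLATION_RE = re.compile(r"^switchport port-security violation (\S+)$")
STATIC_MAC_RE = re.compile(r"^switchport port-security mac-address (?!sticky)\S+")


def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith("!"):
            current = None          # '!' closes the stanza in IOS output
        elif current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas


def audit_access_port(lines):
    """Return findings for one stanza; an empty list means compliant.
    Trunk, routed or dynamic ports return no findings: they are out of scope."""
    findings = []
    if "switchport mode access" not in lines:
        return findings
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    else:
        violation = "shutdown"      # IOS default when the keyword is absent
        for line in lines:
            m = VIOLATION_RE.match(line)
            if m:
                violation = m.group(1)
        if violation == "protect":
            findings.append("violation mode 'protect' drops silently, no log or trap")
        sticky = any(l.startswith("switchport port-security mac-address sticky") for l in lines)
        static = any(STATIC_MAC_RE.match(l) for l in lines)
        if not (sticky or static):
            findings.append("dynamic learning only: first device to talk is trusted")
    if not any(l.startswith("storm-control broadcast level") for l in lines):
        findings.append("no broadcast storm-control")
    return findings


def audit_config(config):
    """Audit every access port; returns {interface: findings} for non-compliant ports."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_access_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, issues in audit_config(SAMPLE_CONFIG).items():
        print(f"{port}: {'; '.join(issues)}")
```

Run it against a real show running-config dump by replacing SAMPLE_CONFIG with the file contents; the report is keyed by interface, so a non-empty result maps directly onto the ports that still need the commands above.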
Verifying Port Security
Always verify after configuration. These commands cover both per-port detail and switch-wide summaries:
Summary across all secure ports
sw-infrarunbook-01# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
      Gi0/3              1            1                  0         Shutdown
     Gi0/10              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 4096
A non-zero SecurityViolation count is the first thing to scan for: it persists until the port is bounced or the counter cleared, so it shows violations that restrict or protect mode would otherwise leave invisible in this summary.
Per-interface detail (here the sticky port Gi0/2 configured above)
sw-infrarunbook-01# show port-security interface GigabitEthernet0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2b3c.4d5e:10
Security Violation Count   : 0
Port Status reads Secure-shutdown once a violation has err-disabled the port, and Last Source Address:Vlan then holds the MAC that tripped it.
Secure MAC address table (output abbreviated to the sticky and static examples)
sw-infrarunbook-01# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    001a.2b3c.4d5e    SecureSticky                  Gi0/2        -
  10    aabb.cc11.2233    SecureConfigured              Gi0/3        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 4096
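The secure MAC table is only as good as the devices that were plugged in when learning happened, so compare it with what should be there. The following script is an added example for this run book, not code from the InfraRunBook page or from Cisco: it parses constructed show port-security address output (the two MACs from this run book plus assumed extra rows) and checks every entry against an assumed inventory of which MAC belongs on which port and VLAN, so a sticky entry learned from the wrong device, an unexpected dynamic entry, or a device that has not shown up yet all stand out.

```python
"""Reconcile the secure MAC table with an inventory.

Added example for this run book, not code from the InfraRunBook page or from
Cisco. It parses constructed 'show port-security address' output and checks
each entry against an assumed inventory (INVENTORY) of which MAC belongs on
which port and VLAN. The extra rows in the sample table and the inventory
itself are assumptions for illustration.
"""
import re

# Constructed sample output (the two MACs from this run book plus two more).
SAMPLE_OUTPUT = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    001a.2b3c.4d5e    SecureSticky                  Gi0/2        -
  10    aabb.cc11.2233    SecureConfigured              Gi0/3        -
  10    0000.5e00.5301    SecureDynamic                 Gi0/7        -
  20    0000.5e00.5302    SecureSticky                  Gi0/10       -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
"""

# Assumed inventory: mac -> (port, vlan). The last entry has not connected yet.
INVENTORY = {
    "001a.2b3c.4d5e": ("Gi0/2", 10),
    "aabb.cc11.2233": ("Gi0/3", 10),
    "0000.5e00.5302": ("Gi0/11", 20),
    "0000.5e00.5303": ("Gi0/8", 10),
}

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})"
    r"\s+(?P<type>Secure\w+)\s+(?P<port>\S+)"
)


def parse_secure_table(text):
    """Return one dict per address row; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"vlan": int(m.group("vlan")), "mac": m.group("mac").lower(),
                         "type": m.group("type"), "port": m.group("port")})
    return rows


def reconcile(rows, inventory):
    """Return {'unknown': [...], 'misplaced': [...], 'missing': [...]}.
    unknown: MAC not in inventory; misplaced: known MAC on the wrong port or VLAN
    (a sticky entry means it is now locked there); missing: inventory MAC not yet learned."""
    findings = {"unknown": [], "misplaced": [], "missing": []}
    seen = set()
    for r in rows:
        seen.add(r["mac"])
        expected = inventory.get(r["mac"])
        if expected is None:
            findings["unknown"].append((r["mac"], r["port"], r["type"]))
        elif expected != (r["port"], r["vlan"]):
            findings["misplaced"].append((r["mac"], r["port"], expected[0]))
    for mac, (port, _vlan) in inventory.items():
        if mac not in seen:
            findings["missing"].append((mac, port))
    return findings


if __name__ == "__main__":
    result = reconcile(parse_secure_table(SAMPLE_OUTPUT), INVENTORY)
    for kind, items in result.items():
        for item in items:
            print(kind, *item)
```

A misplaced sticky entry is the case to act on first: the switch has already written that MAC into the running-config for the wrong port, and it stays there until you remove it with no switchport port-security mac-address sticky and re-learn.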
Recovering from an Err-Disabled Port
When violation mode is shutdown, the port enters err-disabled state after a violation. You must manually re-enable it (or configure automatic recovery). Either way, find out what tripped it before bringing it back: an err-disabled port is evidence, not just an outage.
Manual recovery
Identify the offending address first: the Last Source Address field of show port-security interface, or the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE entries in show logging, both name it. Then confirm the port state and bounce the interface:
sw-infrarunbook-01# show interfaces GigabitEthernet0/1 status
Port      Name                       Status        Vlan  Duplex  Speed  Type
Gi0/1     PC-port-infrarunbook-prod  err-disabled  10    auto    auto   10/100/1000BaseTX
sw-infrarunbook-01# configure terminal
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# shutdown
sw-infrarunbook-01(config-if)# no shutdown
sw-infrarunbook-01(config-if)# end
Automatic recovery (optional — use with caution)
Automatic recovery re-enables the port after a configurable timer. The interval is global and applies to every err-disable cause you enable, not just port security. Use it only in well-monitored environments: with dynamic learning, the recovered port trusts whichever device talks first, so a patient attacker simply waits out the timer. Pair auto-recovery with sticky or static addresses, and alert on the violation syslog rather than on the err-disable itself.
sw-infrarunbook-01(config)# errdisable recovery cause psecure-violation
sw-infrarunbook-01(config)# errdisable recovery interval 300
The port will automatically re-enable after 300 seconds. Check recovery status with:
sw-infrarunbook-01# show errdisable recovery
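The following script is an added example for this run book, not code from the InfraRunBook page or from Cisco. It turns the "identify before you re-enable" step into something repeatable: it parses constructed syslog lines in the format IOS uses for a port-security violation, pulls out the offending MAC and port, and only renders the shutdown / no shutdown recovery from the manual procedure when that MAC is in an assumed per-port inventory (APPROVED); anything else stays err-disabled for investigation. The inventory, the second MAC, the sequence numbers and the timestamps are assumptions.

```python
"""Triage a port-security shutdown before re-enabling the port.

Added example for this run book, not code from the InfraRunBook page or from
Cisco. It parses constructed syslog lines in the format IOS uses for a
port-security violation, extracts the offending MAC and port, and only
renders the 'shutdown / no shutdown' recovery when that MAC is in an assumed
per-port inventory (APPROVED); anything else stays err-disabled for
investigation. Inventory, sequence numbers and timestamps are assumptions.
"""
import re

# Constructed sample log export from sw-infrarunbook-01 (two violations).
SAMPLE_SYSLOG = """\
Mar 14 09:12:01 sw-infrarunbook-01 1234: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port GigabitEthernet0/1.
Mar 14 09:12:01 sw-infrarunbook-01 1235: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar 14 09:40:27 sw-infrarunbook-01 1301: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.53aa on port GigabitEthernet0/5.
Mar 14 09:40:27 sw-infrarunbook-01 1302: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/5, putting Gi0/5 in err-disable state
"""

# Assumed inventory: MACs that are allowed on each port (for instance a
# replacement workstation that was registered before being plugged in).
APPROVED = {
    "GigabitEthernet0/1": {"001a.2b3c.4d5e"},
    "GigabitEthernet0/5": {"aabb.cc11.2233"},
}

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$"
)


def parse_violations(syslog_text):
    """Return [(port, mac), ...] for every PSECURE_VIOLATION line, in log order."""
    hits = []
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            hits.append((m.group("port"), m.group("mac").lower()))
    return hits


def triage(violations, approved):
    """Decide per port: 'recover' only if every offending MAC seen on it is
    approved for that port, otherwise 'investigate' (leave it err-disabled)."""
    decisions = {}
    for port, mac in violations:
        allowed = mac in approved.get(port, set())
        if decisions.get(port, "recover") == "recover" and allowed:
            decisions[port] = "recover"
        else:
            decisions[port] = "investigate"
    return decisions


def recovery_commands(decisions):
    """Render the manual recovery from this run book for each port marked 'recover'."""
    cmds = []
    for port in sorted(p for p, d in decisions.items() if d == "recover"):
        cmds += [f"interface {port}", " shutdown", " no shutdown"]
    return cmds


if __name__ == "__main__":
    decisions = triage(parse_violations(SAMPLE_SYSLOG), APPROVED)
    for port, decision in sorted(decisions.items()):
        print(f"{port}: {decision}")
    print("\n".join(recovery_commands(decisions)))
```

The decision is deliberately conservative: one unapproved MAC on a port marks the whole port for investigation even if an approved one was also seen, because a port that was bounced by an unknown device is exactly the case the shutdown mode exists for.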
Storm Control
Storm control limits the rate of broadcast, multicast, and unicast flooding on an interface. A broadcast storm, whether caused by a misconfigured device, a Layer 2 loop, or a malicious host, can saturate a 1 Gbps link within seconds. Storm control is enforced in the switch hardware, so it holds even when the CPU is already under load. Thresholds are set per interface as a percentage of that port's bandwidth, in bits per second (bps), or in packets per second (pps).
Configuring storm control by percentage of bandwidth
sw-infrarunbook-01(config)# interface GigabitEthernet0/1
sw-infrarunbook-01(config-if)# storm-control broadcast level 20 10
! Rising threshold: 20% — suppress when broadcast exceeds 20% of bandwidth
! Falling threshold: 10% — resume normal forwarding when it drops below 10%
! Percentages are of the port's own bandwidth: 20% of a 1 Gbps port is about
! 200 Mbps of broadcast, far more than any workstation port needs. Read the
! Current column of 'show storm-control' under normal load and tune well below
! the value shown here; pps thresholds (next section) are easier to reason about.
sw-infrarunbook-01(config-if)# storm-control multicast level 10 5
sw-infrarunbook-01(config-if)# storm-control unknown-unicast level 10 5
! On IOS 15.x Catalyst platforms (2960-X, 3750-X) the keyword is 'unicast' and
! the threshold is measured against all unicast traffic on the port, not only
! unknown unicast, so set it well above normal load. Check 'storm-control ?'.
! Action when the rising threshold is crossed. With no action configured the
! switch only drops the offending traffic type until the falling threshold.
! shutdown: err-disable the port (recover with 'errdisable recovery cause storm-control')
! trap: send an SNMP trap instead of shutting down
sw-infrarunbook-01(config-if)# storm-control action shutdown
! Or: sw-infrarunbook-01(config-if)# storm-control action trap
sw-infrarunbook-01(config-if)# end
Configuring storm control by packets-per-second (pps)
sw-infrarunbook-01(config)# interface GigabitEthernet0/2
sw-infrarunbook-01(config-if)# storm-control broadcast level pps 1000 500
! Rising: suppress above 1000 pps; Falling: resume below 500 pps
sw-infrarunbook-01(config-if)# storm-control action shutdown
sw-infrarunbook-01(config-if)# end
Verifying storm control
Without a traffic-type keyword the command reports only broadcast, so query each type you configured. Filter State reads Blocking while suppression is active; Current is the live rate and is the number to watch when tuning thresholds.
sw-infrarunbook-01# show storm-control GigabitEthernet0/1 broadcast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20.00%       10.00%       0.00%
sw-infrarunbook-01# show storm-control GigabitEthernet0/1 multicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     10.00%       5.00%        0.00%
sw-infrarunbook-01# show storm-control GigabitEthernet0/1 unicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     10.00%       5.00%        0.00%
MAC Address Aging
By default, dynamically learned (non-sticky) secure MAC addresses never age out. You can configure an aging time to automatically remove learned MACs after a period of inactivity — useful on hot-desk environments where devices change frequently:
sw-infrarunbook-01(config)# interface GigabitEthernet0/5
sw-infrarunbook-01(config-if)# switchport port-security aging time 60
! Remove dynamic secure MACs not seen for 60 minutes
sw-infrarunbook-01(config-if)# switchport port-security aging type inactivity
! 'absolute' ages out after fixed time regardless of activity
! 'inactivity' ages out only if MAC is not seen within the window
sw-infrarunbook-01(config-if)# end
Note: Sticky secure MACs never age out; IOS does not support aging of sticky addresses. Static (configured) MACs age only if you also set switchport port-security aging static; otherwise both kinds persist until you remove them from the configuration.
Complete Reference: All Port Security Commands
! Enable port security
switchport port-security
! Set maximum secure MACs (1–8192 depending on platform)
switchport port-security maximum <count>
! Per-VLAN maximum (Catalyst 3750/3850/9300)
switchport port-security maximum <count> vlan access
switchport port-security maximum <count> vlan voice
! Violation mode
switchport port-security violation { protect | restrict | shutdown }
! Sticky learning
switchport port-security mac-address sticky
! Static binding
switchport port-security mac-address <H.H.H> [vlan <vlan-id>]
! MAC aging
switchport port-security aging time <0-1440>
switchport port-security aging type { absolute | inactivity }
switchport port-security aging static
! Verification
show port-security
show port-security interface <interface-id>
show port-security address
show errdisable recovery
show interfaces status
Related Articles
- [Cisco] Cisco IOS-XE Hardening: Complete Run Book for Management Plane, Control Plane, and Service Lockdown
- [Cisco] Cisco Catalyst VLAN Configuration: Complete Run Book for Access, Trunk, and Inter-VLAN Routing
- [Cisco] Cisco High CPU on Router Troubleshooting
- [Cisco] Cisco STP RSTP and MSTP Spanning Tree Explained
