🔐 Cisco IOS Port Security Configuration Guide¶

Port Security is a Layer 2 feature that restricts input to an interface by limiting and managing the MAC addresses allowed to access the port. It helps prevent unauthorized devices from connecting to the network.

🧠 What Port Security Does¶

Limits the number of MAC addresses per port
Allows static or dynamically learned MAC addresses
Supports actions on violation: protect, restrict, or shutdown
Commonly used on access ports to secure edge devices

🛠️ Step-by-Step Configuration¶

1. Enter Global Configuration Mode¶

enable
configure terminal

2. Configure the Interface¶

interface FastEthernet0/1
switchport mode access
switchport access vlan 10

3. Enable Port Security¶

switchport port-security

4. Set Maximum MAC Addresses (default is 1)¶

switchport port-security maximum 2

5. Define Allowed MAC Addresses (optional)¶

switchport port-security mac-address 0011.2233.4455

Or allow dynamic learning:

switchport port-security mac-address sticky

6. Set Violation Action¶

switchport port-security violation shutdown

Options: - protect: drops packets from unknown MACs - restrict: drops packets and logs the violation - shutdown: puts the port in err-disabled state (default)

7. Exit and Save¶

end
write memory

🔍 Verification Commands¶

Show Port Security Status¶

show port-security interface FastEthernet0/1

Show All Port Security Info¶

show port-security

Show Sticky MAC Addresses¶

show running-config | include sticky

🧯 Recover from Violation (Err-Disabled)¶

If a port is shut down due to a violation:

interface FastEthernet0/1
shutdown
no shutdown

To prevent future lockouts, consider using restrict or protect instead of shutdown.

✅ Best Practices¶

Use sticky MACs for dynamic but persistent learning
Limit MACs to 1 per port for end-user devices
Monitor violations with restrict before enforcing shutdown
Combine with other features like DHCP snooping and dynamic ARP inspection for layered security