How to : Port Security in Cisco switches

Cisco port security is an important feature for most of my customers. Software development companies and BPOs in particular are the customer types that constantly ask for this feature to restrict the devices connecting to their network.

Cisco port security limits the devices that can connect to the wired network via switches. The feature checks the MAC address of a device that has just accessed a switch port and verifies whether that device is allowed to connect to the wired network. The wireless equivalent of this feature is MAC address authentication. The number of addresses the feature accepts is equivalent to the maximum MAC address limit of the switch.

When a violation occurs, the switch responds according to its configuration. The config gives you three options: 1. Protect, 2. Restrict and 3. Shutdown. The 2nd and 3rd options notify administrators via SNMP traps.

For those who don't want to visit every workstation and collect MAC addresses, there is an option called “sticky”. After the switch has finished learning MAC addresses, you can disable sticky and leave the MAC addresses dynamically learned. However, if you want stricter restriction, go for manual static entries. If you also want to remove the dynamically learned addresses, disable port security completely and re-enable it.

Port security also supports aging. Use the “absolute” option to retain a MAC address until the specified time limit, and the “inactivity” option to retain a MAC address until the specified time after inactivity.

Example config for dynamic learning

LAB1(config)# interface gigabitethernet 0/1
LAB1(config-if)# switchport mode access
LAB1(config-if)# switchport port-security
LAB1(config-if)# switchport port-security maximum 5
LAB1(config-if)# switchport port-security mac-address sticky

For static entries

Switch(config-if)# switchport port-security mac-address 0123.4567.89AB vlan 21

Issue the “show port-security” command to view and verify the settings for a switch or interface.

There are some limitations for port security:

  • It cannot be configured on an IEEE 802.1X port.
  • It cannot be configured on a mirrored port (SPAN).
  • It cannot be configured on an EtherChannel port.
  • On a trunk port, take care with the violation options. It is better not to configure port security on a trunk interface.
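
To check a saved running-config against the points above, here is an added example (not part of the original post) that flags access ports without port security, ports where only options were set but the bare "switchport port-security" command that enables the feature is missing, and port security on trunk or EtherChannel member ports. The function names and the sample config are constructed for illustration.

```python
# Constructed sample running-config for illustration (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport port-security
!
interface GigabitEthernet0/4
 switchport mode access
 switchport port-security maximum 2
 channel-group 1 mode active
"""

def parse_interfaces(config):
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_port_security(config):
    """Return {interface: [findings]} for ports that need attention."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        enabled = "switchport port-security" in cmds  # bare command turns it on
        has_opts = any(c.startswith("switchport port-security ") for c in cmds)
        issues = []
        if "switchport mode access" in cmds and not enabled:
            issues.append("options set but feature not enabled" if has_opts
                          else "access port without port-security")
        if enabled and "switchport mode trunk" in cmds:
            issues.append("port-security on trunk port")
        if (enabled or has_opts) and any(c.startswith("channel-group ") for c in cmds):
            issues.append("port-security on EtherChannel member")
        if issues:
            findings[name] = issues
    return findings
```

Calling audit_port_security() on the text of a saved "show running-config" returns a dictionary of interface names and findings; ports with no findings are omitted.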


Cisco Catalyst 2960 and 2960S Series Switches

Cisco Catalyst 3560 Series Switches

Cisco Catalyst 3750 Series Switches

Cisco Catalyst 4500 Series Switches

Cisco Catalyst 6500 Series Switches


One thought on “How to : Port Security in Cisco switches”

  1. Is it possible to setup Port Security (via MAC-Filtering) over the Webinterface?
    Or do you have to install “Cisco Network Assistant”?

