CCNA 6.1: Configure, verify, and troubleshoot port security


Port security can be used on an interface to identify and limit the MAC addresses of clients that are allowed to access that port.


Study Notes:

  • Port security identifies the MAC addresses of clients allowed to forward traffic through an interface
  • Port security is applied to access ports
  • Port security cannot be applied to a trunk port
  • Port security cannot be applied to the destination port for a SPAN port
  • Port security cannot be applied to an EtherChannel/Port-Channel interface
  • Port security and static MAC configuration are mutually exclusive
  • By default
    • Port security is turned off
    • The maximum number of secure MAC addresses is 1
    • When a violation occurs the port gets shutdown
    • Aging is disabled
    • Aging type is absolute
    • Static aging is disabled
    • Sticky is disabled
  • If the number of MAC addresses configured on a port is less than the maximum then the remaining MAC addresses are able to be learned dynamically
  • If a port shuts down, all dynamically learned MAC addresses are removed
  • A sticky MAC lets an interface retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online
  • To recover a port from err-disabled, you must shut and no shut it
  • Port-security violation modes:
protect Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count
restrict Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count
shutdown Shuts down the port if there is a security violation



Switch(config)# interface f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security


6.1.a Static/6.1.b Dynamic
Set the MAC addresses that are allowed to use the port.  If less than the maximum are set than the remaining are learned dynamically.

Switch(config-if)#switchport port-security mac-address <mac_address>

6.1.c Sticky
Enable sticky learning on the interface

Switch(config-if)#switchport port-security mac-address sticky

6.1.d Maximum MAC Addresses
Set the number of MAC addresses allowed to use this port

Switch(config-if)#switchport port-security maximum (1-3072)

6.1.e Violation Actions
Set the action to be taken when port-security is violated

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

6.1.f Err-disabled recovery
Once port security is violated on an interface, the interface will go to err-disabled. To return it to normal, do the following:

Switch#show interface status err-disabled
Switch#show interface f0/1
Switch#config t
Switch(config)#interface f0/1
Switch(config-if)#no shut
Switch#show interface status err-disabled

Verification commands

Switch#show port-security address
Switch#show port-security address interface f0/1
Switch#show interface status err-disabled

PacketTracer Lab: CCNA-6.1-Configure-verify-and-troubleshoot-port-security.pkt

Subscribe Now for access to the labs!

Leave a Reply
Built by TrailSix