Port Security & Sticky MAC Configuration

By default, a Cisco switch access port will learn and forward traffic from any device plugged into it — there is no restriction on how many devices can connect or which MAC addresses are allowed. In environments where physical access to switch ports cannot be fully controlled, this openness is a security risk. An employee could plug in a personal hub or switch, connecting multiple unauthorized devices to the corporate network.

Port Security addresses this by allowing you to limit the number of MAC addresses permitted on a port and define what happens when a violation occurs. Sticky MAC extends this by automatically learning the first MAC address that connects and locking it in — without requiring manual configuration of every device's MAC address. Together they provide a practical layer of access control without the complexity of 802.1X authentication.

Before starting, complete Assigning VLANs to Switch Ports and PortFast & BPDU Guard Configuration. Port security only works on access ports and must be configured in access mode.

1. Port Security — Core Concepts

Secure MAC Address Types

Port security works by building a table of secure MAC addresses for each port. There are three ways to populate this table:

Type    | How It Is Added                                                 | Survives Reload?                                                       | Use Case
Static  | Manually configured: switchport port-security mac-address [MAC] | ✅ Yes — in running-config                                              | Known, fixed devices (servers, printers)
Dynamic | Learned automatically from traffic — not saved                  | ❌ No — cleared on reload or port shutdown                              | Basic learning — rarely used alone
Sticky  | Learned automatically from traffic and saved to running-config  | ✅ Yes — if wr is run after learning (see Saving Cisco Configurations)  | ✅ Best practice — automatic learning with persistence

Violation Modes — What Happens When a Violation Occurs

A violation occurs when a frame arrives from a MAC address that is not in the secure MAC table AND the maximum MAC count has already been reached. The switch responds based on the configured violation mode:

Mode     | Drops Violating Frames? | Sends Syslog? | Increments Violation Counter? | Shuts Port Down?
shutdown | ✅ Yes                  | ✅ Yes        | ✅ Yes                        | ✅ Yes — err-disabled immediately
restrict | ✅ Yes                  | ✅ Yes        | ✅ Yes                        | ❌ No — port stays up
protect  | ✅ Yes                  | ❌ No         | ❌ No                         | ❌ No — port stays up, silent drop

Which mode to use?
  • shutdown — most secure, default mode. Use when unauthorized devices must be actively blocked and administrators notified. Requires manual recovery.
  • restrict — port stays up for legitimate devices while blocking and logging violations. Good when some authorized devices share the port.
  • protect — silently drops violations with no logging. Least visible — not recommended for production security monitoring.

2. Lab Scenario

NetsTuts_SW1 has the following port security requirements. See VLAN Creation and Management for creating the VLANs referenced below, and Assigning VLANs to Switch Ports for setting access mode on each port:

Port  | VLAN | Max MACs | Learning | Violation Mode | Purpose
Fa0/1 | 10   | 1        | Sticky   | shutdown       | Single workstation — lock to first device connected
Fa0/2 | 20   | 2        | Sticky   | restrict       | Hot-desk — up to 2 devices, log violations but stay up
Fa0/3 | 30   | 1        | Static   | shutdown       | Server — specific MAC hardcoded, strict enforcement
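To make the violation-mode table from section 1 concrete for these three lab ports, here is an added Python model of a port-security port (written for this page; it is not Cisco code and not from the original tutorial). It reproduces sticky and static learning, the shutdown/restrict/protect responses, the running-config lines IOS writes for sticky entries, and the clear/recover commands; the MAC addresses are constructed lab values.

```python
"""Model of Cisco port security: sticky/static learning and the three violation
modes. Constructed example; MACs are made-up lab values, not real devices."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                      # IOS default maximum is 1
    violation: str = "shutdown"           # IOS default violation mode
    sticky: bool = False
    secure: Dict[str, str] = field(default_factory=dict)   # mac -> entry type
    violations: int = 0
    status: str = "Secure-up"
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <MAC> (SecureConfigured entry)."""
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac: str) -> bool:
        """A frame from src_mac arrives on the port. Returns True if forwarded."""
        if self.status == "Secure-shutdown":
            return False                  # err-disabled: link is down
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            # Free slot: learn it. Sticky goes to running-config; dynamic is lost on reload.
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return True
        # Secure table is full and the MAC is unknown: violation.
        if self.violation in ("shutdown", "restrict"):
            self.violations += 1
            self.syslog.append(
                "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected "
                               f"on {self.name}, putting {self.name} in err-disable state")
        # protect: frame dropped, nothing logged, counter unchanged
        return False

    def recover(self) -> None:
        """shutdown / no shutdown on the interface (device must be unplugged first)."""
        self.status = "Secure-up"

    def clear_sticky(self) -> None:
        """clear port-security sticky interface <int>: static entries are kept."""
        self.secure = {m: t for m, t in self.secure.items() if t != "SecureSticky"}

    def running_config(self) -> List[str]:
        """Secure-address lines IOS would show in show running-config interface."""
        lines = []
        for mac, kind in self.secure.items():
            if kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            elif kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
        return lines


def lab_ports() -> Dict[str, SecurePort]:
    """The three NetsTuts_SW1 ports from the lab scenario table."""
    fa1 = SecurePort("Fa0/1", maximum=1, violation="shutdown", sticky=True)
    fa2 = SecurePort("Fa0/2", maximum=2, violation="restrict", sticky=True)
    fa3 = SecurePort("Fa0/3", maximum=1, violation="shutdown")
    fa3.add_static("0050.7966.0099")
    return {"Fa0/1": fa1, "Fa0/2": fa2, "Fa0/3": fa3}
```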

3. Step 1 — Sticky MAC with Shutdown Violation (Fa0/1)

This is the most common port security configuration in production. The port learns the first MAC address automatically, locks it in, and shuts down if any other device attempts to connect.

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#description Workstation-VLAN10
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#switchport port-security
NetsTuts_SW1(config-if)#switchport port-security maximum 1
NetsTuts_SW1(config-if)#switchport port-security mac-address sticky
NetsTuts_SW1(config-if)#switchport port-security violation shutdown
NetsTuts_SW1(config-if)#exit
  
Port security is now enabled with sticky learning and the shutdown violation mode on Fa0/1. When PC1 sends its first frame, its MAC is automatically added to the running-config and the port is locked to that device. The port must already be in access mode — set with switchport mode access before enabling port security.

Command Breakdown

Command | What It Does | Notes
switchport port-security | Enables port security on the interface | Must be the first port-security command. Port must be in access mode.
switchport port-security maximum 1 | Limits the port to 1 secure MAC address | Default maximum is 1. Range: 1–3072 depending on platform.
switchport port-security mac-address sticky | Enables sticky learning — first MAC learned is written to running-config | Once learned, the sticky MAC appears as a static entry in running-config. See show mac address-table.
switchport port-security violation shutdown | Places port in err-disabled state on violation | Default violation mode — most secure response

What the Running-Config Shows After Sticky Learning

NetsTuts_SW1#show running-config interface FastEthernet0/1
!
interface FastEthernet0/1
 description Workstation-VLAN10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.0001
!
  
IOS automatically adds switchport port-security mac-address sticky 0050.7966.0001 to the running-config after the first frame is received. Run wr to save this to startup-config so it persists after reload. See Saving and Managing Cisco Configurations.

4. Step 2 — Sticky MAC with Restrict Violation (Fa0/2)

Restrict mode allows the port to stay up for authorized devices while dropping and logging frames from unauthorized ones — without shutting the port down. This is useful when you cannot afford the disruption of a port shutdown.

NetsTuts_SW1(config)#interface FastEthernet0/2
NetsTuts_SW1(config-if)#description HotDesk-VLAN20
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 20
NetsTuts_SW1(config-if)#switchport port-security
NetsTuts_SW1(config-if)#switchport port-security maximum 2
NetsTuts_SW1(config-if)#switchport port-security mac-address sticky
NetsTuts_SW1(config-if)#switchport port-security violation restrict
NetsTuts_SW1(config-if)#exit
  
Fa0/2 permits up to 2 sticky MAC addresses. A third device connecting will have its frames dropped and a syslog message generated — but the port stays up for the two authorized devices. Configure your syslog server to alert on %PORT_SECURITY-2-PSECURE_VIOLATION messages.

5. Step 3 — Static MAC with Shutdown Violation (Fa0/3)

For devices with fixed, known MAC addresses (servers, printers, IP cameras), configuring the MAC address statically provides the strongest security — only that exact device is ever permitted on the port.

NetsTuts_SW1(config)#interface FastEthernet0/3
NetsTuts_SW1(config-if)#description FileServer-VLAN30
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 30
NetsTuts_SW1(config-if)#switchport port-security
NetsTuts_SW1(config-if)#switchport port-security maximum 1
NetsTuts_SW1(config-if)#switchport port-security mac-address 0050.7966.0099
NetsTuts_SW1(config-if)#switchport port-security violation shutdown
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
The server's MAC address 0050.7966.0099 is hard-coded. Only frames from this exact MAC address are accepted on Fa0/3. Any other device immediately triggers a port shutdown. Verify the VLAN 30 assignment with show vlan brief.

6. What a Violation Looks Like

When an unauthorized device connects to a port with shutdown violation mode, the following sequence of syslog messages appears:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
  0050.7966.ABCD on port FastEthernet0/1.
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in
  err-disable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
  
The violating MAC address is logged in the first message — useful for identifying exactly which device triggered the violation. Check show logging to review historical violation events. Forward these to a central syslog server for security monitoring.
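As an added, defender-side example (written for this page, not Cisco code and not from the original tutorial), the following Python parses exported syslog in the format shown above: it joins wrapped continuation lines, extracts the port and violating MAC from each PSECURE_VIOLATION message, records whether the port went err-disabled (shutdown mode) or stayed up (restrict mode), and flags a port/MAC pair that keeps recurring, which usually means the device was still connected when the port was recovered. The log lines are constructed sample data with timestamps and wrapping as a collector might store them.

```python
"""Detect port-security violations in exported IOS syslog. Constructed example;
the sample lines are made up in the message format the page shows."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample export. Two messages are wrapped onto a second, indented
# line; the Fa0/1 device re-triggers the violation right after a recovery.
SAMPLE_LOG = """\
Mar  1 09:12:01 NetsTuts_SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
  0050.7966.ABCD on port FastEthernet0/1.
Mar  1 09:12:01 NetsTuts_SW1 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in
  err-disable state
Mar  1 09:12:02 NetsTuts_SW1 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Mar  1 09:15:40 NetsTuts_SW1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Mar  1 09:15:41 NetsTuts_SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.ABCD on port FastEthernet0/1.
Mar  1 09:15:41 NetsTuts_SW1 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  1 10:02:17 NetsTuts_SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.1234 on port FastEthernet0/2.
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")


def unwrap(text: str) -> List[str]:
    """Join continuation lines (leading whitespace) back onto their message."""
    out: List[str] = []
    for line in text.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out


def parse_violations(text: str) -> List[Dict[str, object]]:
    """One event per PSECURE_VIOLATION message: port, violating MAC (lower-case),
    and whether an err-disable message for the port followed immediately."""
    lines = unwrap(text)
    events: List[Dict[str, object]] = []
    for i, line in enumerate(lines):
        m = VIOLATION_RE.search(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        events.append({"port": m.group(2),
                       "mac": m.group(1).lower(),
                       "err_disabled": ERRDISABLE_RE.search(nxt) is not None})
    return events


def repeat_offenders(events: List[Dict[str, object]], threshold: int = 2) -> List[Tuple[str, str]]:
    """(port, mac) pairs seen at least `threshold` times: the device was likely
    left plugged in and re-triggered the violation after the port was recovered."""
    counts = Counter((str(e["port"]), str(e["mac"])) for e in events)
    return sorted(k for k, n in counts.items() if n >= threshold)
```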

Recovering an err-disabled Port After a Violation

! ── 1. Disconnect the unauthorized device ────────────────
! ── 2. Manually recover the port ─────────────────────────
NetsTuts_SW1#conf t
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#shutdown
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
  
Always remove the unauthorized device before recovering the port. If the device is still connected, the violation triggers again immediately and the port returns to err-disabled state. Confirm the port is back up with show interfaces FastEthernet0/1 status.

Clearing Sticky MAC Addresses

If you need to re-learn a new device (for example, replacing a workstation), clear the sticky MACs before connecting the new device:

NetsTuts_SW1#clear port-security sticky interface FastEthernet0/1
NetsTuts_SW1#
  
This removes all sticky MAC entries for Fa0/1 from the running-config. The port will now learn the next device that connects as the new sticky MAC. Remember to run wr after the new device connects to save the updated sticky MAC to startup-config. See Saving and Managing Cisco Configurations.

7. Verification

show port-security

Summary of all ports with port security enabled across the switch:

NetsTuts_SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              2            1                  0         Restrict
      Fa0/3              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
  
All three ports show 1 current address learned and 0 violations. The Security Action column confirms violation mode for each port.

show port-security interface FastEthernet0/1

NetsTuts_SW1#show port-security interface FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.0001:10
Security Violation Count   : 0
  
Key fields to read:
  • Port Status: Secure-up (port is working normally, not in violation).
  • Sticky MAC Addresses: 1 confirms the sticky entry was learned.
  • Last Source Address shows which device most recently used the port.
Cross-reference with show mac address-table to see all learned MAC addresses on the switch.

Port Status Values Explained

Port Status     | Meaning
Secure-up       | Port security is active and the port is forwarding normally — no violation
Secure-shutdown | Port has been err-disabled due to a security violation (shutdown mode triggered). Verify with show interfaces status.
Secure-down     | Port security is configured but the port is physically down (no cable or device)

show port-security address

NetsTuts_SW1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  10    0050.7966.0001    SecureSticky        Fa0/1        -
  20    0050.7966.0002    SecureSticky        Fa0/2        -
  30    0050.7966.0099    SecureConfigured    Fa0/3        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Maximum Addresses limit in System (excluding one mac per port) : 4096
  
All three secure MAC entries are visible. SecureSticky entries were learned automatically. SecureConfigured (Fa0/3) was statically configured by the engineer. Compare with show mac address-table to see the full dynamic MAC table alongside secure entries.

Verification Command Summary

Command | What It Shows
show port-security | Summary of all secured ports — max/current MACs, violation count, violation mode
show port-security interface [int] | Detailed per-port status — secure MAC counts, port status, last source address
show port-security address | All secure MAC addresses on the switch — type (sticky/static), port, VLAN
show running-config interface [int] | Shows sticky MACs as they appear in configuration after learning
show logging | Violation events including the violating MAC address and timestamp
show interfaces [int] status | Shows "err-disabled" if the port is in violation shutdown state
show mac address-table | Full dynamic MAC table — complements port-security address output

8. Troubleshooting Port Security Issues

Problem | Symptom | Cause | Fix
Port security command rejected | IOS returns: "Port security is not supported on dynamic ports" | Port is in dynamic (DTP) mode — port security requires explicit access mode | Add switchport mode access before switchport port-security. See Assigning VLANs to Switch Ports.
Port immediately err-disabled after recovery | Port returns to err-disabled within seconds of no shutdown | Unauthorized device is still connected — violation triggers again | Disconnect the offending device first, then recover with shutdown / no shutdown. Verify with show interfaces status.
Sticky MAC not saved after reload | Port re-learns MAC after every reload — learned MACs are lost | wr was not run after sticky MACs were learned — running-config not saved to startup-config | After sticky MACs are learned, always run wr to save them to NVRAM. See Saving and Managing Cisco Configurations.
Wrong device learned as sticky MAC | A different device learned as sticky — correct device now violates | Wrong device connected first during initial learning phase | Clear the sticky entry: clear port-security sticky interface [int], then connect the correct device
Violations occurring but port stays up | Violation counter incrementing but port not shutting down | Violation mode is restrict or protect — these modes do not shut the port down | Expected behavior for restrict/protect. Change to violation shutdown if a harder response is needed
No violation logging | Unauthorized device connecting but no syslog messages generated | Violation mode is protect — it silently drops frames with no logging | Change to violation restrict for logging, or violation shutdown for strict enforcement. Forward logs to a syslog server for persistent storage.

Key Points & Exam Tips

  • Port security only works on access ports — the port must be explicitly set to switchport mode access before port security can be enabled. See Assigning VLANs to Switch Ports.
  • Sticky MAC is the most practical deployment — it auto-learns the first device and writes the MAC to running-config. Always run wr after learning to persist through reloads. See Saving Configurations.
  • The default maximum MAC addresses per port is 1. The default violation mode is shutdown.
  • Shutdown mode: err-disables the port, sends syslog, increments violation counter. Requires manual recovery (shutdown / no shutdown). Verify recovery with show interfaces status.
  • Restrict mode: drops violating frames, sends syslog, increments counter — port stays up. Use when the port must remain available for authorized devices.
  • Protect mode: silently drops violating frames — no syslog, no counter increment, port stays up. Least visible — not recommended for production security monitoring.
  • A port in violation shutdown state shows Secure-shutdown in show port-security interface and err-disabled in show interfaces status.
  • To replace a locked device, clear sticky MACs with clear port-security sticky interface [int], then connect the new device and run wr.
  • show port-security address shows the type of each secure entry: SecureSticky (auto-learned), SecureConfigured (static), or SecureDynamic (dynamic — not saved). Compare with show mac address-table.
  • On the CCNA exam, know all three violation modes and their exact behaviors — especially that protect is the only mode that generates no syslog and increments no counter.
  • Port security is a Layer 2 access control mechanism. For STP-related port hardening, see PortFast & BPDU Guard. For identity-based port access, see 802.1X Port Authentication. For DHCP and ARP protection, see DHCP Snooping & Dynamic ARP Inspection.

Next Steps: With port security controlling device access at Layer 2, continue to Voice VLAN Configuration to configure dedicated voice VLANs for IP phones on the same access ports. For additional Layer 2 security, see DHCP Snooping & Dynamic ARP Inspection and 802.1X Port Authentication. For centralized identity-based access control, see AAA Authentication Methods. For forwarding violation events to a central log server, see Syslog Server Configuration.

TEST WHAT YOU LEARNED

1. An engineer enables port security on Fa0/1 but receives the error: "Command rejected: FastEthernet0/1 is a dynamic port." What must be done first?

Correct answer is B. Port security is only supported on statically configured access ports. A port in dynamic (DTP) mode is not compatible with port security because its operational mode can change. Always configure switchport mode access explicitly before adding switchport port-security commands. See Assigning VLANs to Switch Ports.

2. A port is configured with sticky MAC and violation mode shutdown. PC1 connects and its MAC is learned. PC1 is then replaced with PC2. What happens when PC2 sends its first frame?

Correct answer is D. With maximum 1 and violation mode shutdown, the port is locked to PC1's MAC. When PC2 (a different MAC) sends a frame, the switch detects a violation — the maximum is already reached and this MAC is not the secure one. The port is immediately placed into err-disabled state. Verify with show interfaces status. To authorize PC2, first clear the sticky entry with clear port-security sticky interface Fa0/1, then connect PC2.

3. What is the key difference between restrict and protect violation modes?

Correct answer is A. Both restrict and protect keep the port up and drop violating frames — neither shuts the port down. The critical difference is visibility: restrict sends a syslog message and increments the security violation counter, giving administrators visibility into the event. Protect silently discards the frame with no log and no counter increment — the violation is completely invisible unless you were actively monitoring traffic. Forward restrict-mode violations to a syslog server for persistent alerting.

4. A sticky MAC was learned on Fa0/2. The engineer runs wr to save. The switch reloads overnight. Will the sticky MAC still be there after the reload?

Correct answer is C. When a sticky MAC is learned, IOS writes it to the running-config as a static entry (switchport port-security mac-address sticky [MAC]). Running wr saves running-config to startup-config in NVRAM. On the next reload, startup-config is loaded back into RAM — restoring the sticky MAC entry. If wr is never run, the sticky MAC exists only in RAM and is lost on reload. See Saving and Managing Cisco Configurations.

5. show port-security interface Fa0/1 shows Port Status: Secure-shutdown. What does this mean and what is required to restore service?

Correct answer is D. "Secure-shutdown" is the port security-specific err-disabled state — it means the violation mode was "shutdown" and a violation occurred. The port is completely disabled at the hardware level. Confirm with show interfaces FastEthernet0/1 status, which will show "err-disabled". Recovery requires: (1) physically removing the unauthorized device, (2) entering shutdown then no shutdown on the interface. If only no shutdown is run without removing the device, the port may be immediately err-disabled again. Check show logging for the violating MAC address.

6. An engineer needs to replace the PC on Fa0/3 which has a sticky MAC locked in. Which command removes the existing sticky entry so a new device can be learned?

Correct answer is B. clear port-security sticky interface [int] removes all sticky MAC entries for that specific interface from the running-config. The port will then re-learn the next device that connects. Option A (no switchport port-security mac-address sticky) would disable sticky learning but not clear already-learned entries. Option C would disable port security entirely. Always run wr after the new device connects to save the new sticky entry. See Saving and Managing Cisco Configurations.

7. Which violation mode is the most dangerous to use in a production security environment and why?

Correct answer is A. The protect mode's silent behavior is its biggest weakness in a security context. When an unauthorized device connects, the frames are dropped but no syslog is generated and the violation counter stays at zero. An administrator checking show port-security would see 0 violations and assume everything is fine — while an attacker is actively probing the network. At minimum, restrict mode should be used so violations are logged and visible. Configure a central syslog server to alert on violation messages.

8. A port is configured with switchport port-security maximum 3 and sticky learning. Three devices have connected and been learned. A fourth device now connects. What happens?

Correct answer is C. The maximum MAC count is a hard limit. Once 3 secure MACs are learned, any frame from a 4th MAC address triggers the configured violation mode — whether that is shutdown (port err-disabled), restrict (frame dropped with logging), or protect (frame silently dropped). The maximum never auto-adjusts. The only way to allow more devices is to manually increase the maximum with switchport port-security maximum [new-value]. Verify the current learned MACs with show mac address-table.

9. What does show port-security address show for an entry of type SecureConfigured?

Correct answer is D. In show port-security address, the Type column shows three possible values: SecureConfigured means the MAC was statically configured by an administrator. SecureSticky means it was auto-learned via sticky MAC and is saved in running-config. SecureDynamic means it was learned automatically but is not persistent — it is cleared when the port goes down or the switch reloads. Compare with the dynamic entries in show mac address-table.

10. An engineer configures port security with violation restrict on an IP phone port. The phone shares the port with a PC (voice VLAN + data VLAN). Later the violation counter increases. What is the most likely explanation?

Correct answer is B. An IP phone connected to an access port with a PC behind it generates two MAC addresses — the phone's own MAC (on the voice VLAN) and the PC's MAC (on the data VLAN). The default maximum of 1 only permits one MAC. When the second device (phone or PC) sends a frame, a violation is triggered. For voice+data ports, set switchport port-security maximum 2 (or higher if the phone itself generates multiple MACs for different functions). See Voice VLAN Configuration for the complete IP phone port setup.