Port Security – Concepts & Overview

1. What Is Port Security and Why Does It Matter?

Port security is a Layer 2 feature on Cisco switches that restricts which devices are allowed to communicate through a switch port, based on their MAC address. It limits the number of MAC addresses that can be learned on a port, and optionally hard-codes which specific MAC addresses are permitted. When an unauthorised device is detected, the switch takes a configurable action — from silently discarding frames to completely shutting down the port.

Without port security, any device plugged into a switch port immediately gets Layer 2 forwarding. This opens the door to several Layer 2 attacks, including MAC flooding (CAM table overflow), rogue device attachment, and unauthorised access through an unmanaged hub or switch hung off a single access port. Keep the limit of the control in mind: port security matches on source MAC addresses, which any host can change, so it raises the bar against accidental or casual connection rather than against an attacker who clones the authorised MAC. Authenticating the device itself is the job of 802.1X, which this page does not cover.

Threat, and how port security mitigates it:

  MAC flooding / CAM table overflow
    Limits the number of MAC addresses that can be learned on a port. A flooding
    tool sending thousands of fake source MACs hits the limit on its first extra
    address and triggers the violation action before the CAM table is overwhelmed.

  Rogue device attachment
    A specific (sticky or static) MAC binding means only the authorised device's
    MAC is accepted on that port; any other source MAC triggers a violation.

  Unauthorised hub/switch connection
    A maximum MAC count of 1 stops a user hanging a hub or unmanaged switch off
    the port, because the extra devices behind it would introduce more MACs.

  Unauthorised VLAN access
    Combined with sticky MAC, port security ensures a port (and therefore the
    VLAN it is assigned to) only ever serves the specific workstation pinned to it.

Related pages: Violation Modes – Full Guide | MAC Addresses | MAC Address Table | show mac-address-table | VLANs Overview | DHCP Snooping | DHCP Snooping & DAI Lab | Port Security & Sticky MAC Lab

2. How MAC Address Learning Works on a Switch

Before understanding port security, it is essential to understand how a switch normally learns MAC addresses. Every switch maintains a MAC address table (also called the CAM table — Content Addressable Memory) that maps MAC addresses to the port on which they were last seen.

  Normal MAC learning process (no port security):

  Step 1 — PC-A (MAC: AA:AA:AA:AA:AA:AA) sends a frame out of port Fa0/1.
  Step 2 — Switch reads the SOURCE MAC from the incoming frame.
  Step 3 — Switch records: MAC AA:AA:AA:AA:AA:AA → Port Fa0/1 in the CAM table.
  Step 4 — Entry ages out after the aging timer (default: 300 seconds) if no
            frames are received from that MAC.

  Switch# show mac address-table
  Vlan    Mac Address         Type        Ports
  ----    -----------         --------    -----
    10    aa:aa:aa:aa:aa:aa   DYNAMIC     Fa0/1
    10    bb:bb:bb:bb:bb:bb   DYNAMIC     Fa0/2

  Without port security:
  - Any MAC address is learned dynamically on any port
  - No limit on how many MACs can be learned per port
  - Any device plugged in immediately gets Layer 2 forwarding

The MAC Flooding Attack

  Attack scenario — without port security:

  Attacker runs a tool (e.g., macof) that generates thousands of frames
  with random fake source MAC addresses per second.

  Switch CAM table fills up:
  ┌────────────────────────────────────────────────────────┐
  │  CAM Table (e.g., 8,192 entry limit)                  │
  │  11:22:33:44:55:66 → Fa0/1  (real entry)              │
  │  AA:BB:CC:DD:EE:01 → Fa0/1  (fake)                    │
  │  AA:BB:CC:DD:EE:02 → Fa0/1  (fake)                    │
  │  ...  8,190 more fake entries ...                      │
  │  TABLE FULL — legitimate MACs cannot be added          │
  └────────────────────────────────────────────────────────┘

  Once full: new legitimate MACs cannot be learned, and existing entries that
  age out cannot be re-learned. Frames to those hosts become unknown unicast
  and are FLOODED out every port in the VLAN (the switch behaves like a hub).
  Attacker captures the flooded traffic on the segment: Layer 2 eavesdropping
  on conversations that should have been switched to a single port.

  Port security fix: limit Fa0/1 to a maximum of 1 MAC address.
  The first source MAC is learned; the first frame carrying a second, different
  source MAC triggers a violation, so the flood never reaches the CAM table.
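To make the overflow mechanics concrete, here is an added example (not code from the original page) that models a CAM table of fixed capacity fed by a macof-style flood on one port, first with no limit and then with a per-port learn limit of 1 standing in for `switchport port-security maximum 1`. The capacity, port names and MAC addresses are constructed for the demonstration.

```python
"""Added example, not code from the original page: a toy model of a switch CAM table
under a macof-style flood, with and without a per-port learning limit. The table
capacity, port names and MAC addresses are constructed for the demonstration."""
import random
from collections import OrderedDict

CAM_CAPACITY = 64   # constructed: tiny so the flood finishes instantly; real tables hold thousands


class CamTable:
    """MAC -> port mapping with a fixed capacity and an optional per-port learn limit
    (the limit plays the role of switchport port-security maximum on that port)."""

    def __init__(self, capacity=CAM_CAPACITY, per_port_limit=None):
        self.capacity = capacity
        self.per_port_limit = per_port_limit   # None means no port security
        self.table = OrderedDict()             # mac -> port
        self.learned_per_port = {}             # port -> number of MACs it has learned
        self.violations = []                   # (port, mac) pairs refused by the limit

    def learn(self, src_mac, port):
        """Learn the source MAC of a frame arriving on `port`; returns what happened."""
        if src_mac in self.table:
            return "refreshed"
        count = self.learned_per_port.get(port, 0)
        if self.per_port_limit is not None and count >= self.per_port_limit:
            self.violations.append((port, src_mac))
            return "violation"                 # a real switch now applies its violation mode
        if len(self.table) >= self.capacity:
            return "table-full"                # not installed: frames to this host get flooded
        self.table[src_mac] = port
        self.learned_per_port[port] = count + 1
        return "learned"

    def forward(self, dst_mac):
        """Forwarding decision: a known MAC goes out one port, unknown unicast is flooded."""
        return self.table.get(dst_mac, "FLOOD")


def random_mac(rng):
    """A random (constructed) 48-bit address in the colon notation this page uses."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_flood(per_port_limit, n_frames=200, seed=1):
    """An attacker on Fa0/1 sends n_frames frames with random source MACs, then a
    legitimate host on Fa0/2 sends its first frame. Returns (entries Fa0/1 managed
    to install, learn result for the legitimate host, forwarding decision for
    traffic addressed to that host)."""
    rng = random.Random(seed)
    cam = CamTable(per_port_limit=per_port_limit)
    cam.learn("11:22:33:44:55:66", "Fa0/1")          # the attacker's real MAC is learned first
    for _ in range(n_frames):
        cam.learn(random_mac(rng), "Fa0/1")
    attacker_entries = cam.learned_per_port.get("Fa0/1", 0)
    victim_result = cam.learn("bb:bb:bb:bb:bb:bb", "Fa0/2")
    return attacker_entries, victim_result, cam.forward("bb:bb:bb:bb:bb:bb")


if __name__ == "__main__":
    print("no port security  :", run_flood(None))   # (64, 'table-full', 'FLOOD')
    print("maximum 1 on Fa0/1:", run_flood(1))      # (1, 'learned', 'Fa0/2')
```

Without a limit the attacker's port owns every slot, the legitimate host on Fa0/2 cannot be installed and traffic to it is flooded to every port, including the attacker's. With the per-port limit the attacker gets exactly one entry (its real MAC) and every fake address is refused, which is the point at which a real switch would apply the violation mode.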

See: MAC Address Table | show mac-address-table Command

3. Port Security Prerequisites and Restrictions

Port security has specific requirements that must be met before it can be enabled. Attempting to configure port security on an ineligible port will produce an error.

Requirement / restriction, with detail:

  Access port only
    Port security can only be enabled on access ports (switchport mode access).
    It cannot be configured on trunk ports, routed ports, or EtherChannel
    member ports.

  Static access mode required
    The port must be explicitly set to access mode. A port left in the default
    dynamic mode (DTP negotiating, switchport mode dynamic auto/desirable)
    rejects the port-security command. switchport mode access makes the port
    permanently non-trunking; adding switchport nonegotiate (accepted only once
    the mode is static) stops the port sending DTP frames at all.

  Not on SPAN destination ports
    Ports configured as SPAN (port mirroring) destinations cannot use port
    security.

  Voice VLAN needs a higher maximum
    When a voice VLAN is configured alongside port security, the maximum MAC
    count must account for both the phone MAC and the PC MAC (minimum 2;
    typically set to 2 or 3, see section 5).
  ! Correct sequence — set access mode first, then enable port security:
  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10
  Switch(config-if)# switchport port-security        ! enables port security with defaults

  ! Attempting to enable port security on a port left in the default dynamic
  ! (DTP) mode is rejected with:
  Command rejected: FastEthernet0/1 is a dynamic port.

  ! Attempting to enable port security on a trunk port produces:
  % Port security is not supported on a trunk port.

4. Types of Secure MAC Addresses

Once port security is enabled, MAC addresses on that port are classified as one of three types. Understanding the difference between them is essential for both configuration and the CCNA exam. Note that Cisco IOS writes MAC addresses in dotted-hex form (aabb.ccdd.eeff) in the running-config and in show output, and expects that form when you type a MAC on the CLI; this page uses colon notation throughout for readability.

Type, how it is added, whether it survives a reboot, and where it appears:

  Static secure MAC
    Added:    manually by the administrator with
              switchport port-security mac-address <mac>
    Reboot:   survives, because it lives in the running-config (save it to
              startup-config with write memory)
    Appears:  in the running-config, and in the MAC address table as STATIC

  Dynamic secure MAC
    Added:    learned automatically from incoming frames once port security is
              enabled (the default behaviour)
    Reboot:   lost on reload, and also on a shutdown / no shutdown of the port
    Appears:  in the MAC address table only, never in the running-config

  Sticky secure MAC
    Added:    learned dynamically, then written into the running-config as if it
              had been configured statically; enabled with
              switchport port-security mac-address sticky
    Reboot:   survives only if the running-config is saved to startup-config
    Appears:  in the running-config, and in the MAC address table as STATIC

Which Type Should You Use?

Scenario, recommended type, and reason:

  Small network, devices rarely move, high security needed
    Static. Explicit control: only the exact MAC you typed is ever permitted.

  Medium network, devices mostly fixed, want automated learning
    Sticky. Learns the MAC on first connection and then locks it in; saves the
    administrator typing each MAC by hand.

  Basic limiting only: prevent MAC flooding but allow any device
    Dynamic. Simplest to configure; just set a maximum count; no MAC pinning.

5. Maximum MAC Address Limit

The maximum MAC address limit controls how many unique source MAC addresses the switch will accept on a port before treating any additional MAC as a violation. The default value is 1.

  Default behaviour (maximum = 1):
  - First MAC address seen on the port → accepted, learned as secure MAC
  - Second (different) MAC address seen on the port → VIOLATION triggered

  Configuring the maximum MAC limit:
  Switch(config-if)# switchport port-security maximum <count>

  Examples:
  switchport port-security maximum 1   ! one device only (default)
  switchport port-security maximum 2   ! PC + IP phone on same port
  switchport port-security maximum 5   ! small shared segment (not recommended)

  ! The maximum can be set from 1 up to a platform-specific upper bound; the
  ! range help for "switchport port-security maximum ?" shows the limit on
  ! your switch, and there is also a switch-wide cap on secure addresses.
  ! Typical exam value: maximum 1 (one authorised device per access port)
Voice VLAN consideration: When a port has both an access VLAN (for a PC) and a voice VLAN (for an IP phone), the IP phone and the PC each have their own MAC address. Set maximum 2 at the very least, or the second device to send a frame triggers a violation. Some deployments use maximum 3 as headroom, because on some phone models the phone's MAC is seen in both the voice VLAN and the access VLAN (the phone sends CDP and other untagged frames on the access VLAN), and port security counts each MAC/VLAN pair as a separate secure address.

6. Sticky MAC — Automatic Secure Learning

Sticky MAC is a commonly deployed form of port security in enterprise networks. When sticky learning is enabled, the switch dynamically learns the source MAC addresses of the first devices that connect (up to the configured maximum) and automatically adds each one to the running-configuration as a sticky secure MAC entry, which IOS then treats like a static entry. Any dynamic secure MACs the port had already learned are converted to sticky entries at the same moment. The port is then "locked" to those devices.

How Sticky Learning Works

  Step 1 — Enable sticky MAC on a port:
  Switch(config-if)# switchport port-security mac-address sticky

  Step 2 — PC with MAC AA:BB:CC:DD:EE:FF connects to the port and sends a frame.

  Step 3 — Switch automatically adds to running-config:
  switchport port-security mac-address sticky AA:BB:CC:DD:EE:FF

  Step 4 — Verify:
  Switch# show port-security interface fastEthernet 0/1
  Port Security              : Enabled
  Port Status                : Secure-up
  Violation Mode             : Shutdown
  Maximum MAC Addresses      : 1
  Total MAC Addresses        : 1
  Configured MAC Addresses   : 0
  Sticky MAC Addresses       : 1
  Last Source Address:Vlan   : AA:BB:CC:DD:EE:FF:10

  Step 5 — Save the running-config to persist the sticky entry across reboots:
  Switch# write memory   (or: copy running-config startup-config)

Sticky MAC — What Happens When the Device Changes

  Scenario: sticky MAC AA:BB:CC:DD:EE:FF is locked to Fa0/1.
  A different PC (MAC: 11:22:33:44:55:66) is plugged in.

  Switch receives a frame with source MAC 11:22:33:44:55:66 on Fa0/1.
  This MAC does not match the secured sticky entry AA:BB:CC:DD:EE:FF.
  → VIOLATION detected → action depends on configured violation mode.

  To authorise the new device:
  1. Remove the stale sticky entry from the running-config:
     Switch(config-if)# no switchport port-security mac-address sticky AA:BB:CC:DD:EE:FF
     (or clear every sticky entry on the port in one go:
     Switch# clear port-security sticky interface fastEthernet 0/1)
  2. If the violation mode is shutdown and the port is already err-disabled,
     bounce it with shutdown / no shutdown or wait for errdisable recovery.
     Recovery on its own is not enough: with the old entry still present the
     port comes up, sees the new MAC, and err-disables again.
  3. The new PC's MAC is learned as the replacement sticky entry on its first
     frame; save the configuration again so the new binding survives a reload.
Always save after sticky learning: Sticky MAC entries exist in the running-config only until the switch reloads — unless saved. After the intended device has connected and the sticky entry is learned, always run copy running-config startup-config. Otherwise, after a reboot, the port re-learns the MAC of whatever device connects first — which might not be the authorised one.

See: Port Security & Sticky MAC Lab

7. Violation Modes

A violation occurs when a frame arrives on a port-security-enabled port and one of the following is true:

  Violation conditions:

  Condition 1: The source MAC address of the incoming frame is NOT in the
               secure MAC list for that port, AND the maximum MAC count
               has already been reached.

  Condition 2: The source MAC address appears on a different port that
               already has it as a secure MAC (MAC move violation).

When a violation is detected, the switch takes action according to the configured violation mode. There are three modes:

7.1 Shutdown Mode (Default)

  switchport port-security violation shutdown

  When a violation occurs:
  ┌───────────────────────────────────────────────────────────────────┐
  │  1. Port is immediately placed into err-disabled state            │
  │  2. Port LED turns amber (off on some platforms)                  │
  │  3. A syslog message is generated:                                │
  │     %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation        │
  │     occurred, caused by MAC address 11:22:33:44:55:66 on port     │
  │     FastEthernet0/1.                                              │
  │  4. An SNMP trap is sent (if SNMP is configured)                  │
  │  5. Violation counter increments by 1                             │
  │  6. ALL traffic (including authorised MACs) is dropped            │
  └───────────────────────────────────────────────────────────────────┘

  Recovery (manual):
  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# shutdown
  Switch(config-if)# no shutdown

  Recovery (automatic errdisable recovery):
  Switch(config)# errdisable recovery cause psecure-violation
  Switch(config)# errdisable recovery interval 300   ! seconds

7.2 Restrict Mode

  switchport port-security violation restrict

  When a violation occurs:
  ┌───────────────────────────────────────────────────────────────────┐
  │  1. Offending frames (from the unknown MAC) are DROPPED           │
  │  2. Port remains UP and operational                               │
  │  3. Authorised MAC traffic continues to flow normally             │
  │  4. A syslog message is generated for each violation              │
  │  5. An SNMP trap is sent (if configured)                          │
  │  6. Violation counter increments for each offending frame         │
  └───────────────────────────────────────────────────────────────────┘

  Key difference from shutdown: the port stays up.
  Legitimate traffic is unaffected. Only the unauthorised frames are dropped.
  Useful when you want to log and alert without disrupting the authorised user.

7.3 Protect Mode

  switchport port-security violation protect

  When a violation occurs:
  ┌───────────────────────────────────────────────────────────────────┐
  │  1. Offending frames (from the unknown MAC) are DROPPED silently  │
  │  2. Port remains UP and operational                               │
  │  3. Authorised MAC traffic continues to flow normally             │
  │  4. NO syslog message generated                                   │
  │  5. NO SNMP trap sent                                             │
  │  6. Violation counter does NOT increment                          │
  └───────────────────────────────────────────────────────────────────┘

  Key difference from restrict: completely silent — no logging, no alerts.
  The violation is invisible unless you specifically poll port-security counters.
  Least commonly used in production — violations go undetected.

Violation Mode Comparison

  Feature                       Shutdown (default)      Restrict           Protect
  ----------------------------  ----------------------  -----------------  --------------------
  Offending frames dropped      Yes                     Yes                Yes
  Port err-disabled             Yes                     No                 No
  Authorised traffic affected   Yes, all traffic stops  No                 No
  Syslog message generated      Yes                     Yes                No
  SNMP trap sent                Yes                     Yes                No
  Violation counter increments  Yes (once, then the     Yes (per frame)    No
                                port shuts down)
  Manual recovery required      Yes (or errdisable      No                 No
                                recovery)
  Security impact               Strongest, disruptive   Medium, logs and   Weakest, silent drop
                                                        alerts
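The decision logic of sections 6 and 7 (secure MAC list, `maximum`, sticky learning, and the three violation modes with their effect on status, counter and logging) fits in a small state machine. The following is an added example, not code from the original page; the port name, MAC addresses and frame sequence are constructed, and the `bounce()` and `running_config()` helpers are this example's own approximation of `shutdown`/`no shutdown` and of the lines sticky learning leaves in the configuration.

```python
"""Added example, not code from the original page: a Python model of the port-security
decision logic in sections 6 and 7. Frames, MACs and the port name are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum (IOS default 1)
    violation: str = "shutdown"      # shutdown | restrict | protect (IOS default shutdown)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)   # mac -> "static" | "dynamic" | "sticky"
    status: str = "Secure-up"
    violation_count: int = 0
    last_source: str = ""            # "mac:vlan", as show port-security interface reports it
    log: list = field(default_factory=list)           # syslog lines the model would emit

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs[mac] = "static"

    def receive(self, src_mac, vlan=10):
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.status == "Secure-shutdown":
            return "err-disabled"               # nothing passes until the port is bounced
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Violation: unknown source MAC and the maximum has already been reached.
        self.last_source = f"{src_mac}:{vlan}"
        if self.violation == "protect":
            return "drop"                       # silent: no log, counter untouched
        self.violation_count += 1
        self.log.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}."
        )
        if self.violation == "restrict":
            return "drop"                       # port stays up, authorised MACs keep flowing
        self.status = "Secure-shutdown"         # shutdown mode: err-disable the port
        return "err-disabled"

    def bounce(self):
        """shutdown / no shutdown: clears err-disable and drops dynamic (non-sticky) entries."""
        self.status = "Secure-up"
        self.secure_macs = {m: t for m, t in self.secure_macs.items() if t != "dynamic"}

    def running_config(self):
        """Lines port security would leave in the running-config for this port."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


def device_swap(mode, sticky=True):
    """The authorised PC connects, then a different PC is plugged into the same port.
    Returns (result for the intruder's frame, result for the authorised PC's next frame,
    violation count afterwards)."""
    port = SecurePort("FastEthernet0/1", maximum=1, violation=mode, sticky=sticky)
    port.receive("AA:BB:CC:DD:EE:FF")            # learned as the one secure MAC
    intruder = port.receive("11:22:33:44:55:66")
    authorised = port.receive("AA:BB:CC:DD:EE:FF")
    return intruder, authorised, port.violation_count


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(f"{mode:9}", device_swap(mode))
    p = SecurePort("FastEthernet0/1", sticky=True)
    p.receive("AA:BB:CC:DD:EE:FF")
    print("\n".join(p.running_config()))
```

Running `device_swap` for each mode reproduces the comparison table: shutdown err-disables the port so even the authorised PC's next frame is blocked and the counter reads 1; restrict drops only the intruder's frame and counts it; protect drops it with the counter still at 0, which is exactly why a zero count in protect mode proves nothing.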

See full guide: Violation Modes – Full Guide

8. Full Port Security Configuration

The following shows a complete port security configuration combining all key parameters on a single access port.

8.1 Minimum Configuration (defaults used)

  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport port-security
  ! Defaults applied:
  !   maximum = 1
  !   violation mode = shutdown
  !   MAC type = dynamic (no sticky, no static)

8.2 Full Configuration with Sticky MAC and Custom Violation Mode

  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10
  Switch(config-if)# switchport port-security                            ! enable port security
  Switch(config-if)# switchport port-security maximum 2                  ! allow PC + IP phone
  Switch(config-if)# switchport port-security mac-address sticky         ! sticky learning
  Switch(config-if)# switchport port-security violation restrict         ! log but stay up

  ! Save so sticky entries survive reboot:
  Switch# copy running-config startup-config

8.3 Configuration with a Static MAC Address

  Switch(config)# interface fastEthernet 0/2
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 20
  Switch(config-if)# switchport port-security
  Switch(config-if)# switchport port-security maximum 1
  Switch(config-if)# switchport port-security mac-address AA:BB:CC:DD:EE:FF  ! static
  Switch(config-if)# switchport port-security violation shutdown

8.4 Configuring Multiple Ports at Once (interface range)

  Switch(config)# interface range fastEthernet 0/1 - 24
  Switch(config-if-range)# switchport mode access
  Switch(config-if-range)# switchport port-security
  Switch(config-if-range)# switchport port-security maximum 1
  Switch(config-if-range)# switchport port-security mac-address sticky
  Switch(config-if-range)# switchport port-security violation shutdown

9. Err-Disabled State and Recovery

When violation mode is set to shutdown and a violation occurs, the port enters err-disabled state. This is a Cisco-specific state indicating that the interface has been administratively disabled by the switch itself due to an error condition. The port will not pass any traffic until it is recovered.

  Identifying an err-disabled port:

  Switch# show interfaces fastEthernet 0/1
  FastEthernet0/1 is down, line protocol is down (err-disabled)

  Switch# show interfaces status
  Port      Name     Status        Vlan   ...
  Fa0/1              err-disabled  10

  Switch# show port-security interface fastEthernet 0/1
  Port Security              : Enabled
  Port Status                : Secure-shutdown        ← err-disabled due to port security
  Violation Mode             : Shutdown
  Last Source Address:Vlan   : 11:22:33:44:55:66:10  ← the offending MAC

Manual Recovery

  ! Remove the offending device first, then:
  Switch(config)# interface fastEthernet 0/1
  Switch(config-if)# shutdown
  Switch(config-if)# no shutdown
  ! Port returns to Secure-up state (if the violation MAC is gone)

Automatic Errdisable Recovery

  ! Configure the switch to automatically recover err-disabled ports after a timer:
  Switch(config)# errdisable recovery cause psecure-violation
  Switch(config)# errdisable recovery interval 300    ! recover after 300 seconds (5 min)

  ! Verify errdisable recovery settings:
  Switch# show errdisable recovery
  ErrDisable Reason            Timer Status   Timer Interval
  -----------------            -------------- --------------
  psecure-violation            Enabled        300

  Note: Automatic recovery should be used carefully. If the offending device
  is still connected, the port will shut down again immediately after recovery,
  causing a repeated cycle. Remove the cause first.
Err-disabled vs administratively down: An err-disabled port shows "down/down (err-disabled)" in show interfaces. An administratively shut-down port shows "administratively down." These are different states — err-disabled is triggered by the switch; administratively down is triggered by a shutdown command.

10. Verification and Monitoring Commands

  ! Summary of port security status on ALL ports:
  Switch# show port-security

  Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
  -----------  -------------  -----------  -----------------  ---------------
  Fa0/1                    1            1                  0         Shutdown
  Fa0/2                    2            2                  0         Restrict

  ! Detailed status for a specific port:
  Switch# show port-security interface fastEthernet 0/1
  Port Security              : Enabled
  Port Status                : Secure-up
  Violation Mode             : Shutdown
  Aging Time                 : 0 mins
  Aging Type                 : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses      : 1
  Total MAC Addresses        : 1
  Configured MAC Addresses   : 0
  Sticky MAC Addresses       : 1
  Last Source Address:Vlan   : AA:BB:CC:DD:EE:FF:10
  Security Violation Count   : 0

  ! Show all secure MAC addresses (static, dynamic, sticky):
  Switch# show port-security address
  Secure Mac Address Table
  -----------------------------------------------------------------------
  Vlan  Mac Address        Type              Ports     Remaining Age (mins)
  ----  -----------        ----              -----     --------------------
    10  AA:BB:CC:DD:EE:FF  SecureSticky      Fa0/1     -

  ! Show MAC address table entries for a specific port:
  Switch# show mac address-table interface fastEthernet 0/1

Key Output Fields to Know

Field, and what it means:

  Port Status: Secure-up
    Port security is enabled and the port is operational; no violation.
  Port Status: Secure-shutdown
    The port is err-disabled because of a security violation (shutdown mode).
  Port Status: Secure-down
    Port security is enabled but the port is physically down (no link).
  Sticky MAC Addresses
    Number of MAC addresses learned via sticky; these appear in the running-config.
  Configured MAC Addresses
    Number of statically configured MAC addresses on this port.
  Security Violation Count
    Total number of violation events recorded on this port; protect mode does
    not increment this counter.
  Last Source Address:Vlan
    The MAC address and VLAN of the last source seen on the port. After a
    violation this is the offending device, which makes it the first field to
    check when a port goes to Secure-shutdown.
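The outputs in this section are what a monitoring job actually has to read. The following added example (not code from the original page) parses the `show port-security` summary table and a `show port-security interface` block in the formats shown above and turns them into findings worth alerting on: recorded violations, ports running the blind protect mode, ports whose secure slots are all used up, and err-disabled ports with the offending MAC pulled out. The sample outputs are constructed to match the page's examples; real output may carry extra header lines, which the row regex simply does not match.

```python
"""Added example, not code from the original page: turn `show port-security` output
into findings. The two sample outputs below are constructed from the page's formats."""
import re

SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
-----------  -------------  -----------  -----------------  ---------------
Fa0/1                    1            1                  0         Shutdown
Fa0/2                    2            2                  0         Restrict
Fa0/3                    1            1                  0          Protect
Fa0/4                    1            1                  3         Restrict
"""

SHOW_PORT_SECURITY_INTERFACE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 11:22:33:44:55:66:10
Security Violation Count   : 1
"""

# One data row of the summary: port, three counters, action. Header and separator
# lines fail the \d+ groups and are skipped.
SUMMARY_ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$"
)


def parse_summary(text):
    """Rows of `show port-security` as dicts, in display order."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            rows.append({"port": m["port"], "max": int(m["max"]), "current": int(m["cur"]),
                         "violations": int(m["viol"]), "action": m["action"].lower()})
    return rows


def parse_interface(text):
    """`Field : value` lines of `show port-security interface` into a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def summary_findings(rows):
    """Things worth alerting on, in the order the rows appear."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append(f"{r['port']}: {r['violations']} violation(s) recorded, mode {r['action']}")
        if r["action"] == "protect":
            findings.append(f"{r['port']}: protect mode, violations are neither counted nor logged")
        if r["max"] > 1 and r["current"] == r["max"]:
            findings.append(f"{r['port']}: all {r['max']} secure slots in use, next new MAC violates")
    return findings


def interface_findings(fields):
    """Findings from one port's detail block."""
    findings = []
    if fields.get("Port Status") == "Secure-shutdown":
        # The field is "mac:vlan"; split off the VLAN after the last colon.
        mac, _, vlan = fields.get("Last Source Address:Vlan", "").rpartition(":")
        findings.append(f"err-disabled by port security; offending MAC {mac} in VLAN {vlan}")
    if fields.get("Sticky MAC Addresses", "0") != "0":
        findings.append("sticky entries present; confirm the running-config has been saved")
    return findings


if __name__ == "__main__":
    for f in summary_findings(parse_summary(SHOW_PORT_SECURITY)):
        print(f)
    for f in interface_findings(parse_interface(SHOW_PORT_SECURITY_INTERFACE)):
        print(f)
```

Feed it real output captured over SSH or from a syslog/SNMP collector and the protect-mode finding is the one to act on first: it is the only case where the counters can read zero while violations are happening.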

11. Securing Unused Ports

Port security addresses active ports, but unused switch ports are also a security concern — an attacker can simply plug into an unused port and gain Layer 2 network access. Best practice is to apply a combination of measures to all unused ports.

  Best practice configuration for unused ports:

  Switch(config)# interface range fastEthernet 0/10 - 24   ! unused ports
  Switch(config-if-range)# switchport mode access
  Switch(config-if-range)# switchport access vlan 999       ! isolated "black hole" VLAN
  Switch(config-if-range)# switchport port-security
  Switch(config-if-range)# switchport port-security maximum 1
  Switch(config-if-range)# switchport port-security violation shutdown
  Switch(config-if-range)# shutdown                         ! administratively disable

  ! Also create VLAN 999 and give it no SVI (no "interface vlan 999"), so
  ! nothing in it can be routed:
  Switch(config)# vlan 999
  Switch(config-vlan)# name UNUSED_PORTS
  Switch(config-vlan)# exit

Measure, and its purpose:

  switchport access vlan 999
    Places unused ports in an isolated VLAN with no routing; even if someone
    connects, they cannot reach production networks.
  switchport port-security violation shutdown
    If an admin forgets to shut the port, it still cannot be turned into a hub
    or flooded: with maximum 1 the first MAC is learned, and a second MAC
    err-disables the port with a syslog alert. Keeping the first device off
    the port is the job of the shutdown command, not of port security.
  shutdown
    Primary defence; administratively disables the port so no traffic passes
    until it is explicitly re-enabled.

12. Port Security MAC Aging

By default, secure MAC addresses do not age out — they are permanent until manually removed or the port is reset. MAC aging can be configured to automatically remove secure MAC entries after a set time, useful in environments where devices frequently change (e.g., shared desk spaces or training rooms).

  MAC aging types:
  ┌──────────────┬────────────────────────────────────────────────────────────┐
  │  Absolute    │ The MAC entry is removed exactly <time> minutes after it  │
  │              │ was first learned, regardless of activity on the port.     │
  ├──────────────┼────────────────────────────────────────────────────────────┤
  │  Inactivity  │ The MAC entry is removed if no frames from that MAC have   │
  │              │ been seen for <time> minutes (idle timer resets on each    │
  │              │ received frame).                                           │
  └──────────────┴────────────────────────────────────────────────────────────┘

  Configure aging:
  Switch(config-if)# switchport port-security aging time 60        ! 60 minutes
  Switch(config-if)# switchport port-security aging type inactivity

  ! Allow static MACs to age (disabled by default):
  Switch(config-if)# switchport port-security aging static

  ! Verify:
  Switch# show port-security interface fastEthernet 0/1
  Aging Time  : 60 mins
  Aging Type  : Inactivity
Sticky MAC and aging: Sticky entries are treated like static entries for aging purposes, so ordinary aging does not remove them. Whether aging static then makes sticky entries expire depends on the platform and IOS release, so verify the behaviour with show port-security interface on your own switches before relying on it. In practice, sticky without aging static makes the entry permanent for the lifetime of the running-config.

13. Port Security Summary — Key Facts

Topic Key Fact
Supported port types Access ports only — not trunk, routed, or EtherChannel ports
Enable command switchport port-security (on an access mode interface)
Default maximum MACs 1 — only one MAC address permitted per port by default
Default violation mode Shutdown — port enters err-disabled on violation
Static MAC Manually configured; in running-config; persists across reboot if saved
Dynamic MAC Auto-learned; NOT in running-config; lost on reload
Sticky MAC Auto-learned then written to running-config; survives reboot if saved
Shutdown mode Err-disables port; generates syslog + SNMP; all traffic stops; manual recovery needed
Restrict mode Drops offending frames; port stays up; generates syslog + SNMP; counter increments
Protect mode Drops offending frames silently; port stays up; NO logging; counter does NOT increment
Err-disabled recovery shutdown / no shutdown on the port, or errdisable recovery cause psecure-violation
Verify command show port-security interface <port> and show port-security address

14. Port Security Quiz

1. What is the default violation mode and default maximum MAC address limit when port security is first enabled on a Cisco switch port?

Correct answer is B. When you issue switchport port-security without any additional parameters, Cisco IOS applies the defaults: maximum MAC addresses = 1 (only one device is permitted) and violation mode = shutdown (the port enters err-disabled state on a violation). These defaults are important CCNA exam facts — memorise them.

2. What is the key difference between a sticky MAC address and a dynamic secure MAC address?

Correct answer is D. This is the critical distinction the CCNA exam tests. Both types are learned automatically from incoming frames. However, a dynamic secure MAC is stored only in the volatile MAC address table — it disappears when the switch reloads or the port bounces. A sticky MAC is automatically converted to a static entry in the running-config (switchport port-security mac-address sticky <mac>), so it persists across port resets and survives reboots when the config is saved.

3. A switch port in violation mode "restrict" detects a frame from an unauthorised MAC address. What happens?

Correct answer is A. Restrict mode drops frames from the offending MAC but keeps the port operational. Authorised devices on the port are unaffected. A syslog message is generated for each violation event, an SNMP trap is sent if configured, and the violation counter increments for each dropped frame. This makes restrict ideal when you want security enforcement with visibility (logging) but cannot afford to disrupt the legitimate user.

4. A port configured with violation mode "shutdown" has just detected a violation. The port is now err-disabled. What is the correct manual recovery procedure?

Correct answer is C. The standard manual recovery procedure for a port-security err-disabled port is to first remove the cause (the unauthorised device), then issue shutdown then no shutdown on the interface. This bounces the port, which clears the err-disabled condition and returns it to Secure-up (assuming no violation MAC is still present). Automatic recovery can also be configured with errdisable recovery cause psecure-violation but is not the default.

5. Which violation mode provides the LEAST visibility to network administrators, and why is it considered the least secure option for production use?

Correct answer is B. Protect mode is the "silent" violation mode. It drops frames from unauthorised MACs but generates no syslog messages, sends no SNMP traps, and does not increment the violation counter. From an administrator's perspective, violations are completely invisible unless you manually inspect the port-security table and happen to notice something unusual. This is the key weakness of protect mode — security events go undetected. Restrict and shutdown both generate alerts.

6. A switch port has port security enabled with sticky MAC and maximum set to 1. The authorised PC is replaced with a new PC that has a different MAC address. The sticky entry still exists in the running-config. What occurs?

Correct answer is D. Once a sticky MAC is learned and the maximum is reached, any new MAC arriving on the port triggers a violation. The switch compares the incoming source MAC against the secure MAC list — the new PC's MAC is not in the list, and there is no room to add it (maximum = 1). To allow the new PC, the administrator must remove the old sticky entry: no switchport port-security mac-address sticky <old-mac>, or clear all port security on that port and let it re-learn.

7. An administrator configures port security on Fa0/1 but receives the error: "Command rejected: FastEthernet0/1 is a trunk port." What is the cause and the fix?

Correct answer is A. Port security is only supported on access-mode ports. If a port is in trunk mode (either manually or via DTP negotiation), the switchport port-security command is rejected. The fix is to first configure the port as an access port: switchport mode access, then apply port security. Port security works on any speed interface (FastEthernet, GigabitEthernet, etc.) as long as it is in access mode.

8. What does the "Security Violation Count" field in the output of show port-security interface represent, and which violation mode does NOT increment it?

Correct answer is C. The Security Violation Count is incremented each time a violation event occurs on the port. In shutdown mode it increments by 1 (then the port goes down). In restrict mode it increments for each individual offending frame dropped. In protect mode, violations are dropped silently and the counter is NEVER incremented — making it impossible to detect violations through normal monitoring. This is a key CCNA exam differentiator between restrict and protect.

9. A port is configured with port security maximum 2 and sticky MAC. An IP phone (MAC: 00:11:22:33:44:55) and a PC (MAC: AA:BB:CC:DD:EE:FF) are both connected. The administrator saves the running-config. The switch then reloads. What happens to the port after reload?

Correct answer is B. When sticky MAC is enabled and the running-config is saved (copy running-config startup-config), the sticky entries are written to startup-config as static switchport port-security mac-address sticky <mac> lines. On reload, the startup-config is loaded, restoring both sticky entries. When the phone and PC reconnect with their original MACs, the switch recognises them as matching the secured entries and the port operates normally. This is the primary advantage of sticky over dynamic MAC.

10. An administrator runs show port-security and sees a port with "Security Violation Count: 0" and "Port Status: Secure-up" but suspects unauthorised access attempts are occurring. Which violation mode would explain why violations are not being recorded, and what should the administrator do?

Correct answer is D. This scenario describes the classic pitfall of protect mode. Because protect silently discards offending frames without logging or counter increments, a zero violation count does not guarantee no violations occurred — it could simply mean protect mode is hiding them. Restrict and shutdown both generate syslog messages and increment the counter, making them far more suitable for environments where security monitoring is important. The fix is to change the violation mode to restrict (port stays up, starts logging) or shutdown (port goes down on next violation, triggering an alert). See: Violation Modes – Full Guide
