CCNA 200-301: Implementing Switch Port Security
Why Port Security Matters and Where It Fits
Switch port security is a basic but useful access-layer control on supported Cisco Catalyst switches and IOS/IOS XE platforms. Its job is simple: limit which source MAC addresses are allowed on a Layer 2 switchport. In real networks, that helps reduce casual unauthorized connections, rogue mini-switches, and endpoint sprawl on ports that are supposed to serve known devices.
For CCNA, think of port security primarily as an access-port feature used on static access ports. Some Cisco platforms also support it in certain statically configured trunk scenarios, but that is not the main enterprise edge design pattern and not the primary exam focus. Also, port security applies to Layer 2 switchports only. If an interface is configured as a routed port with no switchport, port security does not apply.
Just keep the security positioning realistic: port security is not NAC, does not authenticate users, and does not stop MAC spoofing. A device can fake a source MAC address. So, putting it simply, port security is more like a basic guardrail than a real identity check. It’ll catch the accidental stuff and the casual misuse pretty well, but it doesn’t prove the device on the other end is actually the one you expected. Now, in more mature environments, I’d usually reach for 802.1X instead because it’s the stronger access-control choice. That said, port security still earns its keep when you just need something simple, built into IOS, and effective at the edge.
How Port Security Works
A switch normally learns source MAC addresses in the MAC address table, often discussed as CAM-based forwarding behavior. Port security adds a separate security policy on top of that forwarding process by tracking secure MAC addresses allowed on an interface. Forwarding still depends on the MAC address table, but port security independently decides whether the source MAC should be accepted on that port.
If a frame arrives from an allowed secure MAC, traffic is forwarded normally. If a frame shows up from a MAC address that goes over the limit or isn’t allowed on that port, the switch flags it as a violation. That’s the basic trigger point. In show port-security interface, you may see a port status of secure-up. That is a Cisco port-security operational status value, not a generic networking term. It means the port is up and operating normally under port-security enforcement.
Prerequisites and Deployment Checklist
Before configuring port security, verify these basics:
- The interface is a Layer 2 switchport, not configured with no switchport.
- The port is intentionally configured, usually with switchport mode access.
- The correct access VLAN is assigned.
- If an IP phone is present, decide whether a voice VLAN is needed.
- The maximum secure MAC count matches the real endpoint design.
- The violation mode matches business impact: protect, restrict, or shutdown.
- You know whether the port should use static, dynamic, or sticky secure MAC learning.
- Edge protections such as PortFast and BPDU Guard are added where appropriate.
A pretty typical hardened edge setup looks something like this:
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
switchport nonegotiate is optional and platform/design dependent, but it is commonly used to disable DTP on manually configured ports. PortFast should be used only on true edge ports, and BPDU Guard is what protects that edge port if any BPDU is received.
Secure MAC Types: Static, Dynamic, and Sticky
There are three secure MAC approaches you need to know:
- Static secure MAC: manually configured on the interface. In my experience, this is the sweet spot for fixed devices like kiosks or POS terminals that aren’t supposed to move.
- Secure dynamic MAC: learned automatically by port security but not written into the running configuration. Lost after reload.
- Secure sticky MAC: learned dynamically, then written into the running configuration after traffic is seen from the device. It survives reload only if you save the config.
That last point matters. Sticky learning doesn’t happen the second you type the command. First, the device has to actually send some traffic. The switch then learns the MAC address and writes the sticky entry into the running configuration. If you want that entry to survive a reload, you’ve got to save the configuration:
copy running-config startup-config
From an operations standpoint, sticky is really popular because it cuts down on manual work. The catch is that it can also capture the wrong device if learning happens during staging, a desk move, or one of those messy maintenance windows we all know too well.
Violation Modes: Protect, Restrict, and Shutdown
The violation mode is basically the switch’s reaction plan when an unauthorized MAC shows up:
- Protect: drops unauthorized frames, keeps the port up, and usually provides limited visibility compared with restrict. On many platforms it does not increment the security violation counter the same way restrict and shutdown do, and it does not generate the same syslog or SNMP behavior.
- Restrict: drops unauthorized frames, keeps the port up, increments the violation counter, and may generate system log messages or SNMP traps if supported and configured.
- Shutdown: default mode. The port is placed into err-disabled due to the security violation.
For CCNA, remember the default is shutdown. In production, restrict is often easier to support because it gives you evidence without taking the port down. shutdown is the stronger fail-closed choice for tightly controlled ports.
Maximum MAC Count and Real-World Design
The default maximum secure MAC count is typically 1 on Cisco IOS port-security implementations, though you should always verify platform behavior. That default works well for a single desktop port, but not every edge port is truly one MAC.
Examples:
- Desktop-only port: usually 1
- Phone + PC: start with 2, then validate actual observed MAC count
- Kiosk or POS: usually 1 with static MAC
- Shared desk or dock: often 1 or 2, depending on device behavior
- Lab host, hypervisor, or bridged endpoint: may require more than 2
Voice VLAN designs deserve special attention. A typical phone + PC setup often needs at least two MAC addresses, but some phones, passthrough behavior, attached peripherals, or virtualization behind the phone can make the observed count higher. Do not raise the maximum just to reduce tickets. Size it to the actual design.
Aging Options and Caveats
By default, aging is disabled. If you enable it, the switch can age out secure MAC addresses after a configured time:
 switchport port-security aging time 60
 switchport port-security aging type inactivity
Absolute aging removes the secure MAC after the timer expires no matter what. Inactivity aging removes it only if the MAC has been idle for the configured interval. Aging is most useful in labs, classrooms, or hot-desk spaces. It is usually a poor fit for tightly controlled ports where persistence matters.
Behavior can vary by platform and secure MAC type. Aging is most relevant to dynamically learned secure MACs and, on some platforms, sticky entries depending on configuration and support. Static secure MAC handling differs. If you use aging, document it clearly so it does not look like random failure later.
Configuration Examples
Basic single-user port:
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
Sticky learning on a user desk:
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
After the endpoint sends traffic, save the learned sticky MAC:
copy running-config startup-config
Phone + PC on one port:
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
Static secure MAC for a fixed device:
interface GigabitEthernet1/0/13
 switchport mode access
 switchport access vlan 40
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 00aa.bbcc.ddee
 switchport port-security violation shutdown
Verification Workflow
Don’t just guess your way through it — use a structured sequence:
- show interfaces status: confirms whether the port is connected or err-disabled.
- show interfaces gi1/0/10 switchport: confirms the interface is a switchport and shows access and voice VLAN details.
- show port-security: high-level summary of protected ports, counts, and actions.
- show port-security interface gi1/0/10: detailed status, mode, maximum, sticky count, and violations.
- show port-security address: best command for viewing secure MAC addresses and their types.
- show running-config interface gi1/0/10: confirms sticky or static entries in config.
- show mac address-table interface gi1/0/10: useful for forwarding context, but not the best source for secure MAC type.
- show logging | include SECURE|PORT_SECURITY|PSECURE: checks violation messages in the device logs.
Example detailed output:
Switch# show port-security interface gi1/0/10
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Security Violation Count : 0
And the most useful secure-address view:
Switch# show port-security address
Secure Mac Address Table
Vlan Mac Address Type Ports Remaining Age
10 0011.2233.4455 SecureSticky Gi1/0/10 -
40 00aa.bbcc.ddee SecureConfigured Gi1/0/13 -
Exact formatting varies by platform, but this command is more reliable than relying only on generic MAC table labels such as STATIC or DYNAMIC.
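As an added example (not from the article), the following Python turns the show port-security interface output above into a dict and applies the troubleshooting logic from this section to it. The sample output is constructed in the article's format; label spacing varies by platform, and Secure-shutdown is the status value assumed for a port that was err-disabled by a violation.

```python
# Added example, not from the article: parse 'show port-security interface'
# output and triage it for the "jack is dead" runbook. The output below is
# constructed in the format the article shows; label spacing varies by platform,
# and 'Secure-shutdown' is the status value assumed for a violation-disabled port.
import re

SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Security Violation Count   : 3
"""

def parse_port_security(text):
    """Map each 'Label : Value' line to a dict; values starting with digits become ints."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        num = re.match(r"\d+", value)
        fields[label.strip()] = int(num.group()) if num else value
    return fields

def triage(fields):
    """Return the findings a helpdesk runbook would act on, most urgent first."""
    status = str(fields.get("Port Status", "")).lower()
    mode = str(fields.get("Violation Mode", "")).lower()
    maximum = fields.get("Maximum MAC Addresses", 0)
    total = fields.get("Total MAC Addresses", 0)
    violations = fields.get("Security Violation Count", 0)
    checks = [
        ("shutdown" in status, "port is secure-shutdown (err-disabled): fix the secure MAC, then shut / no shut"),
        (violations > 0, f"{violations} violation(s) recorded in {mode} mode: find the offending MAC in the logs"),
        ("up" in status and total >= maximum and mode in ("protect", "restrict"),
         "port is up but at its MAC maximum: any extra device is dropped without taking the port down"),
        (fields.get("Sticky MAC Addresses", 0) > 0, "sticky entries present: confirm the running-config was saved"),
    ]
    return [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    for finding in triage(parse_port_security(SAMPLE_OUTPUT)):
        print("-", finding)
```

The same parser works on the secure-up output shown earlier, where it reports nothing more than the sticky-save reminder.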
Violation, Err-Disable Recovery, and Safe Remediation
If a shutdown-mode violation occurs, the interface goes err-disabled. A user usually reports it as a dead wall jack. The right response is: verify, identify the unauthorized or stale MAC, fix the cause, then recover the port.
Manual recovery:
interface GigabitEthernet1/0/10
 shutdown
 no shutdown
If the old sticky or static MAC still exists, clearing it may also be required before recovery:
clear port-security sticky interface gi1/0/10
no switchport port-security mac-address sticky 0011.2233.4455
no switchport port-security mac-address 00aa.bbcc.ddee
The clear command runs from privileged EXEC mode; the two no commands are entered under the interface. You can configure automatic recovery, but honestly, you’ve got to be careful with it:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
show errdisable recovery
The interval is commonly 300 seconds unless changed. Auto-recovery is convenient, but if the root cause remains, the port can repeatedly fail and recover in a loop.
Moves, Adds, Changes, and Sticky MAC Cleanup
Port security often breaks during normal operations, not attacks. A desktop gets replaced, a user moves desks, or a dock is swapped. For sticky MAC ports, a safe workflow is:
- Confirm the current secure MAC with show port-security address.
- Remove or clear the old sticky entry.
- Ensure the intended new endpoint is the only device connected.
- Bring the port up and generate traffic from the new device.
- Verify the new sticky MAC was learned.
- Save the configuration.
That way, you don’t accidentally teach the switch the wrong MAC during a change window, and honestly, that’s one of those easy mistakes that can waste a lot of time.
Common Misconfigurations and Troubleshooting
- Forgot switchport mode access or left the port in dynamic mode.
- Configured port security on an unsupported or routed interface.
- Maximum MAC count set too low for phone + PC or dock behavior.
- Sticky learned the wrong endpoint during staging.
- Sticky MAC learned correctly, but config was never saved.
- Auto-recovery enabled without fixing the cause.
- Assumed port security prevents spoofing or replaces 802.1X.
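As an added example (not from the article), this Python script audits a saved running-config against the deployment checklist and the misconfiguration list above: a port-security port left in dynamic mode, a voice VLAN with the default maximum of 1, and a sticky port whose learned MAC was never written or saved. The config text is constructed for the example.

```python
# Added example, not from the article: audit a saved running-config against the
# article's port-security checklist, applying its defaults (maximum 1, violation
# shutdown). The config is constructed: a clean sticky port, a sticky port with
# nothing learned yet, and a phone + PC port carrying the common mistakes.

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/12
 switchport access vlan 20
 switchport voice vlan 30
 switchport port-security
!
"""

def split_interfaces(config):
    """Map each interface name to its list of indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def audit_interface(cmds):
    """Apply the checklist to one port's commands; return its findings."""
    if "switchport port-security" not in cmds:
        return []  # not a port-security port, nothing to check
    maximum = next((int(c.split()[-1]) for c in cmds
                    if c.startswith("switchport port-security maximum ")), 1)
    sticky_on = "switchport port-security mac-address sticky" in cmds
    # A learned sticky entry is the same command followed by a MAC address.
    learned = any(c.startswith("switchport port-security mac-address sticky ") for c in cmds)
    checks = [
        ("switchport mode access" not in cmds, "no 'switchport mode access': port may still be in dynamic (DTP) mode"),
        (any(c.startswith("switchport voice vlan ") for c in cmds) and maximum < 2,
         f"voice VLAN present but maximum is {maximum}: phone + PC needs at least 2"),
        (sticky_on and not learned, "sticky enabled but no MAC learned or saved yet"),
    ]
    return [msg for hit, msg in checks if hit]
```

Run audit_interface over each entry of split_interfaces(SAMPLE_CONFIG) to get the findings per port; the clean port returns an empty list.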
Quick runbook for “user says the jack is dead”:
- show interfaces status: is it err-disabled?
- show port-security interface gi1/0/10: violation count and mode?
- show port-security address: which MAC is secured?
- show running-config interface gi1/0/10: stale sticky or static entry?
- Fix the secure MAC state, then recover the port.
Security Limitations and Related Features
Port security does help control basic Layer 2 access, but it doesn’t authenticate users, check device posture, or stop someone from spoofing a MAC address. It’ll absolutely discourage casual misuse and catch surprise devices, but let’s be honest — it’s not high-assurance identity enforcement.
That’s why it works best as one layer in a broader edge design, right alongside things like DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. Each of those features tackles a different headache — rogue DHCP servers, ARP spoofing, and source validation. If your environment can support 802.1X properly, that’s usually the stronger option for user access, no question. Port security still has value in simple branches, retail, kiosks, labs, and fixed-device segments.
CCNA 200-301 Quick Facts and Exam Tips
- Port security is primarily taught for static access ports.
- It applies to Layer 2 switchports, not routed ports.
- Default violation mode: shutdown. Shutdown causes err-disabled.
- Default maximum is typically 1.
- Aging is disabled by default.
- Sticky MAC is learned dynamically and written to the running config after traffic is seen.
- Sticky survives reload only if the config is saved.
- Restrict drops traffic and increments violation counters; protect is quieter.
- Phone + PC ports usually need more than one secure MAC.
Three exam-style traps show up all the time:
- A port goes err-disabled after a PC replacement: old sticky or static MAC no longer matches.
- A user cannot connect but the port stays up: likely protect or restrict mode dropping unauthorized traffic.
- Sticky MAC disappeared after reboot: config was not saved.
Memorize the defaults, but focus on behavior. If you can explain why a port is secure-up, why shutdown causes err-disable, and why show port-security address is more useful than only show mac address-table, you are in good shape for both the exam and real troubleshooting.
Conclusion
Cisco switch port security is a straightforward but valuable access-layer control when used in the right place. So, the real takeaway is this: put it on the right Layer 2 edge ports, size the maximum MAC count to match the actual endpoint design, pick the right violation mode, verify everything with the right show commands, and handle sticky or static entries carefully when devices get moved or replaced. And for CCNA, that mix of configuration, verification, and troubleshooting is what really matters most.