How to configure Port Security (mac sticky) on Cisco Switches

Port Security is enabled per port; once enabled, the switch port forwards only traffic sourced from the MAC address(es) it has learned on that port.

In the example below we set a maximum of one dynamically learned MAC address, and in the event of a violation the port will shut down.

[Figure: Port Security mac sticky]

SW1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW1(config-if)#switchport port-security
!
SW1(config-if)#switchport port-security mac-address ?
  H.H.H      48 bit mac address
  forbidden  Configure mac address as forbidden on this interface
  sticky     Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address sticky
!
SW1(config-if)#switchport port-security maximum ?
  <1-4097>  Maximum addresses
SW1(config-if)#switchport port-security maximum 1
!
SW1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
SW1(config-if)#switchport port-security violation shutdown

Protect – Drops traffic from unknown MAC addresses and does NOT send SNMP messages.
Restrict – Drops traffic from unknown MAC addresses and DOES send SNMP messages.
Shutdown – SHUTS the port (err-disabled) and DOES send SNMP messages.

Verifications (note that "maximum 1" and "violation shutdown" are the defaults, so they are not shown in the running configuration)

SW1#show run int gi0/1
Building configuration...
Current configuration : 226 bytes
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6800
 switchport port-security
 media-type rj45
 negotiation auto
end
!
!
SW1#show run int gi0/2
Building configuration...
Current configuration : 226 bytes
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6801
 switchport port-security
 media-type rj45
 negotiation auto
end
!
!
SW1#show port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
!
!
SW1#show port-security address 
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)    
----    -----------       ----                          -----   -------------
   1    0050.7966.6800    SecureSticky                  Gi0/1        -
   1    0050.7966.6801    SecureSticky                  Gi0/2        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
!
!
SW1#show mac address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    STATIC      Gi0/1 
   1    0050.7966.6801    STATIC      Gi0/2 
Total Mac Addresses for this criterion: 2
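As an added check that is not part of the original post, the following Python snippet audits the kind of running-config stanzas shown above: it reports, per access port, whether port security is enabled, whether sticky learning is on, which sticky MAC addresses have been recorded, and the effective maximum and violation mode (filling in the IOS defaults when the lines are absent). The sample config is a constructed copy of the two interfaces above plus a hypothetical Gi0/3 without port security, so the audit has something to flag.

```python
import re

# Constructed sample: Gi0/1 and Gi0/2 as shown on the page, plus a
# hypothetical Gi0/3 access port that was never secured.
SAMPLE_RUN = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6800
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.7966.6801
 switchport port-security
!
interface GigabitEthernet0/3
 switchport mode access
!
"""

STICKY_MAC = re.compile(
    r"switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

def parse_interfaces(config):
    """Split IOS running-config text into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif current and line.startswith(" "):   # indented = inside the stanza
            stanzas[current].append(line.strip())
        else:                                      # "!" or other top-level line
            current = None
    return stanzas

def audit_port_security(config):
    """Per access port: port-security state and effective settings.
    IOS omits defaults from show run, so a missing 'maximum' line means 1
    and a missing 'violation' line means shutdown."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        learned = [m.group(1) for l in lines if (m := STICKY_MAC.fullmatch(l))]
        maximum = next((int(l.split()[-1]) for l in lines
                        if l.startswith("switchport port-security maximum ")), 1)
        violation = next((l.split()[-1] for l in lines
                          if l.startswith("switchport port-security violation ")), "shutdown")
        report[name] = {"enabled": "switchport port-security" in lines,
                        "sticky": "switchport port-security mac-address sticky" in lines,
                        "learned": learned, "maximum": maximum, "violation": violation}
    return report
```

Ports reported with `"enabled": False` are access ports with no port security at all, which is the first thing to fix before worrying about the violation mode.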
