Port Security is enabled per port and the switch port will only allow traffic from the learned MAC address to be forwarded.
In our example below we will set a maximum of one MAC address to be dynamically learned and in the event of a violation the port will shutdown.
SW1(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
SW1(config-if)#switchport port-security
!
SW1(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
forbidden Configure mac address as forbidden on this interface
sticky Configure dynamic secure addresses as sticky
SW1(config-if)#switchport port-security mac-address sticky
!
SW1(config-if)#switchport port-security maximum ?
<1-4097> Maximum addresses
SW1(config-if)#switchport port-security maximum 1
!
SW1(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
SW1(config-if)#switchport port-security violation shutdown
Protect – Will drop traffic and NOT send SNMP messages.
Restrict – Will drop traffic and WILL send SNMP messages.
Shutdown – Will SHUT the port and Will send SNMP messages.
Verifications
SW1#show run int gi0/1
Building configuration...
Current configuration : 226 bytes
!
interface GigabitEthernet0/1
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6800
switchport port-security
media-type rj45
negotiation auto
end
!
!
SW1#show run int gi0/2
Building configuration...
Current configuration : 226 bytes
!
interface GigabitEthernet0/2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6801
switchport port-security
media-type rj45
negotiation auto
end
!
!
SW1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/1 1 1 0 Shutdown
Gi0/2 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
!
!
SW1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0050.7966.6800 SecureSticky Gi0/1 -
1 0050.7966.6801 SecureSticky Gi0/2 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
!
!
SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0050.7966.6800 STATIC Gi0/1
1 0050.7966.6801 STATIC Gi0/2
Total Mac Addresses for this criterion: 2
Topic discussion at CLI Warriors - Forum