Catalyst switch port security is so often recommended. This is because of a couple of important points:

  • There are many attacks that are simple to carry out at Layer 2
  • There tends to be a gross lack of security at Layer 2
  • Port Security can guard against so many different types of attacks such as MAC flooding, MAC spoofing, and rouge DHCP and APs, just to name a few

I find when it comes to port security, however, many students cannot seem to remember two main points:

  1. What in the world is Sticky Learning and how does it work?
  2. What is the difference between the different violation modes and how can I remember them?

Sticky Learning

Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the port security feature itself, for example:

switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security

Now what happens is the 2 MAC addresses for the two devices you trust (perhaps an IP Phone and a PC) are dynamically learned by the switch. The switch now automatically writes static port security entries in the running configuration for those two devices. All you have to do is save the running configuration, and poof, you are now configured with the powerful static MAC port security feature.

Please note that it is easy to forget to actually turn on port security after setting the parameters. This is what the third line is doing in the configuration above. Always use your show port-security commands to confirm you remembered this important step of the process!

Violation Modes

The violation modes are Shutdown, Protect, and Restrict. Shutdown is the default and the most severe. If there is a violation, the port is error-disabled and notifications are sent (SNMP traps can be used and violation counters are incremented, etc.). With Restrict mode, the bad MAC cannot communicate on the port, but the port does not error-disable. There are notifications sent. With the Protect mode, the bad MAC cannot communicate and there is no eror-disabling, but the problem is, there are no notfications sent. Cisco does not recommend this mode as a result.

How can you remember these easily? Just think of the alphabet. P the R then S gives you the levels of severity. :-)

Where do you find these features documented should you still forget? – Support – Configure – Products – Switches – LAN Switches – Access – 3560 Series - Configuration Guides – Software Configuration Guides – Latest Release – Configuring Port-Based Traffic Control

You can leave a response, or trackback from your own site.

2 Responses to “Catalyst Switch Port Security Basics”

  1. Jochen Bartl says:

    I’ve recently discovered that the shutdown mode also has the optional keyword “vlan”. Which shuts down either the voice vlan or the access vlan, depending on which one the violation has occured.

    (config-if)#switchport port-security violation shutdown vlan

    This allows you to give the users at least a chance to call the helpdesk if the violation has occurred on the access vlan, because it doesn’t shutdown the whole port ;-)

    Best Regards,


  2. Amit jayaprakash says:


    i love reading your posts…its Awesome.
    simple and to the point…:-)


Leave a Reply


CCIE Bloggers