How to configure port-security on Cisco Switch

This topic is to discuss the following lesson:

Hi, your lessons are very interesting. Thank’s.

Hi Rene, thanks for the lessons. Very interesting and informative - keep up the good work :slight_smile:

Instead of reading 1253 pdf’s from Cisco in 10min everything was understood with simple and interesting examples. Gongratulations René, here it is a very useful lesson.

Thanks LuĂ­s! Glad to hear it was useful to you.

Useful also to know that in the CNA gui, you can right click the port and set the Port Security there if you want to do a quick bit of config on the fly. Thanks

Thanks - nice tutorial and I just applied it to one port on our switch!

wonderfull tutorial, U’r my angel switch, but can Catalyst 2960 Series work this tutorial?

Sure, even the 2950 will work.

Hi Rene, I have a strange problem related to your post. We have a unmananged switch connected to a managed switch port. That port is configured as follows:

 description Conference Room
 switchport access vlan 43
 switchport mode access
 switchport port-security maximum 16
 switchport port-security
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 20
 dot1x timeout tx-period 10
 spanning-tree bpduguard enable

If a user connects to this switch and then unplugs (not Logoff), goes to their desk and plugs in, their port is Err-disabled. I have to shut the port on the conference room and then shut and no shut their port. After that all is well. What can I do to prevent me having to shut the port the conference room unmanaged switch is in?

Thank you,

Kevin Martin

rene u r great!!!wat a explanation…

Try this on the conference room interface.
switchport port-security aging time 300

In 5 minutes, it should reset.


To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds.

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600

Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:

Hi Rene,

It is normal for companies to have an unmanage linksys switches or other brand connected to a Cisco switch, I had this issue on one company I was working because everytime they connect an unmanage switch a lot of users will loose connectivity then I removed bpduguard and configured port-security allowing only 10 mac addresses and we haven’t had that issue. I noticed that bpdguard will bring the port into err-disable. Please advise if this is correct.


Hi Alfredo,

It depends…in a SMB environment, you can encounter anything. I’ve seen Cisco switches with a combination of any other vendor switch. Sometimes users bring their own stuff and connect it to the network.

In larger (enterprise) networks they typically spend some more time at network design and more money on hardware. You won’t see cheap unmanaged switches there…

BPDUguard will put your interface in err-disable if it receives a BPDU on the interface. Some unmanaged switches might still send these so that could cause the interface to go down. Here’s an example btw:

Typically port-security is only used on access interfaces that connect computers, laptops or IP phones. You can set it to 1 MAC address for computers or two if there’s an IP phone with a computer behind it.


Hi Rene,

This sound silly but i want know how you can ping from the IOS command line with a packet tracer instead of the command prompt?.

Hi Peter,

What exactly do you mean? Do you want to use a GUI instead of the command line or something like traceroute?


Hi Rene,

Sorry is a mistake.


Nice & very informative . Keep it up :slight_smile:

Hi Rene

I do not understand what this command (errdisable recovery cause psecure-violation) exactly used for?
Does the switch port recovers itself from err-disabled mode if we set the aging time to say 10 minutes instead of the default 0 minutes.