How to configure port-security on Cisco Switch

Hello Roger Hugues,

The article specifically mentions a “cheap” switch; you can understand it as a “dumb switch”.

  • Dumb switches are unmanaged and do not support features like STP.
  • A dumb switch does not generate any traffic by itself, because it has no features to do so. Therefore the “smart” switch cannot learn the switchport MAC address of this dumb (“shadow”) switch. (Switches learn MAC addresses from the “Source MAC Address” field of Ethernet frames.)

That is right, the default values are:

  • max 1 mac address
  • violation shutdown

You can check this by yourself.

Switch2(config)# interface g1/1
Switch2(config-if)# switchport port-security

These values are not shown in the running-config, because default values are never shown in the running-config.

Switch2(config-if)# do show run interface g1/1
Building configuration...

Current configuration : 121 bytes
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 media-type rj45
 negotiation auto
end

But you can verify them by using “show port-security”.

Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Or be more specific:

Switch2(config-if)# do show port-security interface g1/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

The rest of your post is also correct. If you negate “switchport port-security maximum 5” and “switchport port-security violation restrict” with a “no” statement in front, then it goes back to its defaults (1, shutdown).

Switch2(config-if)# switchport port-security maximum 5
Switch2(config-if)# switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              5            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Negate the previous commands.

Switch2(config-if)# no switchport port-security maximum 5
Switch2(config-if)# no switchport port-security violation restrict
Switch2(config-if)# do show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
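Because the defaults (maximum 1, violation shutdown) never show up in the running-config, an audit of port-security settings has to read “show port-security” output rather than the configuration. The following is an added example, not code from the original post: a small Python parser for the summary table and the per-interface output shown above, plus a check that flags ports deviating from a policy. The sample output is constructed in the format of the post, and the policy thresholds (maximum 1, action Shutdown) are assumptions for illustration.

```python
"""Audit Cisco 'show port-security' output for non-default settings.

Added example, not part of the original forum post. The sample output is
constructed in the format shown in the post; the policy values are assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample of the summary table: one port left at the defaults,
# two ports deliberately changed, one with recorded violations.
SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              1            0                  0         Shutdown
      Gi1/2              5            3                  0         Restrict
      Gi1/3              1            1                 12          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 4
Max Addresses limit in System (excluding one mac per port) : 4096
"""

# Constructed sample of 'show port-security interface <port>' output.
SAMPLE_INTERFACE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 3
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# A data row: port name, three integer counters, then the action keyword.
# Header, "(Count)" and dashed lines do not match because the second field
# must be numeric.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)

# Key/value line of the per-interface output. The key is matched lazily and
# must be followed by whitespace before the colon, so a key such as
# "Last Source Address:Vlan" is kept whole.
KV_RE = re.compile(r"^(?P<key>.+?)\s+:\s(?P<val>.*)$")


@dataclass
class SecurePort:
    name: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


def parse_summary(text):
    """Return one SecurePort per data row of the 'show port-security' table."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports.append(SecurePort(m.group("port"), int(m.group("max")),
                                    int(m.group("cur")), int(m.group("viol")),
                                    m.group("action")))
    return ports


def parse_interface(text):
    """Return the per-interface output as a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def audit(ports, max_allowed=1, required_action="Shutdown"):
    """Return (port, finding) pairs for ports that deviate from the assumed
    policy or that have recorded violations."""
    findings = []
    for p in ports:
        if p.max_addr > max_allowed:
            findings.append((p.name, f"maximum {p.max_addr} exceeds policy {max_allowed}"))
        if p.action != required_action:
            findings.append((p.name, f"violation mode {p.action} instead of {required_action}"))
        if p.violations > 0:
            findings.append((p.name, f"{p.violations} security violation(s) recorded"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_summary(SAMPLE_SUMMARY)):
        print(f"{port}: {finding}")
    print(parse_interface(SAMPLE_INTERFACE)["Violation Mode"])
```

Feeding the output of “show port-security” from several switches through parse_summary and audit gives a quick list of ports where someone raised the maximum or relaxed the violation mode, which the running-config alone would not reveal when the values were later negated back to defaults.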