{"id":169476,"date":"2026-06-22T15:10:26","date_gmt":"2026-06-22T12:10:26","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=169476"},"modified":"2026-06-22T15:10:26","modified_gmt":"2026-06-22T12:10:26","slug":"cisco-port-security-configuration","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/cisco-port-security-configuration\/","title":{"rendered":"Cisco Port Security: Configure Sticky MACs and Violations"},"content":{"rendered":"<p>A switch port with nothing plugged into it is still a live network jack. Anyone who can reach it, a visitor in a meeting room, a contractor at an empty desk, can connect a laptop or a small unmanaged <a href=\"https:\/\/computingforgeeks.com\/network-devices-routers-switches-firewalls-explained\/\">switch<\/a> and land directly on your LAN. Cisco port security is the Layer 2 control that closes that door. It ties an access port to the specific MAC addresses allowed to use it, and shuts the port down the moment an unexpected device appears.<\/p>\n\n<p>This guide configures port security on a real switch, learns a host MAC with sticky learning, then plugs a different device into the same jack to trip a genuine violation. Every <code>show port-security<\/code> output and the err-disabled state below came off a live Cisco IOS switch, not a textbook.<\/p>\n\n<p><em>Built and broke this on a Cisco IOS 15.2 switch in June 2026.<\/em><\/p>\n\n<h2>How port security works<\/h2>\n\n<p>Port security runs per access port. You tell the switch how many MAC addresses the port may use (the maximum), which addresses count as secure, and what to do when a frame arrives from any other address. Until the limit is reached the switch learns and forwards normally. 
Once it is reached, any new source MAC is a violation.<\/p>\n\n<p>A secure MAC address gets onto the port in one of three ways, and the difference is where the address is stored.<\/p>\n\n<ul>\n<li><strong>Static<\/strong>: you type the address into the config with <code>switchport port-security mac-address H.H.H<\/code>. It lives in the running-config and survives a reboot once saved.<\/li>\n<li><strong>Dynamic<\/strong>: the switch learns it from traffic and keeps it in the address table only. It is lost on reload or when the port goes down, so you start over each time.<\/li>\n<li><strong>Sticky<\/strong>: the switch learns it dynamically but writes it into the running-config, so it behaves like a static entry without you typing each MAC. Save the config and it persists. This is the usual choice for an access port with one known device.<\/li>\n<\/ul>\n\n<p>The maximum defaults to one. For a desk where an IP phone passes through to a PC you raise it to two or three, but for a single workstation the default of one is exactly what you want.<\/p>\n\n<h2>Violation modes<\/h2>\n\n<p>When traffic from an unauthorized MAC hits a secured port, the violation mode decides the response. 
There are three, and they differ in whether the port keeps forwarding and whether you ever hear about it.<\/p>\n\n<table>\n<thead><tr><th>Mode<\/th><th>Drops bad traffic<\/th><th>Syslog \/ SNMP<\/th><th>Violation counter<\/th><th>Port state<\/th><\/tr><\/thead>\n<tbody>\n<tr><td><strong>protect<\/strong><\/td><td>Yes<\/td><td>No<\/td><td>Does not increment<\/td><td>Stays up, silent<\/td><\/tr>\n<tr><td><strong>restrict<\/strong><\/td><td>Yes<\/td><td>Yes<\/td><td>Increments<\/td><td>Stays up, logged<\/td><\/tr>\n<tr><td><strong>shutdown<\/strong> (default)<\/td><td>Yes<\/td><td>Yes<\/td><td>Increments<\/td><td>err-disabled, port down<\/td><\/tr>\n<\/tbody>\n<\/table>\n\n<p>Shutdown is the default and the safest stance: a violated port stops passing any traffic until an administrator looks at it, so an attacker gains nothing and you get a log entry. Restrict is for ports where downtime is costly but you still want the alert. Protect is rarely the right call, because it hides the event entirely.<\/p>\n\n<h2>The lab topology<\/h2>\n\n<p>The lab is one switch and one host. SW1 has an access port, Gi0\/1, in a <a href=\"https:\/\/computingforgeeks.com\/cisco-vlans-configuration-guide\/\">VLAN<\/a> with a switched virtual interface at 192.168.10.1 so the host has something to ping. Port security on Gi0\/1 allows a single sticky MAC. 
The authorized PC learns its place on the port; an unknown laptop on the same jack is what trips the violation.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1340\" height=\"700\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-topo.png\" alt=\"Topology of Cisco port security on SW1 Gi0\/1: authorized sticky MAC forwarded, unknown MAC trips a violation and err-disables the port\" class=\"wp-image-169472\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-topo.png 1340w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-topo-300x157.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-topo-1024x535.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-topo-768x401.png 768w\" sizes=\"auto, (max-width: 1340px) 100vw, 1340px\" \/><\/figure>\n\n\n<p>The same two nodes built in GNS3, where the configuration below was applied and tested on real Cisco IOS:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1040\" height=\"520\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-gns3.png\" alt=\"GNS3 canvas showing PC1 connected to SW1 Gi0\/1 for the Cisco port security lab\" class=\"wp-image-169473\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-gns3.png 1040w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-gns3-300x150.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-gns3-1024x512.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/port-security-gns3-768x384.png 768w\" sizes=\"auto, (max-width: 1040px) 100vw, 1040px\" \/><\/figure>\n\n\n<p>With the host wired to Gi0\/1, secure the port.<\/p>\n\n<h2>Configure 
port security on an access port<\/h2>\n\n<p>Port security only applies to a port that is statically an access or trunk port, never one left on dynamic (auto) negotiation. Set the mode first, then enable port security and pick sticky learning with a shutdown response:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>interface GigabitEthernet0\/1\n switchport mode access\n switchport port-security\n switchport port-security maximum 1\n switchport port-security mac-address sticky\n switchport port-security violation shutdown\n exit<\/code><\/pre>\n\n\n<p>The <code>maximum 1<\/code> and <code>violation shutdown<\/code> lines are written out here for clarity, but both match the IOS defaults, so the switch will not actually store them in the running-config. The first frame the port sees is learned as the sticky secure address, and from then on it is the only MAC allowed.<\/p>\n\n<h2>Verify the secure port<\/h2>\n\n<p>After the host sends its first frame, <code>show port-security interface<\/code> is the command that tells you everything: whether the port is secure and up, how it will react to a violation, the maximum, and how many addresses it has learned.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1104\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky.png\" alt=\"Cisco IOS show port-security interface output: Secure-up, one sticky MAC 0050.7966.6801 learned on Gi0\/1, zero violations\" class=\"wp-image-169474\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky.png 2560w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky-300x129.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky-1024x442.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky-768x331.png 768w, 
https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky-1536x662.png 1536w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-sticky-2048x883.png 2048w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/figure>\n\n\n<p>The port status is Secure-up, one sticky MAC has been learned, and the violation count is zero. The <code>show port-security address<\/code> table confirms the learned address is type SecureSticky on Gi0\/1. The proof that sticky did its job is in the running-config, where the switch has written the learned MAC as a permanent line:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>interface GigabitEthernet0\/1\n switchport mode access\n switchport port-security mac-address sticky\n switchport port-security mac-address sticky 0050.7966.6801\n switchport port-security<\/code><\/pre>\n\n\n<p>That second sticky line was not typed by hand. The switch learned 0050.7966.6801 from the host and saved it. Run <code>write memory<\/code> and the address survives a reload, so the legitimate device keeps its port and nothing else can take it.<\/p>\n\n<h2>Trigger and confirm a violation<\/h2>\n\n<p>Now the real test. The authorized MAC is locked to Gi0\/1, so we unplug that host and connect a different laptop to the same jack. Its MAC, 0050.7966.68ff, is not the secure address, and the maximum of one is already used. 
The instant it sends a frame, the switch acts:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"920\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation.png\" alt=\"Cisco IOS show port-security interface after a violation: Secure-shutdown, last source 0050.7966.68ff, violation count 1, port err-disabled\" class=\"wp-image-169475\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation.png 2560w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation-300x108.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation-1024x368.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation-768x276.png 768w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation-1536x552.png 1536w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-ps-violation-2048x736.png 2048w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/figure>\n\n\n<p>The port status flips to Secure-shutdown, the violation counter reads 1, and the last source address is the intruder&#8217;s MAC, caught and recorded. The companion <code>show interface status<\/code> shows the port as err-disabled, which is IOS for &#8220;shut down by a protection feature, not by an administrator&#8221;. The laptop&#8217;s ping to the gateway returns nothing, a clean zero percent success rate, because the port stopped forwarding the moment the violation fired.<\/p>\n\n<h2>Recover an err-disabled port<\/h2>\n\n<p>An err-disabled port does not come back on its own by default. Bouncing it with shutdown then no shutdown re-enables it, but clear the cause first, reconnect the authorized device or remove the offending one. 
Skip that and the port comes straight back up and violates again on the very next frame:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>interface GigabitEthernet0\/1\n shutdown\n no shutdown\n exit<\/code><\/pre>\n\n\n<p>If you would rather the switch recover ports automatically after a cool-off period, enable error-disable recovery for the port-security cause and set an interval, anything from 30 to 86400 seconds. The recovery interval is a separate global command from the cause, and on a fresh switch recovery is disabled for every cause:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>errdisable recovery cause psecure-violation\nerrdisable recovery interval 300<\/code><\/pre>\n\n\n<p>With that set, the switch re-enables the port 300 seconds after a violation. Use it with care. If the unauthorized device is still attached, the port will violate, recover, and violate again on a loop, so automatic recovery is a convenience for transient mistakes, not a substitute for fixing the real cause.<\/p>\n\n<h2>Practice Cisco port security<\/h2>\n\n<p>Run the questions to lock in the secure MAC types, the three violation modes, and how to read a violated port, then use the flashcards for quick recall.<\/p>\n\n<div class=\"cfg-quiz\" data-quiz=\"{\n  &quot;id&quot;: &quot;port-security&quot;,\n  &quot;title&quot;: &quot;Cisco port security quiz&quot;,\n  &quot;objective&quot;: &quot;Configure and verify port security (5.7)&quot;,\n  &quot;intro&quot;: &quot;Ten questions on Cisco port security: secure MAC types, the default maximum, the three violation modes, the err-disabled state, and recovery. 
Each answer has a written explanation.&quot;,\n  &quot;questions&quot;: [\n    {&quot;q&quot;: &quot;Port security identifies a device by which field in incoming frames?&quot;, &quot;options&quot;: [&quot;Source IP address&quot;, &quot;Source MAC address&quot;, &quot;Destination MAC address&quot;, &quot;VLAN ID&quot;], &quot;answer&quot;: 1, &quot;explanation&quot;: &quot;Port security is a Layer 2 control that ties a port to specific source MAC addresses. Because it matches on MAC, a spoofed MAC can defeat it, which is why it is one layer and not the whole defense.&quot;, &quot;validated&quot;: &quot;doc&quot;},\n    {&quot;type&quot;: &quot;numeric&quot;, &quot;q&quot;: &quot;By default, how many secure MAC addresses does a port-security-enabled port allow? Type the number.&quot;, &quot;answer&quot;: &quot;1&quot;, &quot;hint&quot;: &quot;IOS does not even print this line in the running-config, because it is the default.&quot;, &quot;placeholder&quot;: &quot;e.g. 2&quot;, &quot;explanation&quot;: &quot;The default maximum is 1. Raise it to 2 or 3 for a desk where an IP phone passes through to a PC, but a single workstation needs only the default.&quot;, &quot;validated&quot;: &quot;lab&quot;},\n    {&quot;q&quot;: &quot;What is the default port security violation mode?&quot;, &quot;options&quot;: [&quot;protect&quot;, &quot;restrict&quot;, &quot;shutdown&quot;, &quot;disable&quot;], &quot;answer&quot;: 2, &quot;explanation&quot;: &quot;Shutdown is the default. 
On a violation the port is err-disabled and stops forwarding until an administrator recovers it, so an attacker gains nothing and you get a log entry.&quot;, &quot;validated&quot;: &quot;lab&quot;},\n    {&quot;q&quot;: &quot;What does a sticky secure MAC address do?&quot;, &quot;options&quot;: [&quot;It is typed in by hand and never changes&quot;, &quot;It is learned dynamically and written into the running-config&quot;, &quot;It is learned dynamically and lost on every reload&quot;, &quot;It blocks every MAC address on the port&quot;], &quot;answer&quot;: 1, &quot;explanation&quot;: &quot;Sticky learning takes the dynamically learned MAC and writes it into the running-config as a secure address. Save the config and it persists across reloads, giving you static behavior without typing each MAC.&quot;, &quot;validated&quot;: &quot;lab&quot;},\n    {&quot;q&quot;: &quot;How does a dynamic secure MAC differ from a sticky one?&quot;, &quot;options&quot;: [&quot;A dynamic entry is saved to the config, sticky is not&quot;, &quot;A dynamic entry is lost on reload or link-down, sticky is written to the running-config&quot;, &quot;They are identical in every way&quot;, &quot;Dynamic entries never age out&quot;], &quot;answer&quot;: 1, &quot;explanation&quot;: &quot;A dynamic secure MAC lives only in the address table and is lost on reload or when the port goes down. A sticky MAC is written into the running-config, so it survives once you save.&quot;, &quot;validated&quot;: &quot;doc&quot;},\n    {&quot;q&quot;: &quot;Which violation mode drops offending traffic but sends no log, no SNMP trap, and does not increment the violation counter?&quot;, &quot;options&quot;: [&quot;protect&quot;, &quot;restrict&quot;, &quot;shutdown&quot;, &quot;shutdown vlan&quot;], &quot;answer&quot;: 0, &quot;explanation&quot;: &quot;Protect silently drops frames from unauthorized MACs and tells you nothing. Restrict drops and logs, shutdown err-disables and logs. 
Protect is rarely the right choice because it hides the event.&quot;, &quot;validated&quot;: &quot;doc&quot;},\n    {&quot;type&quot;: &quot;multi&quot;, &quot;q&quot;: &quot;Which statements about the default shutdown violation mode are correct? Select all that apply.&quot;, &quot;options&quot;: [&quot;The port is placed in the err-disabled state&quot;, &quot;The violation counter increments&quot;, &quot;A syslog message and SNMP trap are sent&quot;, &quot;The violating frame is forwarded to its destination&quot;], &quot;answers&quot;: [0, 1, 2], &quot;explanation&quot;: &quot;Shutdown err-disables the port, increments the violation counter, and sends a syslog message and SNMP trap. The violating frame is dropped, never forwarded.&quot;, &quot;validated&quot;: &quot;lab&quot;},\n    {&quot;q&quot;: &quot;An access port has been err-disabled by a port security violation. What is the correct way to bring it back?&quot;, &quot;options&quot;: [&quot;Reload the entire switch&quot;, &quot;Remove the offending device, then shutdown and no shutdown the port&quot;, &quot;Delete the VLAN and recreate it&quot;, &quot;Disable port security globally&quot;], &quot;answer&quot;: 1, &quot;explanation&quot;: &quot;An err-disabled port does not recover on its own by default. 
Fix the cause first, then bounce the port with shutdown followed by no shutdown, or enable errdisable recovery for the psecure-violation cause.&quot;, &quot;validated&quot;: &quot;lab&quot;},\n    {&quot;type&quot;: &quot;match&quot;, &quot;q&quot;: &quot;Match each violation mode to its behavior.&quot;, &quot;pairs&quot;: [{&quot;left&quot;: &quot;protect&quot;, &quot;right&quot;: &quot;Drops bad traffic silently, port stays up&quot;}, {&quot;left&quot;: &quot;restrict&quot;, &quot;right&quot;: &quot;Drops bad traffic and logs it, port stays up&quot;}, {&quot;left&quot;: &quot;shutdown&quot;, &quot;right&quot;: &quot;Err-disables the port&quot;}], &quot;explanation&quot;: &quot;Protect drops silently, restrict drops and logs while keeping the port up, and shutdown (the default) err-disables the port entirely.&quot;, &quot;validated&quot;: &quot;doc&quot;},\n    {&quot;type&quot;: &quot;multi&quot;, &quot;q&quot;: &quot;On which interfaces is port security appropriate? Select all that apply.&quot;, &quot;options&quot;: [&quot;An access port connected to a single workstation&quot;, &quot;A trunk uplink to another switch&quot;, &quot;An access port to an IP phone and PC with maximum 2&quot;, &quot;A routed port between two routers&quot;], &quot;answers&quot;: [0, 2], &quot;explanation&quot;: &quot;Port security belongs on access ports facing end devices. 
On a trunk or uplink many MAC addresses are normal and a violation would black-hole the link, and it does not apply to routed (Layer 3) ports at all.&quot;, &quot;validated&quot;: &quot;doc&quot;}\n  ]\n}\n\" data-quiz-count=\"10\"><div class=\"cfg-quiz-loading\">Loading quiz...<\/div><\/div>\n\n\n<p>Flip through the deck until sticky versus static, the default maximum, and err-disable recovery are automatic, or grab the Anki pack to review them anywhere:<\/p>\n\n<div class=\"cfg-fc\" data-fc=\"{\n  &quot;id&quot;: &quot;port-security&quot;,\n  &quot;title&quot;: &quot;Cisco Port Security Flashcards&quot;,\n  &quot;objective&quot;: &quot;Configure and verify port security (5.7)&quot;,\n  &quot;intro&quot;: &quot;The port security facts worth knowing cold: secure MAC types, the default maximum and violation mode, the three modes, the err-disabled state, recovery, and where the feature belongs. Tap a card to flip it, then mark whether you knew it.&quot;,\n  &quot;cards&quot;: [\n    {&quot;front&quot;: &quot;What does port security do?&quot;, &quot;back&quot;: &quot;It ties an access port to specific source MAC addresses and reacts when an unexpected MAC appears. A Layer 2 control that stops an unknown device from using a wall jack.&quot;},\n    {&quot;front&quot;: &quot;The three secure MAC types&quot;, &quot;back&quot;: &quot;Static (typed in, saved to config), dynamic (learned, kept in the address table only, lost on reload), and sticky (learned dynamically but written into the running-config).&quot;},\n    {&quot;front&quot;: &quot;What is sticky learning?&quot;, &quot;back&quot;: &quot;The switch learns a MAC from traffic and writes it into the running-config as a secure address (switchport port-security mac-address sticky H.H.H). Save the config and it persists across reloads.&quot;},\n    {&quot;front&quot;: &quot;Default maximum secure MACs per port&quot;, &quot;back&quot;: &quot;1. 
IOS does not print the maximum line in the running-config because it matches the default. Raise it (for example to 2) for a phone-plus-PC desk.&quot;},\n    {&quot;front&quot;: &quot;Default violation mode&quot;, &quot;back&quot;: &quot;shutdown. A violation err-disables the port, increments the counter, and sends a syslog message and SNMP trap.&quot;},\n    {&quot;front&quot;: &quot;Violation mode: protect&quot;, &quot;back&quot;: &quot;Drops traffic from unauthorized MACs silently. No syslog, no SNMP trap, the violation counter does not increment, and the port stays up. Rarely the right choice because it hides the event.&quot;},\n    {&quot;front&quot;: &quot;Violation mode: restrict&quot;, &quot;back&quot;: &quot;Drops the offending traffic but sends a syslog message and SNMP trap and increments the violation counter. The port stays up. Use it when downtime is costly but you still want the alert.&quot;},\n    {&quot;front&quot;: &quot;Violation mode: shutdown&quot;, &quot;back&quot;: &quot;The default. Err-disables the port (it stops forwarding all traffic), increments the counter, and logs the event. Safest stance: the attacker gains nothing.&quot;},\n    {&quot;front&quot;: &quot;What is the err-disabled state?&quot;, &quot;back&quot;: &quot;A port shut down by a protection feature, not by an administrator. show interface status shows err-disabled, and the port forwards nothing until it is recovered.&quot;},\n    {&quot;front&quot;: &quot;Recover an err-disabled port manually&quot;, &quot;back&quot;: &quot;Remove the cause (reconnect the authorized device or clear the offending one), then shutdown and no shutdown the interface.&quot;},\n    {&quot;front&quot;: &quot;Automatic err-disable recovery&quot;, &quot;back&quot;: &quot;errdisable recovery cause psecure-violation plus errdisable recovery interval &lt;seconds&gt;. The switch re-enables the port after the interval. 
Disabled by default for every cause.&quot;},\n    {&quot;front&quot;: &quot;Which command shows port security status?&quot;, &quot;back&quot;: &quot;show port-security interface &lt;id&gt; shows status, mode, maximum, and violation count. show port-security address lists the secure MACs. show port-security gives the per-port summary.&quot;},\n    {&quot;front&quot;: &quot;Where should port security NOT be enabled?&quot;, &quot;back&quot;: &quot;On trunks and uplinks to other switches, where many MAC addresses are normal. A violation there would black-hole the link. It also does not apply to routed (Layer 3) ports.&quot;},\n    {&quot;front&quot;: &quot;Prerequisite before enabling port security&quot;, &quot;back&quot;: &quot;The port must be a static access or trunk port (switchport mode access or trunk). It will not work on a port left in dynamic (auto) negotiation.&quot;},\n    {&quot;front&quot;: &quot;What port security does NOT stop&quot;, &quot;back&quot;: &quot;MAC spoofing (a cloned allowed MAC slides past), rogue DHCP servers, and ARP spoofing. Those need DHCP snooping and dynamic ARP inspection.&quot;},\n    {&quot;front&quot;: &quot;Reading a violated port&quot;, &quot;back&quot;: &quot;show port-security interface shows Port Status Secure-shutdown, a Security Violation Count above zero, and the Last Source Address, which is the MAC that tripped it.&quot;}\n  ]\n}\n\" data-fc-anki=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/ccna-port-security-flashcards.apkg\"><div class=\"cfg-fc-loading\">Loading flashcards...<\/div><\/div>\n\n\n<h2>What port security does not protect against<\/h2>\n\n<p>Port security is a strong first layer, but it is exactly that, one layer. It matches on source MAC, and a MAC address is easy to spoof, so a determined attacker who learns the allowed address can clone it and slide past. It also belongs only on access ports facing end devices. 
Never put it on a trunk or an uplink to another switch, where many MAC addresses are normal and a violation would black-hole the link.<\/p>\n\n<p>The Layer 2 attacks port security cannot see, a rogue DHCP server handing out a false gateway or an ARP spoofer poisoning the segment, are stopped by the next two features in the same toolkit: <a href=\"https:\/\/computingforgeeks.com\/cisco-dhcp-snooping-configuration\/\">DHCP snooping<\/a> and <a href=\"https:\/\/computingforgeeks.com\/cisco-dynamic-arp-inspection-configuration\/\">dynamic ARP inspection<\/a>. Together with the <a href=\"https:\/\/computingforgeeks.com\/cisco-access-control-lists-configuration\/\">access control lists<\/a> that filter at Layer 3 and the wider <a href=\"https:\/\/computingforgeeks.com\/network-security-concepts-explained\/\">network security concepts<\/a> behind them, they form the defense in depth a switched network needs. The <a href=\"https:\/\/computingforgeeks.com\/quickly-prepare-for-ccna-200-301-exam\/\">CCNA 200-301 study roadmap<\/a> lays out where each of these pieces fits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A switch port with nothing plugged into it is still a live network jack. Anyone who can reach it, a visitor in a meeting room, a contractor at an empty desk, can connect a laptop or a small unmanaged switch and land directly on your LAN. 
Cisco port security is the Layer 2 control that &#8230; <a title=\"Cisco Port Security: Configure Sticky MACs and Violations\" class=\"read-more\" href=\"https:\/\/computingforgeeks.com\/cisco-port-security-configuration\/\" aria-label=\"Read more about Cisco Port Security: Configure Sticky MACs and Violations\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":169477,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[299,55],"tags":[524,525],"cfg_series":[39888],"class_list":["post-169476","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-networking","tag-ccna","tag-cisco","cfg_series-ccna-200-301"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/169476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=169476"}],"version-history":[{"count":1,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/169476\/revisions"}],"predecessor-version":[{"id":169489,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/169476\/revisions\/169489"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/169477"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=169476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=169476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=169476"},{"taxonomy":"cfg_se
ries","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/cfg_series?post=169476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}