Monday, December 1, 2025

Port Security & Switch Hardening

 

  • Access vs trunk considerations

  • What happens during violations (and WHY)

  • How to read show port-security and show port-security interface

  • The difference between sticky + static + dynamic secure MACs

And, as always:

FULL THEORY FIRST — NO DRILLS YET.


MODULE 8 — FULL THEORY (Deep Dive)


SECTION 1 — PORT SECURITY BASICS

Port Security is a Layer 2 protection mechanism configured per switch port to control which source MAC addresses, and how many of them, may send frames into that port. The port must be statically set to access mode (or trunk mode, where the platform supports it); IOS rejects the feature on a port whose mode is still being negotiated by DTP (dynamic auto/desirable).

It mitigates:

  • CAM table overflow attacks (a flooder such as macof sends frames from thousands of random source MACs to fill the table and make the switch flood like a hub; a maximum of 1 or 2 stops that at the port)

  • Rogue devices plugging into user ports

  • MAC spoofing, but only partially: the feature matches MAC addresses, so an attacker who clones a permitted MAC is let through. It shrinks the set of usable addresses; it does not authenticate the host.

  • Unauthorized switches or hubs behind a user port (many MACs appearing on one port exceed the maximum)


SECTION 2 — WHAT PORT SECURITY ACTUALLY DOES

When enabled, the port:

  • Learns or stores a list of secure MAC addresses

  • Enforces a maximum number

  • Places the interface into a violation mode if rules are broken

  • Can optionally shut the port down

Secure MACs can be:

Static Secure MACs

Manually configured under the interface
Count toward the maximum
Live in the running config, so they survive a reload only after the config is saved
Example:

switchport port-security mac-address 0011.2233.4455

Dynamic Secure MACs

Learned automatically from the source MAC of incoming frames
Kept only in the MAC address table, never in the running config
Lost on a link flap, a reload, or when the aging timer expires

Sticky Secure MACs

Learned dynamically BUT written to the running config as they are learned
(each one appears as switchport port-security mac-address sticky <mac>)
Persistent only if the running config is saved to startup-config
Enabling sticky converts the port's existing dynamic secure MACs to sticky
Example:

switchport port-security mac-address sticky

SECTION 3 — PORT SECURITY VIOLATION MODES

These are tested a LOT on the CCNA.

1. protect

  • Once the maximum is reached, frames from any unknown source MAC are dropped

  • Frames from the already-secured MACs keep forwarding

  • No syslog message, no SNMP trap

  • Violation counter does not increment

  • Traffic silently discarded; nothing tells you it is happening

Lowest level of security, because there is no visibility. Cisco also advises against protect on trunk ports: there, learning stops for every VLAN as soon as any one VLAN reaches its limit.

2. restrict

  • Drops frames from unknown source MACs

  • Sends a syslog message and an SNMP trap

  • Violation counter increments for each violating frame

  • Port stays up; permitted hosts keep working

Moderate security: the intruder is blocked and you are told about it.

3. shutdown (default)

  • Interface goes into the err-disabled state (port LED off, Port Status = Secure-shutdown)

  • Syslog message and SNMP trap are sent, violation counter increments

  • Must be manually re-enabled (shutdown then no shutdown)
    or recovered automatically via:

errdisable recovery cause psecure-violation
errdisable recovery interval <seconds>

(the recovery interval defaults to 300 seconds)

Highest level of security, and also the easiest to turn into a denial of service: anyone who can plug into the port can knock the legitimate user off it until someone recovers the interface.


SECTION 4 — PORT SECURITY AGING

Commands:

switchport port-security aging time <minutes>
switchport port-security aging type {absolute | inactivity}
switchport port-security aging static

Aging types:

absolute
MAC removed when the timer expires, even if the host is still sending

inactivity
MAC removed only after no traffic has been seen from it for the timer interval

Defaults: aging time 0 (aging disabled), type absolute, static aging disabled. Aging applies to dynamic secure MACs; static MACs age only when aging static is configured, and sticky MACs are not aged on Catalyst platforms.

Exam pitfall:

Because the default type is absolute, setting only aging time <minutes> will drop a host that is still talking. Most enterprise environments that use aging configure inactivity explicitly.


SECTION 5 — COMMON EXAM DEFAULTS

You MUST know these:

  • Port security disabled by default

  • Violation mode = shutdown by default

  • Maximum MAC addresses = 1 by default

  • Sticky learning disabled by default

  • Aging disabled by default (time 0, type absolute)

  • show port-security interface shows the configured violation mode and the live Port Status (Secure-up, Secure-down, Secure-shutdown)

  • Port security is configured only on ports with a static switchport mode (access, or trunk where the platform supports it); a dynamic (DTP) port rejects the command


SECTION 6 — CONFIGURATION BASICS (THEORY ONLY)

Typical config (interface mode):

switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict

Each line has a purpose:

  • mode access → static mode; port security is rejected on a dynamic (DTP) port

  • port-security → turns on the feature

  • maximum 2 → max secure MACs (phone + PC)

  • mac-address sticky → learn MACs dynamically and write them into the running config

  • violation restrict → drops + logs violations, port stays up


SECTION 7 — SHOW COMMANDS — WHAT THEY REVEAL

show port-security

Global table, one row per secure port:

  • Secure Port, MaxSecureAddr (Count), CurrentAddr (Count)

  • SecurityViolation (Count)

  • Security Action (Protect / Restrict / Shutdown)

  • Total Addresses in System and the platform's Max Addresses limit

show port-security interface f0/1

Shows:

  • Port Status (Secure-up; Secure-down when the link is down; Secure-shutdown when err-disabled)

  • Violation Mode

  • Aging Time, Aging Type and whether static aging is enabled

  • Maximum MAC Addresses, plus Total / Configured / Sticky MAC Addresses

  • Last Source Address:Vlan (the last source MAC seen on the port; after a shutdown violation this is the offender)

  • Security Violation Count

show port-security address

Lists every secure MAC with its VLAN, type (SecureConfigured, SecureDynamic, SecureSticky), port and remaining age.

show mac address-table secure

Shows secure MACs only
(Sticky, static, dynamic secure)
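A small parser for the show port-security interface output described above, added here as an example (not part of the original notes). The two outputs it reads are constructed to match the IOS layout, not captured from a device; in practice you would feed it the real output, one interface at a time, and act on the findings it returns.

```python
import re

# Constructed sample, laid out like IOS 'show port-security interface Fa0/1'
# (not captured from a real device): a port err-disabled by a second host.
ERRDISABLED_PORT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : aabb.ccdd.eeff:10
Security Violation Count   : 1
"""

# Constructed sample of a healthy phone+PC port in restrict mode.
HEALTHY_PORT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 30 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 0
"""

INT_FIELDS = {"Aging Time", "Maximum MAC Addresses", "Total MAC Addresses",
              "Configured MAC Addresses", "Sticky MAC Addresses",
              "Security Violation Count"}


def parse_port_security(text: str) -> dict:
    """Turn the 'Key : Value' lines into a dict; counters and minutes become int.
    The separator must have whitespace on both sides so the colon inside the
    key 'Last Source Address:Vlan' is not mistaken for it."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+:\s+(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in INT_FIELDS:
            value = int(value.split()[0])      # "30 mins" -> 30
        info[key] = value
    return info


def assess(info: dict) -> list:
    """Return the operator-relevant findings for one parsed port ([] = fine)."""
    findings = []
    if info.get("Port Security") != "Enabled":
        return ["port security is not enabled on this interface"]
    status = info["Port Status"]
    if status == "Secure-shutdown":
        mac, _, vlan = info["Last Source Address:Vlan"].partition(":")
        findings.append(f"err-disabled (psecure-violation); last source {mac} in VLAN {vlan}")
    elif status == "Secure-down":
        findings.append("secured but link is down")
    if info["Security Violation Count"] and status != "Secure-shutdown":
        findings.append(f"{info['Security Violation Count']} violation(s) logged; "
                        f"port still up because mode is {info['Violation Mode']}")
    if info["Violation Mode"] == "Protect":
        findings.append("protect mode: violations are dropped silently, counter stays 0")
    if info["Aging Time"] and info["Aging Type"] == "Absolute":
        findings.append("absolute aging: a host that is still talking will be aged out")
    if info["Total MAC Addresses"] >= info["Maximum MAC Addresses"]:
        findings.append("secure table full: the next unknown MAC is a violation")
    return findings


if __name__ == "__main__":
    for label, text in (("Fa0/1", ERRDISABLED_PORT), ("Fa0/2", HEALTHY_PORT)):
        for finding in assess(parse_port_security(text)) or ["no findings"]:
            print(f"{label}: {finding}")
```

The "table full" finding is deliberate: a max-1 port with one learned address is working as designed, but it is also the state in which the next stray device triggers the violation, so a helpdesk ticket about a "dead port" usually starts there.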


SECTION 8 — PORT SECURITY + OTHER FEATURES

BPDU Guard

Err-disables a port the moment a BPDU arrives on it. Enabled per interface (spanning-tree bpduguard enable) or globally for all PortFast ports (spanning-tree portfast bpduguard default). Stops a rogue switch from joining STP through a user port.

Root Guard

Applied on designated ports facing switches that must never become root. If a superior BPDU arrives there, the port goes root-inconsistent (blocking) until those BPDUs stop; it does not err-disable.

Loop Guard

Protects against a unidirectional link: if a blocking or root port stops receiving BPDUs, Loop Guard moves it to loop-inconsistent (blocking) instead of letting it transition to forwarding and create a loop.

DHCP Snooping + Port Security

Port security limits which MACs a port may use.
DHCP Snooping blocks rogue DHCP servers on untrusted ports and builds the IP-to-MAC binding table that IPSG and DAI consume.

IP Source Guard (IPSG)

Filters traffic against the DHCP snooping binding table (or static bindings) so a host can only use the IP it was leased; with the port-security option it also checks the source MAC.

Dynamic ARP Inspection (DAI)

Validates ARP packets on untrusted ports against the DHCP snooping bindings and drops spoofed ARP replies. Depends on the same trust boundaries as DHCP snooping.

Together these form Cisco’s Layer 2 security stack.


SECTION 9 — PORT SECURITY VIOLATION FLOW (How It Works)

  1. Host sends a frame

  2. Switch checks the source MAC against the port's secure list

  3. Known secure MAC → forwarded. Unknown MAC with room left under the maximum → learned (dynamic or sticky) and forwarded.

  4. Violation if either:

    • the secure list is already at the maximum and the source MAC is not in it, or

    • the source MAC is already a secure MAC on a different secure port in the same VLAN (a MAC move)

  5. Based on mode:

    • protect → silently drop

    • restrict → log + drop

    • shutdown → err-disable
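The decision flow above, together with the three violation modes from Section 3 and the static/dynamic/sticky distinction from Section 2, as an added example (not code from the original notes): a Python model of one secure port on a single VLAN. The port name Fa0/1, the MAC addresses and the frame sequence are constructed for the illustration; the syslog strings copy the format of the IOS messages for a port-security violation and an err-disable event. The MAC-move case across two ports is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One port-secured interface on a single VLAN (a simplification)."""
    name: str
    maximum: int = 1                 # IOS default: one secure MAC
    violation: str = "shutdown"      # IOS default mode
    sticky: bool = False             # sticky learning is off by default
    static: set = field(default_factory=set)     # configured secure MACs
    learned: dict = field(default_factory=dict)  # mac -> "dynamic" | "sticky"
    status: str = "Secure-up"
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | set(self.learned)

    def receive(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if the port forwards it."""
        if self.status == "Secure-shutdown":
            return False                     # err-disabled: nothing passes
        if src_mac in self.secure_macs():
            return True                      # known secure MAC
        if len(self.secure_macs()) < self.maximum:
            # Room left under the maximum: learn it. Sticky learning also
            # writes the address into the running config (see running_config).
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Table is full and the MAC is unknown: this is a violation.
        if self.violation == "protect":
            return False                     # silent: no log, no counter
        self.violation_count += 1
        self.syslog.append(
            "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"
            self.syslog.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                f"{self.name}, putting {self.name} in err-disable state")
        return False

    def recover(self) -> None:
        """shutdown / no shutdown (or errdisable recovery): the port comes
        back, dynamic secure MACs are forgotten, sticky and static survive."""
        self.learned = {m: t for m, t in self.learned.items() if t == "sticky"}
        self.status = "Secure-up"

    def running_config(self) -> list:
        """Interface lines as they would appear in show running-config
        (ordering is illustrative). Dynamic entries never reach the config."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        lines += [f"switchport port-security mac-address sticky {m}"
                  for m, t in sorted(self.learned.items()) if t == "sticky"]
        return lines


def run_scenario(mode: str, sticky: bool = False) -> dict:
    """Constructed scenario: a max-1 desk port; the legitimate PC talks, then
    a second device (aabb.ccdd.eeff) is plugged in behind it."""
    port = SecurePort("Fa0/1", maximum=1, violation=mode, sticky=sticky)
    frames = ["0011.2233.4455", "0011.2233.4455", "aabb.ccdd.eeff", "0011.2233.4455"]
    forwarded = [port.receive(mac) for mac in frames]
    return {"forwarded": forwarded, "status": port.status,
            "violations": port.violation_count, "syslog": port.syslog,
            "config": port.running_config()}


def recover_scenario(sticky: bool) -> set:
    """Port err-disabled by a second host, then shut/no shut: a sticky MAC is
    kept, a dynamic one is gone and must be re-learned."""
    port = SecurePort("Fa0/2", sticky=sticky)
    for mac in ("0011.2233.4455", "aabb.ccdd.eeff"):
        port.receive(mac)
    port.recover()
    return port.secure_macs()


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        result = run_scenario(mode, sticky=True)
        print(f"{mode:9} forwarded={result['forwarded']} status={result['status']} "
              f"violations={result['violations']}")
        for line in result["syslog"]:
            print("   ", line)
```

Running it shows the three modes side by side: protect and restrict both drop only the third frame and keep the legitimate PC working, but protect leaves the counter at zero and writes nothing, while shutdown drops the fourth frame too because the whole port is now err-disabled.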


SECTION 10 — EXAM PITFALLS

❗ Port security is only configurable on a statically configured port (switchport mode access, or trunk where the platform supports it). A dynamic (DTP) port rejects the command.

❗ Default violation mode = shutdown.

❗ Sticky MACs are written to the running config, not to NVRAM; copy running-config startup-config or they are gone after a reload.

❗ If maximum = 1 and a second device plugs in → violation. The same MAC showing up on two secure ports in one VLAN is also a violation.

❗ “Secure-shutdown” in show port-security interface means err-disabled due to port security; the err-disable cause is psecure-violation.

❗ Port security and DTP do not mix: set switchport mode access and add switchport nonegotiate so the port neither negotiates a trunk nor sends DTP frames.

❗ BPDU Guard + PortFast is the standard pairing on access ports: PortFast skips the listening/learning delay, BPDU Guard err-disables the port if a switch appears behind it.

❗ A native VLAN mismatch or a trunk misconfiguration is detected by CDP and STP, not by port security, and does not err-disable the port under the psecure-violation cause. Do not confuse the two when reading an err-disabled port.


SECTION 11 — REAL-WORLD USE CASES

✔ Office desk ports

  • Max 1

  • Sticky

  • Restrict or Shutdown

✔ IP Phones + PCs (daisy chain)

  • Max 2 (verify with show port-security interface after the phone boots; on some platforms the phone's MAC is counted in both the voice and the data VLAN and needs max 3)

  • Sticky

  • Protect or Restrict depending on environment (shutdown takes the phone down along with the PC)

✔ Printer ports

  • Max 1

  • STATIC MAC

  • Zero tolerance

  • Shutdown mode

✔ Unused ports

  • Administratively down (shutdown)

  • Moved to an unused “parking” VLAN

  • Port security + BPDU Guard + Disabled DTP, so the port is still hardened the day someone no-shuts it
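The use cases above and the typical config from Section 6, turned into an audit, as an added example (not code from the original notes): a Python script that splits an IOS running-config into interface blocks and checks each access-facing port against the practices listed here. The running-config excerpt, interface names and VLAN numbers are constructed for the illustration; trunk ports and administratively shut ports are skipped on purpose.

```python
import re

# Constructed running-config excerpt (not from a real switch): one hardened
# desk port, a phone+PC port with two gaps, a printer port left at defaults,
# an uplink, and a parked unused port.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description DESK-101
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description PHONE+PC
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description PRINTER
 switchport access vlan 30
!
interface GigabitEthernet1/0/24
 description UPLINK
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 description UNUSED
 switchport access vlan 999
 switchport mode access
 shutdown
!
"""


def parse_config(config: str):
    """Split an IOS config into (global lines, {interface name: [sub-lines]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks


def audit_interface(lines: list, global_bpduguard: bool) -> list:
    """Findings for one interface; [] means it passes or is out of scope."""
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    if has("switchport mode trunk") or "shutdown" in lines:
        return []   # uplinks are out of scope; admin-down ports are already parked
    findings = []
    if not has("switchport mode access"):
        findings.append("no static access mode: port is dynamic (DTP), port security cannot be enabled")
    if "switchport port-security" not in lines:     # the enable line itself
        findings.append("port security not enabled")
    else:
        maximum = 1                                   # IOS default
        for l in lines:
            m = re.match(r"switchport port-security maximum (\d+)", l)
            if m:
                maximum = int(m.group(1))
        if has("switchport voice vlan") and maximum < 2:
            findings.append(f"voice VLAN present but maximum is {maximum}: phone + PC need at least 2")
        if has("switchport port-security violation protect"):
            findings.append("protect mode: violations are silent")
        if not has("switchport port-security mac-address"):
            findings.append("only dynamic secure MACs: nothing survives a reload")
    portfast = any(l.startswith("spanning-tree portfast") and not l.endswith("disable")
                   for l in lines)
    if not (has("spanning-tree bpduguard enable") or (global_bpduguard and portfast)):
        findings.append("BPDU Guard not in effect")
    if not has("switchport nonegotiate"):
        findings.append("DTP still active: add switchport nonegotiate")
    return findings


def audit(config: str) -> dict:
    globals_, blocks = parse_config(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in globals_
    return {name: audit_interface(lines, global_bpduguard) for name, lines in blocks.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The BPDU Guard check accepts either the per-interface command or the global PortFast default, but only when the port actually has PortFast, since the global form does nothing for a port without it.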
