Here are the steps to set up port security, which limits switch port access to a finite number of end devices and, optionally, to a specific set of end-device MAC addresses.
Caveats to Port Security Configuration Steps
Step 1: Port security is enabled on a port-by-port basis.
Step 2: By default, only one MAC address is allowed access through a given switch port when port security is enabled. This parameter increases that number. It implies no restriction to specific MAC addresses, only a limit on the total number of addresses the port can learn. Learned addresses are not aged out by default, but aging can be configured to occur after a specified time. The value parameter can be any number from 1 to 1024, with some restrictions related to the number of ports on a given switch that have port security enabled.
Step 3: Access to the switch port can be restricted to one or more specific MAC addresses. If the number of specific MAC addresses assigned with this command is lower than the value parameter set in Step 2, the remaining allowed addresses can be learned dynamically. If the number of specified MAC addresses equals the maximum allowed, access is limited to only that set of MAC addresses.
Step 4: By default, if the maximum number of connections has been reached and a new MAC address attempts to access the port, the switch must take an action. The port may take one of the following actions:
- protect: frames from the non-allowed address are dropped, but there is no log of the violation. NOTE: The protect argument is platform/version dependent.
- restrict: frames from the non-allowed address are dropped and a log message is created.
- shutdown: if any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, and manual intervention or errdisable recovery must be used to make the interface usable again.
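As an added example (not part of the original page), a small Python helper that emits the interface stanza for one port and checks the caveats from Steps 1 to 4 before doing so. The `switchport port-security` commands are the standard Cisco IOS interface commands; the `switchport mode access` line is included because IOS refuses to enable port security on a port in dynamic mode; the interface name and MAC addresses are constructed sample values.

```python
import re

VIOLATION_MODES = ("protect", "restrict", "shutdown")  # Step 4 actions

def cisco_mac(mac):
    """Normalize 00:11:22:aa:bb:cc, 00-11-22-aa-bb-cc or 0011.22aa.bbcc to IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def caveat_violations(maximum, static_macs, violation):
    """Return the caveats (Steps 2-4) that the requested settings would break."""
    problems = []
    if not 1 <= maximum <= 1024:                       # Step 2: allowed range
        problems.append("maximum must be between 1 and 1024")
    if violation not in VIOLATION_MODES:               # Step 4: known actions only
        problems.append(f"violation must be one of {VIOLATION_MODES}")
    macs = [cisco_mac(m) for m in static_macs]
    if len(set(macs)) != len(macs):
        problems.append("duplicate static MAC address")
    if len(macs) > maximum:                            # Step 3: static set <= maximum
        problems.append("more static MAC addresses than the maximum allows")
    return problems

def dynamic_slots(maximum, static_macs):
    """Step 3: how many addresses the port may still learn dynamically."""
    return max(0, maximum - len(set(cisco_mac(m) for m in static_macs)))

def port_security_config(interface, maximum=1, static_macs=(), violation="shutdown", aging_minutes=None):
    """Emit the interface stanza for a single port (Step 1: one port at a time)."""
    problems = caveat_violations(maximum, static_macs, violation)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"interface {interface}",
        " switchport mode access",  # IOS rejects port security on a dynamic-mode port
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",
    ]
    lines += [f" switchport port-security mac-address {cisco_mac(m)}" for m in static_macs]
    if aging_minutes is not None:  # Step 2: learned addresses age out only when configured
        lines.append(f" switchport port-security aging time {aging_minutes}")
    return lines

if __name__ == "__main__":
    # Constructed sample: two devices allowed, one pinned statically, the other learned.
    print("\n".join(port_security_config("FastEthernet5/1", maximum=2,
          static_macs=["00:11:22:AA:BB:CC"], violation="restrict", aging_minutes=60)))
```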
Verifying Network Access Security
The show port-security command can be used to verify the ports on which port security has been enabled. It also displays count information and the security action to be taken per interface.
The full command syntax is as follows:
Switch#show port-security [interface interface_id] address
Arguments are provided to view port-security status by interface or to view the addresses associated with port security on all interfaces.
Example: show port-security Command Output
[Figure: output from the show port-security command when you do not enter an interface]
Switch#show port-security
Example: show port-security Command for a Specific Interface
[Figure: output from the show port-security command for a specified interface]
Switch#show port-security interface fastethernet 5/1
Use the address argument to display MAC address table security information. The remaining age column is only populated if aging has been specifically configured for a given interface.

Example: Displaying MAC Address Table Security Information
[Figure: output from the show port-security address privileged EXEC command]
Switch#show port-security address