Quiz Entry - updated: 2026.07.14
What is port security, and what must be true about a port before you can enable it?
Port security limits the number of valid MAC (Media Access Control) addresses allowed on a switch port. The port must be manually configured as an access port or trunk — port security cannot be enabled on a dynamic (default) port.
What port security does:
- Limits the number of source MAC addresses that can be learned on a port
- When a frame arrives, the source MAC is compared against the list of allowed (secure) MACs
- If the MAC is not in the list and the maximum has been reached → violation occurs
Prerequisite — the port cannot be dynamic:
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access ! Must set access mode first!
S1(config-if)# switchport port-security ! Now it works
Default port security settings after enabling:
| Setting | Default Value |
|---|---|
| Port Security | Disabled (must enable manually) |
| Maximum MAC addresses | 1 |
| Violation mode | Shutdown |
| Aging time | 0 minutes (never age out) |
| Sticky learning | Disabled |
Key insight: With defaults, enabling port security on a port means: only one MAC address is allowed, and if a second device connects, the port shuts down. This is already quite restrictive but effective.
Go deeper:
MAC flooding (Wikipedia) — the CAM-overflow attack port security exists to stop.
Switchport Port-Security (NetworkAcademy.IO) — concept-to-config overview tying learning and violation modes together.