Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.7.2. Port Security

The Attack (MAC Flooding): Every switch has a limited MAC address table (CAM table). An attacker can flood the switch with thousands of fake MAC addresses, filling the table. When the table is full, the switch can't learn new addresses—and it falls back to flooding all unknown unicast traffic out every port. Your switch becomes a hub, and the attacker sees everyone's traffic.

Also a concern: Unauthorized devices. Someone plugs in a personal laptop, or a rogue access point, or a network tap. Port security lets you control what devices can connect to each port.

The Defense (Port Security): Port Security limits how many MAC addresses can be learned on a port, and what happens when that limit is exceeded.

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2           ! Allow 2 MACs (PC + phone)
Switch(config-if)# switchport port-security violation shutdown  ! Shut port on violation
Switch(config-if)# switchport port-security mac-address sticky  ! Learn and save MACs

Violation modes:

  Mode       Action                            Counter   Use case
  protect    Drop violating traffic            No        Quiet blocking
  restrict   Drop + log + increment counter    Yes       Monitor violations
  shutdown   Err-disable the port              Yes       Maximum security

Sticky MAC addresses: The switch learns the first MAC(s) it sees on the port and writes them into the running config as secure entries. You don't have to manually configure MACs—the switch "sticks" them automatically. Save the configuration (copy running-config startup-config) afterwards; otherwise the sticky entries are lost on reload and the port relearns whatever connects first.
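To make the mechanism concrete, here is an added example (written for this page, not code from the MindMesh course or from Cisco): a small Python model of a finite CAM table and of a port-security-protected access port. It shows why a full CAM table turns unknown unicast into flooded traffic, and what each of the three violation modes does when a third source MAC shows up on a port whose maximum is 2, including what survives a shutdown / no shutdown recovery with sticky addresses. All MAC addresses, the table capacity and the frame sequence are constructed for the example.

```python
# Added example, not from the MindMesh course: a model of a switch CAM table
# and of a port with 'switchport port-security', used to show what the three
# violation modes and sticky learning do. All MACs, capacities and frame
# sequences below are constructed for the example.
from dataclasses import dataclass, field


class CamTable:
    """Switch forwarding table with a fixed capacity (the real CAM is finite)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: dict = {}              # mac -> port

    def learn(self, mac: str, port: str) -> bool:
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = port
            return True
        return False                         # table full: address not learned

    def lookup(self, mac: str):
        # None means unknown unicast: the switch floods it out every port.
        return self.entries.get(mac)


def cam_flood_effect(capacity: int = 8) -> dict:
    """Fill the table from one port, then show that a legitimate host whose
    entry has aged out can no longer be learned, so its traffic is flooded."""
    victim = "0011.1111.1111"
    cam = CamTable(capacity)
    cam.learn(victim, "Gi0/2")
    fake_learned = sum(cam.learn(f"dead.beef.{i:04x}", "Gi0/1")
                       for i in range(capacity * 2))
    del cam.entries[victim]                  # victim's entry ages out...
    cam.learn("dead.beef.ffff", "Gi0/1")     # ...and the freed slot is taken at once
    relearned = cam.learn(victim, "Gi0/2")
    return {"fake_learned": fake_learned, "victim_relearned": relearned,
            "victim_traffic_flooded": cam.lookup(victim) is None}


@dataclass
class SecurePort:
    """One access port with port security applied."""
    maximum: int = 2
    violation: str = "shutdown"              # protect | restrict | shutdown
    sticky: bool = True
    secure_macs: list = field(default_factory=list)   # learned / sticky addresses
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Process one frame's source MAC and report what the port did."""
        if self.err_disabled:
            return "dropped:err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # with sticky this lands in running-config
            return "forwarded:learned"
        # An unknown source beyond the maximum is a violation.
        if self.violation == "protect":
            return "dropped"                 # silent: no counter, no log
        self.violation_count += 1
        self.syslog.append(f"port-security violation by {src_mac}")  # stand-in message
        if self.violation == "restrict":
            return "dropped:logged"
        self.err_disabled = True             # shutdown mode: port goes err-disabled
        return "dropped:err-disabled"

    def recover(self) -> None:
        """shutdown / no shutdown (or errdisable recovery). Sticky entries are
        part of the config and survive; dynamic-only entries are relearned."""
        self.err_disabled = False
        if not self.sticky:
            self.secure_macs.clear()


FRAMES = ["0011.1111.1111", "0022.2222.2222",   # PC and phone: legitimate
          "dead.beef.0001", "dead.beef.0002",   # two foreign sources
          "0011.1111.1111"]                     # PC again


def run(mode: str):
    """Feed the constructed frame sequence to a max-2 port in the given mode."""
    port = SecurePort(maximum=2, violation=mode)
    return [port.ingress(m) for m in FRAMES], port


if __name__ == "__main__":
    print(cam_flood_effect())
    for mode in ("protect", "restrict", "shutdown"):
        actions, port = run(mode)
        print(mode, actions, "violations:", port.violation_count,
              "err-disabled:", port.err_disabled)
```

Running it shows the trade-off the table describes: protect keeps the legitimate PC working but leaves no trace, restrict keeps it working and counts every violation, and shutdown cuts off the PC and phone along with the attacker until the port is recovered.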

Verification:
Switch# show port-security interface GigabitEthernet0/1
Switch# show port-security address
Switch# show errdisable recovery        ! Check auto-recovery settings

What happens when port security triggers: With shutdown mode, the port goes into the err-disabled state and stays there until someone intervenes. A user calls saying their network is down. To recover, you must issue shutdown followed by no shutdown on the interface (or configure errdisable recovery cause psecure-violation so the switch re-enables the port automatically after the recovery interval). Before re-enabling it, check show port-security interface for the violating source address so you know what was plugged in.
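As an added example for the verification step (written for this page, not code from the MindMesh course or a Cisco tool), the following Python parses the key/value lines that show port-security interface prints and turns them into findings an operator should act on: an err-disabled port, a non-zero violation count with the last offending source, a secure address table that is already full, and a port left in protect mode where violations would go unnoticed. The sample output is constructed for the example; it follows the general layout of the IOS command, but field names can differ by platform and software version, so adjust the keys if your switch prints different ones.

```python
# Added example, not from the MindMesh course: parse the output of
# 'show port-security interface' and report what needs attention.
# The sample below is constructed for this example; field names may differ
# by platform/version.
import re

SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : dead.beef.0001:10
Security Violation Count   : 1
"""

# 'Key   : value'; the key may itself contain a colon (Last Source Address:Vlan),
# so the separator is the colon that is preceded by whitespace.
LINE = re.compile(r"^\s*(.+?)\s+:\s*(.*?)\s*$")


def parse_port_security(text: str) -> dict:
    """Turn the 'Key : value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        fields[key] = int(value) if value.isdigit() else value
    return fields


def assess(fields: dict) -> list:
    """Return human-readable findings an operator should act on."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled on this port")
        return findings
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by a security violation; "
                        "check the last source address, then shutdown / no shutdown")
    count = fields.get("Security Violation Count", 0)
    if count:
        findings.append(f"{count} violation(s) recorded, last source "
                        f"{fields.get('Last Source Address:Vlan', '?')}")
    if fields.get("Total MAC Addresses") == fields.get("Maximum MAC Addresses"):
        findings.append("secure address table is full: any new device on this port will violate")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode is protect: violations are dropped without logging or counting")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_port_security(SAMPLE_OUTPUT)):
        print("-", finding)
```

Run against output collected from many ports (for example, one capture per interface), the same two functions give a quick inventory of which ports are err-disabled and which are one new device away from a violation, which is the information you want before the user's call arrives.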