Configuring port MAC security

Port MAC security can be configured globally or on a specific interface.

By default, the MAC port security feature is disabled on all interfaces.

  1. Enter global configuration mode.
    device# configure terminal
  2. Enter port security configuration mode.
    device(config)# port security
  3. Enable port MAC security globally on the device.
    device(config-port-security)# enable
  4. Set the maximum number of secure MAC addresses.
    device(config-port-security)# maximum 10
    By default, when MAC port security is enabled, an interface can store one secure MAC address. A maximum of 64 local resources can be allocated to each interface.
  5. (Optional) From the global configuration mode, configure the maximum number of global resources shared among all interfaces on the device to store secure MAC addresses.
    device(config)# system-max pms-global-pool 800
    By default, 8192 global resources are shared among all interfaces on the device, which is also the maximum number of global resources supported. The global resources are in addition to the local resources allocated to each interface. The maximum number of MAC addresses any single interface can secure is 64 (the maximum number of local resources allocated to the interface) plus the number of global resources available.
  6. Specify a secure MAC address.
    device(config-port-security)# secure-mac-address 000.0018.747c
  7. Set the optional port security age timer. By default, learned MAC addresses stay secure indefinitely.
    device(config-port-security)# age 60 absolute
    In this example, secure MAC addresses are timed out 60 minutes after they are learned, regardless of activity. If the absolute option is not configured, the secure MAC addresses time out when the hardware MAC age timer expires.
  8. Set the optional time interval when learned secure MAC addresses are saved to the startup configuration.
    device(config-port-security)# autosave 20
    In this example, learned secure MAC addresses are saved to the startup configuration every 20 minutes.
  9. Configure the action that must be taken when a port security violation occurs. Select one of the following modes to specify the violation action.
    • Configure the protect mode to drop all packets which are not from secure MAC addresses.
      device(config-port-security)# violation protect

      This is the default PMS violation action. In the protect mode, the port never gets shut down.

    • Configure the restrict mode to drop packets from the MAC addresses that caused a violation while still allowing packets from secure addresses.
      device(config-port-security)# violation restrict

      When the restrict option is used, the maximum number of MAC addresses that can be restricted is 128. If the number of violating MAC addresses exceeds 128, the port is shut down. In this mode, manual intervention is required to bring up a port that was shut down after the security violation. Aging for restricted MAC addresses is done in software, so the actual age-out can be up to one minute later than the specified time. The restricted MAC addresses are denied in hardware.

    • Configure the shutdown mode to disable the port for a specified amount of time, in minutes, as soon as the first violating MAC address is detected.
      device(config-port-security)# violation shutdown

      The shutdown time serves as a recovery interval: the port is brought back up after the configured time without any manual intervention. The default value is 0, which shuts down the port permanently when a security violation occurs.
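
As an added illustration (not the device's own code), the following Python model mimics how the three violation actions treat a frame once an interface's secure table is full. It assumes dynamic learning fills the secure table up to the configured maximum in every mode and ignores aging; the MAC addresses fed to it are constructed sample values.

```python
# Illustrative model (not vendor code) of port MAC security violation modes.
from dataclasses import dataclass, field

RESTRICT_LIMIT = 128   # restrict mode can hold at most 128 violating MACs


@dataclass
class PortSecurity:
    mode: str                               # "protect", "restrict" or "shutdown"
    maximum: int = 1                        # default: one secure MAC per interface
    secure: set = field(default_factory=set)
    restricted: set = field(default_factory=set)
    shut: bool = False

    def ingress(self, src_mac: str) -> str:
        """Return the fate of one frame: 'forward', 'drop' or 'shutdown'."""
        src_mac = src_mac.lower()
        if self.shut:
            return "drop"                   # port is down; nothing passes
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)        # assumption: learned up to maximum
            return "forward"
        # Secure table is full, so this frame is a violation.
        if self.mode == "protect":
            return "drop"                   # protect never shuts the port
        if self.mode == "restrict":
            self.restricted.add(src_mac)
            if len(self.restricted) > RESTRICT_LIMIT:
                self.shut = True            # manual intervention needed now
                return "shutdown"
            return "drop"
        if self.mode == "shutdown":
            self.shut = True                # first violation disables the port
            return "shutdown"
        raise ValueError(f"unknown violation mode {self.mode!r}")


def run(mode: str, maximum: int, frames: list) -> list:
    """Feed a sequence of source MACs to one interface and collect outcomes."""
    port = PortSecurity(mode=mode, maximum=maximum)
    return [port.ingress(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sample: one legitimate host, then an unexpected second host.
    print(run("shutdown", 1, ["0000.0018.747c", "0000.00aa.bbcc", "0000.0018.747c"]))
```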

In the following example, port MAC security is configured globally.
device# configure terminal
device(config)# port security
device(config-port-security)# enable
device(config-port-security)# maximum 10
device(config-port-security)# secure-mac-address 000.0018.747c
device(config-port-security)# age 60 absolute
device(config-port-security)# autosave 20
device(config-port-security)# violation restrict 100