Configure Port Security on Cisco SG Switches
- Last updated: Nov 11, 2024
In this guide, I’ll show how to configure port security on Cisco Small Business switches using the command-line interface (CLI).
Port security is a powerful feature that helps protect your network by restricting access to specific devices based on their MAC address. It allows you to control which devices are allowed to connect to each switch port.
This feature allows you to:
- Block unauthorized devices from accessing the network
- Limit the number of devices per port (e.g. to prevent users from adding unmanaged switches or Wi-Fi access points)
- Apply MAC address filtering, either manually or automatically

Definitions
The different modes
- Lock (default): Secure mode without MAC learning. Static and secure MAC addresses may be added to the port manually with the mac address-table static command.
- Max-addresses: Non-secure mode with limited learning of dynamic MAC addresses. Static MAC addresses may be added to the port manually with the mac address-table static command.
- Secure permanent: Secure mode with limited learning of permanent secure MAC addresses (permanent time-to-live). Static and secure MAC addresses may be added to the port manually with the mac address-table static command.
- Secure delete-on-reset: Secure mode with limited learning of secure MAC addresses with the delete-on-reset time-to-live. Static and secure MAC addresses may be added to the port manually with the mac address-table static command.
Action on Violation
- Discard (default): Discards packets with unlearned source addresses.
- Forward: Forwards packets with unlearned source addresses, but does not learn the address.
- Discard-Shutdown: Discards packets with unlearned source addresses and shuts down the port.
Adding static addresses
Addresses can be learned statically or dynamically. Static addresses are added with the mac address-table static command.
- Parameters for the mac address-table static command:
  - permanent (default): the MAC address is kept until it is removed manually.
  - delete-on-reset: the MAC address is kept until the next reboot.
  - delete-on-timeout: the MAC address may be removed by the aging time.
- The following example adds a permanent static MAC address:
Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 permanent
- The following example adds a delete-on-reset static MAC address:
Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 delete-on-reset
- The following example adds a delete-on-timeout static MAC address:
Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 delete-on-timeout
- The following example adds a secure MAC address:
Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1 secure
Enable Port Security
- Enable port security on interface gi1/0/1 with the Discard-Shutdown action and Lock mode. In this example, the port will be disabled if a device with an address other than 00:3f:bd:45:5a:b1 is connected to port gi1/0/1:
Switch(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface gi1/0/1 permanent
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode lock
Switch(config-if)# port security discard-shutdown
Switch(config-if)# port security
Disable Port Security
- Disable port security on interface gi1/0/1:
Switch(config)# interface gi1/0/1
Switch(config-if)# no port security
Set maximum number of MAC addresses
We can define the maximum number of MAC addresses a port is allowed to learn and forward traffic for. This is useful if you don't want a user to connect a switch or a Wi-Fi access point behind the port.
- Here, we allow up to two MAC addresses on a physical interface. (Note: the two addresses are learned dynamically):
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode max-addresses
Switch(config-if)# port security max 2
Switch(config-if)# port security discard
Switch(config-if)# port security
Secure permanent with limited learning addresses
- Here we manually add two MAC addresses and enable the secure permanent mode together with a maximum number of addresses:
Switch(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface gi1/0/1 permanent
Switch(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1/0/1 permanent
Switch(config)# interface gi1/0/1
Switch(config-if)# port security mode secure permanent
Switch(config-if)# port security max 5
Switch(config-if)# port security
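As an added example, not part of the original guide, here is a small Python helper that turns a per-port allow-list into the CLI lines used in the lock and max-addresses examples above; it normalises MAC notation and rejects duplicates and empty lock lists. The interface names and MACs in the sample plan are constructed, and the configure terminal and exit lines are standard Cisco CLI mode commands assumed here.

```python
import re
from typing import Dict, Iterable, List

def normalise_mac(mac: str) -> str:
    """Return the lower-case colon form (00:3f:bd:45:5a:b1) from any common notation; 12 hex digits required."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def lock_port_config(interface: str, macs: Iterable[str], vlan: int = 1) -> List[str]:
    """Lock mode + discard-shutdown: only the listed permanent static MACs pass; any other source MAC is discarded and the port is disabled."""
    allowed: List[str] = []
    for mac in macs:
        norm = normalise_mac(mac)
        if norm in allowed:  # the same MAC written two ways is still a duplicate
            raise ValueError(f"duplicate MAC {norm} on {interface}")
        allowed.append(norm)
    if not allowed:  # lock mode does no learning, so with no static entry nothing would pass
        raise ValueError(f"{interface}: lock mode needs at least one static MAC")
    lines = [f"mac address-table static {m} vlan {vlan} interface {interface} permanent"
             for m in allowed]
    lines += [f"interface {interface}", " port security mode lock",
              " port security discard-shutdown", " port security", "exit"]
    return lines

def max_addresses_config(interface: str, limit: int) -> List[str]:
    """Max-addresses mode: learn up to `limit` dynamic MACs, discard frames from any further source MAC."""
    if limit < 1:
        raise ValueError(f"{interface}: limit must be at least 1, got {limit}")
    return [f"interface {interface}", " port security mode max-addresses",
            f" port security max {limit}", " port security discard", " port security", "exit"]

def render_plan(plan: Dict[str, dict]) -> str:
    """Turn a per-port plan into one pasteable block of global-config commands."""
    out: List[str] = ["configure terminal"]
    for iface, spec in plan.items():
        if spec["mode"] == "lock":
            out += lock_port_config(iface, spec["macs"], spec.get("vlan", 1))
        else:
            out += max_addresses_config(iface, spec["limit"])
    return "\n".join(out)

# Constructed sample plan (hypothetical ports and MACs), not taken from a real network.
PLAN: Dict[str, dict] = {
    "gi1/0/1": {"mode": "lock", "macs": ["00:3f:bd:45:5a:b1", "003f.bd45.5ab2"]},
    "gi1/0/2": {"mode": "max", "limit": 2},
}
```

Run print(render_plan(PLAN)) to get the block to paste into the switch; a ValueError from the helpers means the plan itself is inconsistent and should be fixed before touching the switch.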
Clear mac address-table
- Delete all dynamic (learned) addresses on the gi1/0/1 interface:
Switch# clear mac address-table dynamic interface gi1/0/1
- Delete all the secure addresses learned on the gi1/0/1 interface:
Switch# clear mac address-table secure interface gi1/0/1
Show Commands
- Display port security settings:
Switch# show ports security
- Detailed display of port security settings:
Switch# show ports security detailed
- Display port security interface settings:
Switch# show ports security GigabitEthernet1/0/20
- Display the entire MAC address table:
Switch# show mac address-table
- Display address table entries containing the specified MAC address:
Switch# show mac address-table 00:3f:bd:45:5a:b1
- Display the number of addresses in the Forwarding Database:
Switch# show mac address-table count
- Display the addresses present for a specific interface:
Switch# show mac address-table interface GigabitEthernet1/0/20