An attempt at securing the physical ports on cisco switches by denying access based on the MAC address of the connected device. Each port has it's own collection of acceptable MAC addresses with which to permit traffic that can be automatically or manually specified as well as the action taken upon violation of the switchport sec configuration.

• Shutdown (DEFAULT)
  • Port shuts down immediately. When in error-disabled-state you can ressurect the port with errdisable recovery cause psecure-violation (global config) OR manually toggle up status on the interface with shutdown, no shutdown (int config).
• Restrict
  • Causes SecurityViolation counter to increment, and generates an SNMP notification. Rate of SNMP traps are created can be altered by snmp-server enable traps port-security trap-rate command. Default val is 0, causing SNMP trap to generate on every violation.
• Protect
  • No SNMP, No counter increase. Simply block violating traffic as it occurs.

Switchport security cannot be enabled on dynamic port types.

• Int FA01
• swport mode access
• enable port sec
• port sec max address to store is 1
• mac-addres stick, auto learn the next mac address on this port.
• violation mode set to shutdown.
• Show command to verify configuration on fa0/1.

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access 
Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky 
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#do show port int fa0/1

• With switchport port-security enabled, the incoming frames (that aren't dropped) will be recorded as STATIC in the MAC table.