Monday, February 27, 2012

Cisco Port Security

Use port security to manage the ingress of traffic from dynamically learned and static MAC addresses. When a secure MAC address is assigned to a secure port, the port does not forward traffic from any source MAC address other than the defined secure MAC addresses.

There is a security violation if one of these infractions occurs:
1) When access is attempted by a MAC address that is different from any of the identified secure MAC addresses, port security applies the configured violation action or mode.
2) If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation action or mode. It is a move violation!

Possible actions are:
switchport port-security violation {protect | restrict | shutdown}

protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict—The same as protect, but also causes the SecurityViolation counter to increment.

shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

To bring a secure port out of the error-disabled state, use the errdisable recovery cause violation_mode global configuration command, or manually re-enable it with the shutdown and no shutdown interface configuration commands.
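As an added example (not from the original post), here is how the violation modes and the error-disable recovery above fit together on a Catalyst access switch: one port uses restrict so offenders are dropped and counted while the port stays up, a second port uses shutdown, and the global errdisable recovery re-enables a shut-down port after an interval. The interface names, VLAN 10 and the 300-second interval are assumed values; psecure-violation is the errdisable cause keyword that corresponds to a port-security violation.

```cisco
! --- Interface-level port security (interface names and VLAN are assumed) ---
interface GigabitEthernet1/0/1
 description User port: drop and count offenders, keep the port up
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 description Printer port: err-disable on any violation
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Global: automatically recover err-disabled ports after 300 seconds ---
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Manual recovery of an err-disabled port ---
interface GigabitEthernet1/0/2
 shutdown
 no shutdown
!
! --- Verification (privileged exec mode) ---
show port-security interface GigabitEthernet1/0/1
show port-security
show errdisable recovery
```

The SecurityViolation counter that restrict mode increments is shown as "Security Violation Count" in the output of show port-security interface; with protect mode that field stays at 0 even while frames are being dropped, which is why restrict is the better choice when you want violations to be visible for monitoring.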

To prevent overtaxing the CPU, use the port security command with rate limiting.

Methods of MAC address configuration

Static
To statically configure all secure MAC addresses, use the switchport port-security mac-address mac_address interface configuration command.

Dynamic
To dynamically configure secure MAC addresses:
1) You can allow the port to dynamically learn secure MAC addresses from the MAC addresses of connected devices.

2) You can statically configure a number of addresses and allow the rest to be dynamically learned with sticky!

Sticky MAC addresses
These can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
Remember to save with the write memory (wr is the shortcut) or copy running-config startup-config command; port security with sticky MAC addresses then saves the dynamically learned MAC addresses in the startup-config file, and the port does not have to learn addresses from ingress traffic after a bootup or restart.
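As an added example (not from the original post), the three MAC configuration methods above on two ports: one port with a fully static secure address, and one port mixing a static address with sticky learning for the remaining slot, followed by the save step that makes the learned entries survive a reload. Interface names, VLAN 10 and the MAC addresses 0011.2233.4455, 0011.2233.4466 and 0011.2233.4477 are constructed values.

```cisco
! --- Static: every secure address typed in (MAC values are constructed) ---
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
!
! --- Static plus sticky: one address fixed, the second slot learned and retained ---
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4466
 switchport port-security mac-address sticky
!
! Once a second host is seen on Gi1/0/4, the running-config gains a line like:
!  switchport port-security mac-address sticky 0011.2233.4477
! That line is only in running-config until it is saved.
!
! --- Persist the sticky entries across a reload (privileged exec mode) ---
end
copy running-config startup-config
! or the shortcut:
write memory
!
! --- Verify the secure address table ---
show port-security address
show port-security interface GigabitEthernet1/0/4
```

Note that the same secure MAC address cannot be configured statically on two ports in the same VLAN, which is the configuration-time counterpart of the move violation described earlier: the switch rejects the duplicate rather than letting both ports claim the address.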
