Set port security and enable auto recovery after violation

Configure port security at desired interface

Switch(config)# interface GiX/0/x
Switch(config-if)# switchport access vlan xx
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky xxxx.xxxx.xxxx
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# speed 1000
Switch(config-if)# duplex full
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable

Note on the violation mode: only `shutdown` (the IOS default) puts the port into err-disabled state on a violation, which is what the auto recovery below recovers from. `restrict` and `protect` only drop the offending frames (`restrict` also logs and bumps the violation counter) and never err-disable the port, so with those modes the errdisable recovery settings have no effect on port security.

Enable auto recovery from a port security violation (the err-disabled port is re-enabled after 600 sec). The interval is global and applies to every recovery cause that is enabled.

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600

Check for recovery behaviors

Switch# show errdisable recovery


Alternatively, enable auto recovery for every err-disable cause, not just port security violations. Be aware that this also re-enables ports that BPDU guard shut down, so a port with a rogue switch behind it will flap every recovery interval instead of staying down.

Switch(config)# errdisable recovery cause all

Check that the new setting is in place

Switch# show errdisable recovery

A sticky MAC address must not be present anywhere else

E.g. the MAC ending in 1985 below should be present only on this interface. When the host is moved to a new port, remove the stale sticky entry from the old port (the `no` form of the sticky line under the old interface) before or right after the move.

switchport port-security mac-address sticky 0020.022c.1985
switchport port-security mac-address sticky 3c18.a051.80be

If the stale sticky entry is left in place and the host is moved to another port in the same VLAN, the two hosts cannot communicate: the MAC is still secured on the old port, so the switch keeps forwarding frames for that MAC to the old port, and the moved host's frames on the new port count as a security violation there (a MAC already secured on another port in the same VLAN is a violation).
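Both pitfalls on this page, a stale sticky binding left on the old port and a violation mode that silently defeats errdisable recovery, can be audited from a saved `show running-config`. The following Python script is an added example written for this page, not code from the original post. It parses a constructed config excerpt (the interface names, VLANs and the second interface are assumptions; the two MAC addresses are the ones from the page), reports sticky MACs bound on more than one interface, flags port-security interfaces whose `protect`/`restrict` mode can never be err-disabled, and prints the `no ... sticky` commands that remove the stale binding.

```python
"""Audit a Cisco IOS running-config excerpt for two port-security pitfalls.
Added example, not code from the original page; the sample config is constructed."""
import re
from collections import defaultdict

# Constructed sample, not captured from a real switch: 0020.022c.1985 was
# left sticky on Gi1/0/1 after its host moved to Gi1/0/2 in the same VLAN.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0020.022c.1985
 switchport port-security mac-address sticky 3c18.a051.80be
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0020.022c.1985
!
"""
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_interfaces(config):
    """{interface: {"enabled", "violation", "sticky"}}; 'shutdown' is the IOS default."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"enabled": False, "violation": "shutdown", "sticky": []}
            continue
        if not line.startswith(" "):  # '!' or a global command ends the interface block
            current = None
            continue
        words = line.split()
        if current is None or words[:2] != ["switchport", "port-security"]:
            continue
        rest = words[2:]
        if not rest:
            interfaces[current]["enabled"] = True
        elif rest[0] == "violation" and len(rest) >= 2:
            interfaces[current]["violation"] = rest[1].lower()
        elif rest[:2] == ["mac-address", "sticky"] and len(rest) == 3:
            if MAC_RE.match(rest[2].lower()):
                interfaces[current]["sticky"].append(rest[2].lower())
    return interfaces

def recovery_causes(config):
    """Causes enabled globally with `errdisable recovery cause <cause>`."""
    return {w[3] for w in (ln.split() for ln in config.splitlines())
            if w[:3] == ["errdisable", "recovery", "cause"] and len(w) == 4}

def duplicate_sticky(interfaces):
    """Sticky MACs bound on more than one interface -> those interfaces, in config order."""
    seen = defaultdict(list)
    for name, data in interfaces.items():
        for mac in data["sticky"]:
            seen[mac].append(name)
    return {mac: names for mac, names in seen.items() if len(names) > 1}

def recovery_gaps(interfaces, causes):
    """Port-security interfaces that psecure-violation recovery can never re-enable:
    only 'shutdown' err-disables the port; 'protect' and 'restrict' just drop frames."""
    if not ({"psecure-violation", "all"} & causes):
        return []
    return sorted(n for n, d in interfaces.items()
                  if d["enabled"] and d["violation"] in ("protect", "restrict"))

def cleanup_commands(dups, keep):
    """Commands removing each duplicated sticky MAC everywhere except the interface in
    `keep` (mac -> interface the host now lives on, supplied by the operator)."""
    cmds = []
    for mac, names in sorted(dups.items()):
        for name in names:
            if name != keep.get(mac):
                cmds += [f"interface {name}",
                         f" no switchport port-security mac-address sticky {mac}"]
    return cmds

if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for mac, names in duplicate_sticky(ifs).items():
        print(f"sticky {mac} is bound on {', '.join(names)}")
    for name in recovery_gaps(ifs, recovery_causes(SAMPLE_CONFIG)):
        print(f"{name}: violation mode never err-disables, so psecure-violation recovery is moot")
    print("\n".join(cleanup_commands(duplicate_sticky(ifs), {"0020.022c.1985": "GigabitEthernet1/0/2"})))
```

Run it against a real `show running-config` capture by replacing `SAMPLE_CONFIG` with the file contents; the parser only reads `interface`, `switchport port-security` and `errdisable recovery cause` lines, so other configuration is ignored. The operator supplies which interface the moved host now lives on, because the config alone cannot tell the old binding from the new one.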
