Cisco port-security configuration

Port security can be used to restrict which devices communicate through an interface by limiting the MAC addresses allowed on that interface. When you assign secure MAC addresses to a port, the switch does not forward or process frames whose source address falls outside the set of secure MAC addresses, so the port's bandwidth is dedicated to the devices that are allowed to communicate through it.

Port security guidelines and restrictions

  • Port security supports private VLANs (PVLANs)
  • Port security supports 802.1Q tunnels
  • Port security does not support EtherChannel
  • Port security does not support Switched Port Analyzer (SPAN) ports
  • Port security supports trunk ports only with the following configuration:
    switchport trunk encapsulation
    switchport mode trunk
    switchport nonegotiate

Secure MAC addresses can be configured in the following ways:

  • Configure all MAC addresses statically using the switchport port-security mac-address mac_address command.
  • Allow the port to dynamically learn the MAC addresses of the connected devices.
  • Configure a few specific MAC addresses statically and allow the port to dynamically learn the rest.
  • Configure sticky MAC addresses, which are learned into the address table and added to the running configuration. If the switch is restarted, the interface does not need to re-learn the MAC addresses because they are already in the configuration file (provided the running configuration was saved before the restart).

Security violation:
A security violation occurs when a device whose MAC address is not in the port's secure MAC address list tries to communicate through the secure port.

  • When a violation occurs, the switch sends an SNMP trap (in the restrict and shutdown modes)
  • The configured violation-mode action is executed

Violation actions:

  • Shutdown (default): the switch puts the interface into the err-disabled state and no frames are forwarded thereafter, until the port is re-enabled by an administrator (or by errdisable recovery, if configured).
  • Protect: the switch allows only frames from secure MAC addresses and silently drops violating frames; no trap is sent and no counter is incremented.
  • Restrict: the switch drops violating frames, sends an SNMP trap and increments the SecurityViolation counter.
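The secure-MAC options and violation modes above are what an auditor checks for in a switch's running configuration. The following script is an added example (not from the original page or from Cisco): it parses a constructed running-config excerpt into per-interface port-security settings and reports the weak spots this page describes, namely ports without port security, ports in the silent protect mode, trunks that lack switchport nonegotiate, and ports whose secure MACs are dynamic only and so would be lost on a reload. The interface names, MAC addresses and the defaults assumed when a line is absent (maximum 1, violation shutdown) are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed running-config excerpt for the example; not from a real device.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
!
interface GigabitEthernet1/0/5
 switchport mode trunk
 switchport port-security
!
"""


@dataclass
class PortSecurity:
    enabled: bool = False
    maximum: int = 1            # IOS default when no 'maximum' line is present
    violation: str = "shutdown"  # IOS default violation mode
    sticky: bool = False         # 'mac-address sticky' learning enabled
    secure_macs: List[str] = field(default_factory=list)  # static + sticky-learned
    mode: str = ""               # 'access' / 'trunk' when configured explicitly
    nonegotiate: bool = False


def parse_running_config(text: str) -> Dict[str, PortSecurity]:
    """Collect port-security related lines under each 'interface' block."""
    interfaces: Dict[str, PortSecurity] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = PortSecurity()
            continue
        # '!' or any non-indented line ends the current interface block.
        if current is None or not line.startswith(" "):
            current = None
            continue
        cmd = line.strip()
        ps = interfaces[current]
        if cmd == "switchport port-security":
            ps.enabled = True
        elif cmd.startswith("switchport port-security maximum "):
            ps.maximum = int(cmd.split()[-1])
        elif cmd.startswith("switchport port-security violation "):
            ps.violation = cmd.split()[-1]
        elif cmd == "switchport port-security mac-address sticky":
            ps.sticky = True
        elif re.match(r"switchport port-security mac-address (sticky )?\S+$", cmd):
            ps.secure_macs.append(cmd.split()[-1])  # static or sticky-learned MAC
        elif cmd.startswith("switchport mode "):
            ps.mode = cmd.split()[-1]
        elif cmd == "switchport nonegotiate":
            ps.nonegotiate = True
    return interfaces


def audit(interfaces: Dict[str, PortSecurity]) -> Dict[str, List[str]]:
    """Return the findings per interface; an empty list means no concern."""
    findings: Dict[str, List[str]] = {}
    for name, ps in interfaces.items():
        issues: List[str] = []
        if not ps.enabled:
            issues.append("port-security not enabled")
        else:
            if ps.violation == "protect":
                issues.append("violation mode 'protect' drops frames silently (no trap, no counter)")
            if ps.mode == "trunk" and not ps.nonegotiate:
                issues.append("trunk with port-security must use 'switchport nonegotiate'")
            if not ps.sticky and not ps.secure_macs:
                issues.append("secure MACs are dynamic only: lost on reload, nothing pinned to the port")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(parse_running_config(RUNNING_CONFIG)).items():
        print(iface, "->", issues or "OK")
```

Running the script lists GigabitEthernet1/0/1 as clean (restrict mode, sticky learning with one address already pinned), flags the protect-mode port and the unsecured port, and flags GigabitEthernet1/0/5 because it trunks with port security but without switchport nonegotiate.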

To enable port security on a trunk, perform this task:

Step 1
  Command: Router(config)# interface type slot/port
  Purpose: Selects the LAN port to configure.

Step 2
  Command: Router(config-if)# switchport
  Purpose: Configures the port as a Layer 2 port.

Step 3
  Command: Router(config-if)# switchport trunk encapsulation {isl | dot1q}
  Purpose: Configures the encapsulation, which configures the Layer 2 switching port as either an ISL or 802.1Q trunk.

Step 4
  Command: Router(config-if)# switchport mode trunk
  Purpose: Configures the port to trunk unconditionally.

Step 5
  Command: Router(config-if)# switchport nonegotiate
  Purpose: Configures the trunk not to use DTP.

Step 6
  Command: Router(config-if)# switchport port-security
  Purpose: Enables port security on the trunk.

Step 7
  Command: Router(config-if)# do show port-security interface type slot/port | include Port Security
  Purpose: Verifies the configuration.

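The verification step above reads the output of show port-security interface. Beyond a one-off check, that output is what a monitoring job polls to notice ports that have been err-disabled or have accumulated violations. The following script is an added example (not from the original page or from Cisco): it parses constructed text written in the layout of that command's output, one block per interface, and returns the alerts a defender would want raised (port security not enabled, port in Secure-shutdown, a non-zero Security Violation Count with the last offending source, or the silent protect mode). The interface names, addresses and counts in the sample are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed samples in the layout of 'show port-security interface <if>';
# not captured from a real device.
SHOW_OUTPUT = {
    "GigabitEthernet1/0/1": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 0
""",
    "GigabitEthernet1/0/2": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00aa.bbcc.ddee:10
Security Violation Count   : 1
""",
}

# Key is padded with spaces before the colon, so the first run of
# whitespace followed by ':' separates key from value. This keeps the
# colon inside "Last Source Address:Vlan" as part of the key.
LINE_RE = re.compile(r"^(.+?)\s+:\s+(.*)$")


def parse_show_port_security(text: str) -> Dict[str, str]:
    """Turn the 'key : value' lines into a dictionary."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def assess(fields: Dict[str, str]) -> List[str]:
    """Return alert strings for one interface; empty means healthy."""
    alerts: List[str] = []
    if fields.get("Port Security") != "Enabled":
        return ["port security not enabled"]
    if fields.get("Port Status") == "Secure-shutdown":
        alerts.append("port err-disabled by a security violation")
    count = int(fields.get("Security Violation Count", "0"))
    if count > 0:
        last = fields.get("Last Source Address:Vlan", "unknown")
        alerts.append(f"{count} security violation(s); last source {last}")
    if fields.get("Violation Mode") == "Protect":
        alerts.append("protect mode: violations are neither counted nor trapped")
    return alerts


def assess_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Assess every interface's captured output."""
    return {name: assess(parse_show_port_security(text)) for name, text in outputs.items()}


if __name__ == "__main__":
    for iface, alerts in assess_all(SHOW_OUTPUT).items():
        print(iface, "->", alerts or "OK")
```

In practice the text would come from the device (for example over SSH with a library such as Netmiko, or from an exported log), and the non-empty alert lists would feed a ticket or SIEM event; the parsing and assessment logic stay the same.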
Reference: Cisco port-security documentation