Monday, January 08, 2007

Q: How do I configure port-security on my switches?

A:
For each non-trunking, non-grouped switchport (the port has to be in access mode first; IOS refuses to enable port-security on a dynamic or trunk port):
(config-if)#switchport mode access                       // required before the next line is accepted
(config-if)#switchport port-security                     // enables port-security; the option lines below do not enable it on their own
(config-if)#switchport port-security maximum 1           // max number of MACs allowed on that port (1 is also the default)
(config-if)#switchport port-security violation restrict  // drop frames from excess MACs, count the violation and log it (protect drops silently; shutdown, the default, err-disables the port)
(config-if)#switchport port-security mac-address {mac}   // the MAC to allow
With a lot of MACs, you'd have one switchport port-security mac-address {mac} line for each, and the maximum has to be at least that count (IOS rejects a static MAC beyond the maximum). Set the maximum equal to the count if only those MACs should be allowed: any headroom above it is filled by whatever address shows up first and gets learned dynamically. If you don't want to type them all, switchport port-security mac-address sticky learns the MACs currently on the port and writes them into the running config as secure addresses; save with copy run start once the right hosts have been seen. To check your results:
#show port-security                    // table of secure ports with max and current MAC count, violation count and action
#show port-security interface f0/4     // details on one interface: violation mode, last source MAC, violation count
#show port-security address            // table of all secure MAC addresses and the port each one is bound to
With violation shutdown, a port that tripped shows up in show interfaces status err-disabled and stays down until you shut/no shut it (or configure errdisable recovery cause psecure-violation); with restrict it keeps forwarding for the allowed MACs and only the counter and the log grow.
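As an added worked example (not code from the original post), the Python script below audits a show running-config dump against the rule above: every non-trunk, non-channel-group port should be in access mode, have port-security enabled, and have a maximum that matches its static MACs. The embedded config, interface names and MAC addresses are constructed for the example; the parse_config and audit functions are the script's own and not an IOS feature.

```python
"""Audit a Cisco IOS running-config for port-security gaps. Added example, not code
from the original post: parses the interface stanzas of a `show running-config` dump
and flags non-trunk, non-channel-group ports that are unsecured or too loose.
The sample config is constructed; interface names and MACs are made up."""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0011.2233.aaaa
!
interface FastEthernet0/4
 channel-group 1 mode on
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.cccc
!
interface FastEthernet0/6
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

@dataclass
class Port:
    name: str
    mode: str = "dynamic"        # assumed default when no "switchport mode" line is present
    grouped: bool = False        # channel-group member
    secured: bool = False        # bare "switchport port-security" seen
    maximum: int = 1             # IOS default once port-security is enabled
    violation: str = "shutdown"  # IOS default violation mode
    sticky: bool = False
    static_macs: list = field(default_factory=list)

def parse_config(text):
    ports, port = [], None
    for raw in text.splitlines():
        if m := re.match(r"^interface (\S+)$", raw):
            port = Port(name=m.group(1))
            ports.append(port)
            continue
        if port is None or not raw.startswith(" "):
            port = None  # "!" or any other top-level line ends the stanza
            continue
        line = raw.strip()
        if line == "switchport port-security":
            port.secured = True  # only the bare command enables the feature
        elif line.startswith("switchport mode "):
            port.mode = line.split()[2]
        elif line.startswith("channel-group "):
            port.grouped = True
        elif line.startswith("switchport port-security maximum "):
            port.maximum = int(line.split()[3])
        elif line.startswith("switchport port-security violation "):
            port.violation = line.split()[3]
        elif line.startswith("switchport port-security mac-address "):
            tokens = line.split()[3:]        # ["sticky"], ["sticky", mac] or [mac]
            if tokens[0] == "sticky":
                port.sticky = True
                tokens = tokens[1:]
            port.static_macs.extend(tokens)  # sticky-learned MACs are written back to the config
    return ports

def audit(ports):
    # Map interface name -> findings; trunks and channel-group members are out of scope.
    findings = {}
    for p in ports:
        if p.mode == "trunk" or p.grouped:
            continue
        issues = []
        if p.mode != "access":
            issues.append("not an access port; set 'switchport mode access' first")
        if not p.secured:
            issues.append("port-security not enabled")
        else:
            slack = p.maximum - len(p.static_macs)
            if slack > 0 and not p.sticky:
                issues.append(f"maximum {p.maximum} allows {slack} unknown MAC(s) to be learned dynamically")
            if p.violation == "protect":
                issues.append("violation protect drops silently; restrict or shutdown also logs")
        if issues:
            findings[p.name] = issues
    return findings
```

Feed it the text of show running-config (for example audit(parse_config(open("running-config.txt").read()))) and it returns a dict keyed by interface name; on the constructed sample, FastEthernet0/1 is clean, FastEthernet0/3 is flagged for two MACs of headroom, FastEthernet0/5 for the silent protect mode, FastEthernet0/6 for being unsecured and not in access mode, and the trunk and channel-group ports are skipped. A sticky port is not flagged for headroom because the learned addresses land in the config as secure MACs.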