
can't remove port-security maximum

brian.kennedy
Level 1

I'm removing port-security from our environment, and I have one port on two different switches that I cannot remove switchport port-security maximum.  Both likely have a phone with pc attached to it (standard deployment).

Every time I try to remove it on those two ports I get: Maximum is less than number of currently secured mac-addresses

switch(config)#int g1/0/7
switch(config-if)#no switchport port-security max
Maximum is less than number of currently secured mac-addresses.

switch#show port-security int g1/0/7
Port Security : Disabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d478.56b6.f590:672
Security Violation Count : 1

All port-security has been dynamic, nothing static. I've shut down the port and tried to remove it, I've tried clearing the MAC address, clearing port-security, defaulting the interface (which clears out everything except that line), pretty much everything short of rebooting the switch, which I'm guessing would resolve the issue.

Anyone seen this?

11 Replies

rasmus.elmholt
Level 7

Hi

If you remove the max you have configured of 3 MAC addresses it will use the default of 1.

And the 2 active you have is more than the default of 1:)

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_4_e/configurationguide/b_1524e_consolidated_2960p_2960c_cg/b_1524e_consolidated_2960p_2960c_cg_chapter_011100.html?bookSearch=true#ID529

When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
  1. Shutdown the port
  2. remove port-security (no port-security)
  3. reconfigure port security
  4. no shutdown the port.
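To make the rule quoted from the configuration guide concrete, here is a small Python helper (added here as an example; it is not from the thread or from Cisco) that parses the `show port-security interface` output the original poster pasted, decides whether a given `switchport port-security maximum` change would be rejected, and lays out the shut / remove / reconfigure / no shut order from the reply above. It assumes that the count the switch compares against is the "Total MAC Addresses" line (that matches the error text "currently secured mac-addresses" and the poster's case, where Configured is 0 but Total is 2), that the `no` form falls back to a maximum of 1, and that "remove port-security" means `no switchport port-security` on the interface. It models the documented behaviour only; it cannot explain the stuck state the poster reports after following those same steps.

```python
import re

# Constructed from the output the original poster pasted above. Note the
# "Last Source Address" line carries an extra colon, which the parser must
# not split on.
SAMPLE_SHOW_OUTPUT = """\
Port Security : Disabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d478.56b6.f590:672
Security Violation Count : 1
"""

# Assumption: 'no switchport port-security maximum' reverts to this default.
DEFAULT_MAXIMUM = 1

_COUNTER_FIELDS = (
    "Maximum MAC Addresses",
    "Total MAC Addresses",
    "Configured MAC Addresses",
    "Sticky MAC Addresses",
    "Security Violation Count",
)


def parse_port_security(text):
    """Turn 'show port-security interface' output into a dict.

    Each line is 'Field : Value'. Splitting on the first ' : ' (with the
    surrounding spaces) keeps a value such as 'd478.56b6.f590:672' intact.
    Counter fields become ints; everything else stays a string.
    """
    state = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        field, value = line.split(" : ", 1)
        field, value = field.strip(), value.strip()
        if field in _COUNTER_FIELDS:
            match = re.match(r"\d+", value)
            value = int(match.group()) if match else 0
        state[field] = value
    return state


def would_be_rejected(state, new_max=None):
    """Apply the rule from the configuration guide quoted above.

    A new maximum lower than the number of addresses the port currently
    holds secure is rejected ('Maximum is less than number of currently
    secured mac-addresses'). Removing the maximum (new_max=None) is the
    same as setting DEFAULT_MAXIMUM, which is why a port holding two
    secured addresses refuses the plain 'no' form.
    """
    effective = DEFAULT_MAXIMUM if new_max is None else new_max
    return effective < state.get("Total MAC Addresses", 0)


def removal_plan(interface, state, new_max=None):
    """Return the interface config lines to apply, in order.

    If the change would be accepted as-is, only the maximum line is needed.
    Otherwise follow the sequence from the reply above: shut the port, drop
    port-security (which releases the secured addresses), set the maximum,
    then bring the port back up. The exact 'no switchport port-security'
    wording for the removal step is this example's assumption.
    """
    max_line = (
        "no switchport port-security maximum"
        if new_max is None
        else f"switchport port-security maximum {new_max}"
    )
    if not would_be_rejected(state, new_max):
        return [f"interface {interface}", max_line]
    return [
        f"interface {interface}",
        "shutdown",
        "no switchport port-security",
        max_line,
        "no shutdown",
    ]


if __name__ == "__main__":
    st = parse_port_security(SAMPLE_SHOW_OUTPUT)
    print(f"secured={st['Total MAC Addresses']} max={st['Maximum MAC Addresses']}")
    print("plain 'no ... maximum' rejected:", would_be_rejected(st))
    print("\n".join(removal_plan("GigabitEthernet1/0/7", st)))
```

Run against the poster's output the helper reports that the plain `no switchport port-security maximum` would be rejected (default 1 is below the 2 secured addresses), that `maximum 2` or anything higher would be accepted, and prints the shut / remove / set / no shut sequence for the rejected case.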

I've done those steps, no change.

And it didn't do that to the couple thousand other similar ports with a phone/PC (i.e. two MACs) when I removed them.

I had this problem earlier this year and cannot remember what I did.  I think I punted then and rebooted the switch.

Hello,

try:

switch(config-if)#no switchport port-security max 3

or

clear port-security all

Done those both.

I've tried changing the max setting to different values; anything less than 2 barks at me, obviously. Tried changing the aging time. Tried clearing every port-security setting combination, in conjunction with defaulting the interface.

Hello,

what if you configure:

switch(config-if)#switchport port-security aging time 1

Then wait for 1 minute ?

I know this is not quite the same issue. It might be worth a try. I was removing port security in packet tracer and the violated port would not come back up. 2 hours later trying everything multiple times. The solution was to disconnect the PC and then shut / no shut the port. Port would then come back up.

spookfish1
Level 1

From your output snippet you already have 2 MAC addresses learned (Total MAC Addresses : 2)! You need to delete the offending MAC address:

no switchport port-security mac-address sticky 0003.xxx.xxx
no switchport port-security maximum 2
switchport port-security maximum 1

and wr mem

This trick works like a charm, but the problem is:

S1#show port-security interface fastEthernet 0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 0001.6480.7627:1
Security Violation Count : 1

Sticky MAC Addresses is 2; shouldn't it be 1?

Thanks

I tried many posted tricks but your trick works fine. Kindly assist further.

Hello

Have you tried just defaulting the interface?

default interface fa0/1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Dear sir Paul!

This command works in Cisco IOS 15+ versions. In Packet Tracer it is not working and shows the error "unrecognised command". How should I solve this issue in PT?

Hello 

PT has a limited feature set, so I'm not surprised defaulting the interface doesn't work, even though I thought it did.

It could be you need to upgrade your PT software. Have you done that?



Kind Regards
Paul