Beginner

can't remove port-security maximum

I'm removing port-security from our environment, and I have one port on two different switches where I cannot remove switchport port-security maximum. Both likely have a phone with a PC attached to it (standard deployment).

Every time I try to remove it on those two ports I get: Maximum is less than number of currently secured mac-addresses

switch(config)#int g1/0/7
switch(config-if)#no switchport port-security max
Maximum is less than number of currently secured mac-addresses.

switch#show port-security int g1/0/7
Port Security : Disabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d478.56b6.f590:672
Security Violation Count : 1

All port-security has been dynamic, nothing static. I've shut down the port and tried to remove it, I've tried clearing MAC addresses, clearing port-security, defaulting the interface (which clears out everything except that line), pretty much everything short of rebooting the switch, which I'm guessing would resolve the issue.

Anyone seen this?

11 REPLIES 11
Enthusiast

Hi

If you remove the max you have configured of 3 MAC addresses it will use the default of 1.

And the 2 active you have is more than the default of 1:)

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_4_e/configurationguide/b_1524e_consolidated_2960p_2960c_cg/b_1524e_consolidated_2960p_2960c_cg_chapter_011100.html?bookSearch=true#ID529

When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
  1. Shutdown the port
  2. remove port-security (no port-security)
  3. reconfigure port security
  4. no shutdown the port.
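
The rejection rule quoted above, applied to the show port-security output from the first post. This is an added example, not part of the original thread or any Cisco tooling; the function names are hypothetical, and treating Total MAC Addresses as the count the switch compares against is an assumption.

```python
DEFAULT_MAX = 1  # value the maximum falls back to when the command is negated

# Output copied from the first post in this thread (interface g1/0/7).
SAMPLE = """\
Port Security : Disabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d478.56b6.f590:672
Security Violation Count : 1
"""

def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict; numeric values become int."""
    fields = {}
    for line in text.splitlines():
        # Split on the first " : " so "Last Source Address:Vlan" stays one key.
        key, sep, value = line.partition(" : ")
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields

def max_change_rejected(fields, new_max=DEFAULT_MAX):
    """Documented rule: a lower maximum is rejected while more secure addresses
    are held (assumption: 'Total MAC Addresses' is the count compared)."""
    return (new_max < fields["Maximum MAC Addresses"]
            and fields["Total MAC Addresses"] > new_max)

def findings(fields):
    """Flag the state that explains why cleanup on this port is blocked."""
    out = []
    if max_change_rejected(fields):
        out.append("'no switchport port-security maximum' will be rejected: "
                   f"{fields['Total MAC Addresses']} secure addresses > default {DEFAULT_MAX}")
    if fields["Port Security"] == "Disabled" and fields["Total MAC Addresses"] > 0:
        out.append("port-security is disabled but secure addresses are still held")
    if fields["Port Status"].lower().startswith("secure-shutdown"):
        out.append("port was shut down by a security violation (Secure-shutdown)")
    return out

if __name__ == "__main__":
    for finding in findings(parse_port_security(SAMPLE)):
        print(finding)
```

Run against saved show output from many interfaces, this picks out the ports where residual secure addresses will block the cleanup before the change window.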

Beginner

I've done those steps, no change.

And it didn't do that to the couple thousand other similar ports with a phone/PC (i.e. two MACs) when I removed them.

I had this problem earlier this year and cannot remember what I did.  I think I punted then and rebooted the switch.

VIP Mentor

Hello,

try:

switch(config-if)#no switchport port-security max 3

or

clear port-security all

Beginner

done those both;

I've tried changing the max setting to different values; anything less than 2 barks at me, obviously. Tried changing the aging time. Tried clearing every port-security setting combination, in conjunction with defaulting the interface.

VIP Mentor

Hello,

what if you configure:

switch(config-if)#switchport port-security aging time 1

Then wait for 1 minute?

Re: I've done those steps, no

I know this is not quite the same issue. It might be worth a try. I was removing port security in Packet Tracer and the violated port would not come back up. 2 hours later, trying everything multiple times. The solution was to disconnect the PC and then shut / no shut the port. Port would then come back up.

Beginner

Re: can't remove port-security maximum

From your output snippet you already have 2 MAC addresses learned (Total MAC Addresses : 2)! You need to delete the offending MAC address.

 


no switchport port-security mac-address sticky 0003.xxx.xxx
no switchport port-security maximum 2
switchport port-security maximum 1

 

and wr mem

Beginner

Re: can't remove port-security maximum

This trick works like a charm, but the problem is:

S1#show port-security interface fastEthernet 0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 0001.6480.7627:1
Security Violation Count : 1

Sticky mac-address is 2, should it not be 1?

 

Thanks 

I tried many posted tricks but your trick works fine. Kindly assist further.

VIP Advisor

Re: can't remove port-security maximum

Hello

Have you tried just defaulting the interface?

default interface fa0/1



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: can't remove port-security maximum

Dear sir Paul!

This command is working in Cisco IOS 15+ versions. In Packet Tracer this is not working and shows the error unrecognised command. How should I solve this issue in PT?

VIP Advisor

Re: can't remove port-security maximum

Hello 

PT has a limited feature set, so I'm not surprised defaulting the interface doesn't work, even though I thought it did.

It could be you may need to upgrade your PT software. Have you done that?



kind regards
Paul
