34110 Views, 11 Helpful, 36 Replies
Clearing Port-security sticky mac address on port

droidus (Level 1)

I am trying to clear a MAC address from a port. Here is what it looks like from the running config:

interface GigabitEthernet5/0/7
switchport mode access
switchport port-security mac-address sticky
switchport port-security

sh interfaces status err-disabled returns:

Gi5/0/7                      err-disabled psecure-violation

If there is a violation, shouldn't there be a MAC address listed with the port in the running config? How do I resolve this so I can allow my client to connect?

36 Replies

Martin L (VIP)

Shut and no shut of the port does not help? It should. Otherwise try shutting the port down, re-applying the config ("security" commands), and bringing the port up.

Regards, ML
**Please Rate All Helpful Responses **

Hello,

I cannot reproduce the error. What exact commands are you entering? How do you get to the err-disabled state?

balaji.bandi (Hall of Fame)

This may be the reason: as per the information, the MAC address is still in the MAC address table somewhere in the switch.

Can you check which MAC address is in the logs, find out which port it is associated with, try to clear the table entry for it, and check again.

By default only the first MAC address will be registered, so we need to know the below information.

Is your intention to use only one MAC address per port?

Can you post the below outputs:

show port-security interface gi 5/0/7

show log

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Doing a shut/no shut does not work. It simply gets shut down again.

Output:

Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : <mac>
Security Violation Count : 12

 

*Jan 7 10:19:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/7, changed state to up
*Jan 7 10:19:19.665: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/0/7, changed state to up
*Jan 7 10:19:31.904: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi5/0/7, putting Gi5/0/7 in err-disable state
*Jan 7 10:19:31.912: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address <mac> on port GigabitEthernet5/0/7.
*Jan 7 10:19:32.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/0/7, changed state to down
*Jan 7 10:19:33.917: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/7, changed state to down

As per the output, you see the MAC address at "Last Source Address:Vlan : <mac>".

Is the device you are trying to connect the same MAC address? If not, it will be disabled again.

You need to relax the security restrictions and tune the aging time and MAC addresses.

Before going further, what is the goal? Do you want to lock one MAC address per port? Then you need to connect the same MAC address device to the port all the time, and you also need to configure a recovery interval.

There is a good document that provides step-by-step guidance:

https://packetlife.net/blog/2010/may/3/port-security/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for sharing this helpful documentation. I overlooked your response among all of the other responses; I apologize.

Yes, only one MAC address should be assigned.

I do not want to configure aging; I want it to be permanent. Also, I don't understand how recovery will fix this, if manually taking it out of err-disable mode only results in it going back into that state.

When you say I need to "clear", clear what?

Follow the below steps:

1. Shut down the port and remove the config.

config t
!
interface GigabitEthernet5/0/7  (or: default interface GigabitEthernet5/0/7)
shutdown
no switchport port-security mac-address sticky
no switchport port-security
!
end

# clear mac address-table dynamic address xxxx.xxxx.xxxx  (whatever MAC address is shown in the output at "Last Source Address:Vlan : <mac>")

Check whether the MAC address is still in the table. If it is still there, investigate which port it is being learned from and clear it.

Once that MAC address is removed, follow the below config:

interface GigabitEthernet5/0/7
 switchport access vlan XX  (make sure the port belongs to the VLAN; if not, VLAN 1)
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx  (MAC of the device you are looking to connect)
 spanning-tree portfast
end

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I did a show mac address-table, and did not see the MAC address in there.

I get to "switchport port-security mac-address sticky <my-mac>", and it returns:

"Found duplicate mac-address <my-mac>"

I do a "show mac address-table", and do not see that MAC address in there.

I would expect you to read the syntax, not to paste the example as given:

switchport port-security mac-address sticky <my-mac>  (MAC address to be here)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
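An added Python triage script, not from this thread or from Cisco, that applies the checks discussed above to the posted outputs: it parses a "show port-security interface" block and the %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines in the shape droidus posted, plus a "show port-security address" table, and reports why the port keeps returning to err-disable. The secure address table is where a sticky MAC that is already secured on another interface shows up, which a plain "show mac address-table" will not tell you, and that is what the "Found duplicate mac-address" message refers to. The MAC 0011.2233.4455, the second port Gi5/0/9 and the secure-address table row are constructed for the example; the finding codes are this script's own names.

```python
"""Triage helper for a port-security err-disable loop (constructed example)."""
import re

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

# Constructed sample in the shape of 'show port-security interface gi 5/0/7'.
# The MAC 0011.2233.4455 is made up for this example.
SHOW_PSEC_IF = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.2233.4455:1
Security Violation Count : 12
"""

# Constructed syslog lines modelled on the ones posted in the thread.
SYSLOG = """\
*Jan 7 10:19:31.904: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi5/0/7, putting Gi5/0/7 in err-disable state
*Jan 7 10:19:31.912: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet5/0/7.
"""

# Constructed 'show port-security address' output: the same MAC is already secured on Gi5/0/9.
SHOW_PSEC_ADDR = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0011.2233.4455    SecureSticky                  Gi5/0/9        -
-----------------------------------------------------------------------------
"""


def short_port(name):
    """Normalise 'GigabitEthernet5/0/7' and 'Gi5/0/7' to the same short form 'Gi5/0/7'."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(\d.*)", name)
    return m.group(1) + m.group(2) if m else name


def parse_psec_interface(text):
    """Parse 'show port-security interface' into {field: value}; splits on the first ' : '."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+:\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_violations(syslog):
    """Return (mac, port) for every %PORT_SECURITY-2-PSECURE_VIOLATION syslog line."""
    pat = re.compile(r"PSECURE_VIOLATION: .*caused by MAC address (" + MAC + r") on port (\S+)\.")
    return [(m.group(1).lower(), m.group(2)) for m in (pat.search(l) for l in syslog.splitlines()) if m]


def parse_secure_addresses(text):
    """Parse 'show port-security address' rows into (vlan, mac, type, port); header lines are skipped."""
    pat = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+(\S+)\s+(\S+)")
    rows = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows


def triage(port, intended_mac, psec, violations, secure_addrs):
    """Explain why the port keeps returning to err-disable; returns (code, message) pairs."""
    port = short_port(port)
    intended_mac = intended_mac.lower()
    findings = []
    if psec.get("Port Status") == "Secure-shutdown":
        findings.append(("ERRDISABLED", "port is err-disabled by psecure-violation; shut/no shut "
                         "re-enables it only until the next offending frame, so fix the cause first"))
    last = psec.get("Last Source Address:Vlan", "").split(":")[0].lower()
    if last and last != intended_mac:
        findings.append(("MAC_MISMATCH", f"last source address {last} is not the intended device "
                         f"{intended_mac}; a different device is on the port"))
    if int(psec.get("Total MAC Addresses", "0")) == 0 and int(psec.get("Security Violation Count", "0")) > 0:
        findings.append(("NO_SECURED_ADDRESS", "nothing is secured on this port, so the violation is not the "
                         "maximum-count rule; a MAC already secured on another interface in the same VLAN "
                         "also counts as a violation"))
    # Offending MACs seen on this port, plus the one we intend to allow here.
    offenders = {m for m, p in violations if short_port(p) == port} | {intended_mac}
    for vlan, mac, kind, where in secure_addrs:
        if mac in offenders and short_port(where) != port:
            findings.append(("DUPLICATE_ON_OTHER_PORT", f"{mac} is a {kind} address on {where} (VLAN {vlan}); "
                             "this is what 'Found duplicate mac-address' refers to. Remove it there "
                             "(clear port-security sticky interface <id>, or no switchport port-security "
                             "mac-address sticky <mac> under that interface) before securing it here"))
    return findings


def main():
    psec = parse_psec_interface(SHOW_PSEC_IF)
    for code, msg in triage("GigabitEthernet5/0/7", "0011.2233.4455", psec,
                            parse_violations(SYSLOG), parse_secure_addresses(SHOW_PSEC_ADDR)):
        print(f"[{code}] {msg}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the findings for the constructed input; on a real switch, paste the three outputs into the constants and pass the MAC you intend to allow. A DUPLICATE_ON_OTHER_PORT finding means the fix is on the other interface (clear the sticky entry there), not another shut/no shut on this one.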

I did read it. And I did substitute my MAC address in there.

Have you followed the below steps? Please tick and tell us, or show the log of what the outcome was.

1. Shut down the port and remove the config.

config t
!
interface GigabitEthernet5/0/7  (or: default interface GigabitEthernet5/0/7)
shutdown
no switchport port-security mac-address sticky
no switchport port-security
!
end

# clear mac address-table dynamic address xxxx.xxxx.xxxx  (whatever MAC address is shown in the output at "Last Source Address:Vlan : <mac>")

Check whether the MAC address is still in the table. If it is still there, investigate which port it is being learned from and clear it.

Once that MAC address is removed, follow the below config:

interface GigabitEthernet5/0/7
 switchport access vlan XX  (make sure the port belongs to the VLAN; if not, VLAN 1)
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx  (MAC of the device you are looking to connect)
 spanning-tree portfast
end

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

*Jan  8 02:06:40.511: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:no switchport port-security mac-address sticky 
*Jan  8 02:06:44.537: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:no switchport port-security 
*Jan  8 02:06:47.842: %SYS-5-CONFIG_I: Configured from console by cisco on vty5 (192.168.2.79)
*Jan  8 02:08:11.393: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:interface GigabitEthernet5/0/7 
*Jan  8 02:08:14.597: %SYS-5-CONFIG_I: Configured from console by cisco on vty5 (192.168.2.79)
*Jan  8 02:11:06.748: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:interface GigabitEthernet5/0/7 
*Jan  8 02:11:16.227: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport access vlan 1
*Jan  8 02:11:21.294: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport mode access 
*Jan  8 02:11:24.540: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security 
*Jan  8 02:11:30.354: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security violation restrict 
*Jan  8 02:11:37.098: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security mac-address sticky 
*Jan  8 02:11:55.192: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security mac-address sticky <mac>
*Jan  8 02:12:04.831: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:spanning-tree portfast 
*Jan  8 02:14:38.175: %SYS-5-CONFIG_I: Configured from console by cisco on vty5 (192.168.2.79)
*Jan  8 03:18:54.216: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:!exec: enable
*Jan  8 03:38:12.238: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:!exec: enable
*Jan  8 03:38:42.555: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:interface GigabitEthernet5/0/7 
*Jan  8 03:38:45.164: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:shutdown 
*Jan  8 03:38:52.982: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:no switchport port-security mac-address sticky 
*Jan  8 03:38:56.195: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:no switchport port-security 
*Jan  8 03:38:58.493: %SYS-5-CONFIG_I: Configured from console by cisco on vty5 (192.168.2.79)
*Jan  8 03:40:21.448: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:interface GigabitEthernet5/0/7 
*Jan  8 03:40:27.723: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport access vlan 1
*Jan  8 03:40:32.580: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport mode access 
*Jan  8 03:40:34.660: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security 
*Jan  8 03:40:38.771: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security violation restrict 
*Jan  8 03:40:43.049: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security violation restrict 
*Jan  8 03:40:51.060: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security mac-address sticky 
*Jan  8 03:41:13.432: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:switchport port-security mac-address sticky <mac>
*Jan  8 03:41:20.336: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:spanning-tree portfast 
*Jan  8 03:41:21.502: %SYS-5-CONFIG_I: Configured from console by cisco on vty5 (192.168.2.79)
*Jan  8 03:41:53.664: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:interface GigabitEthernet5/0/7 
*Jan  8 03:41:56.332: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:shutdown 
*Jan  8 03:41:57.598: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:no shutdown 
*Jan  8 03:41:59.033: %SYS-5-CONFIG_I: Configured from console by cisco on vty5 (192.168.2.79)
*Jan  8 03:41:59.570: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address <mac> on port GigabitEthernet5/0/7.
*Jan  8 03:41:59.595: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/7, changed state to up
*Jan  8 03:42:00.602: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/0/7, changed state to up

Have you defaulted the interface to factory settings, connected the same device and checked whether the port works, before we enable security on the port?

config t
!
default interface GigabitEthernet5/0/7
interface GigabitEthernet5/0/7
no shut
!
end

Connect the device and test.

Another clarification: are you removing the MAC address from the log provided? We do not need the full MAC, but it is good to have the last 4 digits disclosed so we can understand the issue correctly.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, it works.
