Port Security Cisco 3550 & 4506

j.lipsett
Level 1

When I have to remove port security completely from a 3550 switch and re-apply security again to all ports, SOME ports that had the original MAC address start being violated, even though the MAC has not changed?

I have used the clear port security command but this does not work.

I have cleared the mac-address table, this does not work.

The only way I can get the switch to accept the MAC address in the ports is to reboot the switch.

Anyone experienced this behaviour?

3 Replies

Arumugam Muthaiah
Cisco Employee

Hi Lipsett,

The switch supports these types of secure MAC addresses:

  • Static secure MAC addresses - These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.

  • Dynamic secure MAC addresses - These are dynamically configured, stored only in the address table, and removed when the switch restarts.

  • Sticky secure MAC addresses - These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

Refer:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swtrafc.html

You can use port security aging to set the aging time for static and dynamic secure addresses on a port.

Two types of aging are supported per port:

  1. Absolute - The secure addresses on the port are deleted after the specified aging time.
  2. Inactivity - The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of statically-configured secure addresses on a per-port basis.

Regards,

Aru

*** Please rate if the post is useful ***
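
The address types listed above differ in where they are stored: static and sticky secure MAC addresses are written to the running configuration, so a saved copy of it can be audited offline. The following is an added example, not code from the thread or from Cisco; the sample configuration and the function names are constructed for illustration. It reports the port-security state of each interface and lists any secure MAC address configured under more than one interface.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/3
 switchport port-security
 switchport port-security mac-address 00aa.bbcc.ddee
"""

# Matches a static or sticky secure MAC entry; group 1 is set for sticky.
MAC_LINE = re.compile(r"switchport port-security mac-address (sticky )?"
                      r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def audit_port_security(config_text):
    """Per interface: port security enabled, sticky learning, configured MACs."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {
                "enabled": False, "sticky_learning": False, "macs": []})
        elif not raw.startswith(" ") or current is None:
            current = None  # "!" or a global line: outside an interface block
        elif line == "switchport port-security":
            current["enabled"] = True
        elif line == "switchport port-security mac-address sticky":
            current["sticky_learning"] = True
        elif (m := MAC_LINE.match(line)):
            current["macs"].append((m.group(2).lower(), "sticky" if m.group(1) else "static"))
    return ports

def macs_on_multiple_ports(ports):
    """Configured secure MACs that appear under more than one interface."""
    seen = defaultdict(list)
    for name, info in ports.items():
        for mac, _kind in info["macs"]:
            seen[mac].append(name)
    return {mac: names for mac, names in seen.items() if len(names) > 1}
```

Dynamic secure addresses never appear in this audit because they are stored only in the address table.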


Aru

Thanks for your answer, but it does not resolve my issue. I use dynamic sticky security.

The configuration I use is -

interface FastEthernet0/1
 switchport access vlan @
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast

When I remove security with -

Int ra fa 0/1 - 48
 no switchport port-security
 no switchport port-security mac sticky

Then re-apply the config, only some, not all ports lock out, why?

Only a complete reboot solves the issue.

Regards

John

Hi John,

"no switchport port-security" will return the interface to default condition as not a secure port.

I hope when you dynamically configured, stored only in the address table, and it can be removed when the switch restarts.

Regards,

Aru

*** Please rate if the post is useful ***