switchport port-security problem

Tiago Marques
Level 1

Hello everyone,

I wanted to test using switchport port-security with a fixed MAC address for VoIP and sticky for the access VLAN.
For this I created the following config:


switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice


The problem is, the MAC address that the switch learns on the access VLAN never disappears, even though the device is no longer connected.


switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky c434.6b24.5db9 vlan access
switchport port-security mac-address e8ba.7006.59a4 vlan voice

Can you help me?

8 Replies

Mark Malone
VIP Alumni

•Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.

I think, from the above, once you bind the address to the port it's there until you remove it.

OK, just a question:

The phone is always the same, but the device that connects to the access VLAN can change, so how can I ensure security at this network point?

Shouldn't the "switchport port-security aging time 5" delete the MAC address entry?

If the device is changing, don't specify the MAC address after the sticky for the access VLAN:

switchport port-security mac-address sticky (c434.6b24.5db9)

The switchport port-security aging statement is for dynamically learned secure MACs, not for stickies.

This doc may explain it better for you

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/layer2.html

But I don't specify a MAC address after the sticky for the access VLAN!
My initial config is:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice

When I connect a device (a computer), the config automatically changes to:

switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky c434.6b24.5db9 vlan access
switchport port-security mac-address e8ba.7006.59a4 vlan voice

The problem is, the MAC address that the switch learns on the access VLAN never disappears, even though the device is no longer connected.

You would have to use the no form and manually remove it, as it's sticky it does not remove itself. If it's only a couple of different devices that you are aware of connecting to the port, just allow the MACs and make sure your maximum is set with it like below. I don't think you can dynamically change sticky MACs, but you can have more than one per port if you have multiple devices.

interface FastEthernet5/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.0000.0001
 switchport port-security mac-address sticky 0000.0000.0002
 switchport port-security mac-address sticky 0000.0000.0003
 switchport port-security mac-address sticky 0000.0000.0004
 switchport port-security mac-address sticky 0000.0000.0005

Hmm, OK.

Thanks ;)

This should clear them without having to use the no statement when the switchport learns a new MAC again, though it's manual; you will need to bounce the port as well:

clear port-security sticky interface
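The thread's conclusion (aging only expires dynamically learned secure MACs; a sticky entry sits in the running-config until you clear it, and with `maximum 2` already used the next PC on the access VLAN trips a violation) is easy to check and remediate mechanically. The script below is an added example written for this thread, not code from the thread or from Cisco: it parses an interface stanza as it would appear in `show running-config interface`, flags the sticky entry on the access VLAN, emits the accepted answer's `clear port-security sticky interface` plus the per-entry `no` form and a port bounce, and prints a configuration that keeps the phone static while letting the PC be learned dynamically and aged out on inactivity. The interface name and VLAN ids in the sample are invented; the MAC addresses are the ones from the poster's config; the "recommended" configuration at the end is my suggested policy for the scenario, not the accepted answer.

```python
"""Audit a Catalyst port-security stanza for sticky entries that will never age
out, and emit clean-up commands plus a configuration that avoids the problem.
Added example for this thread; not code from the thread or from Cisco. The
interface name and VLAN ids below are constructed for the demonstration."""
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's port after the PC on the access VLAN has
# been learned as a sticky address (interface name and VLAN ids are invented).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky c434.6b24.5db9 vlan access
 switchport port-security mac-address e8ba.7006.59a4 vlan voice
!
"""

MAC_LINE = re.compile(
    r"switchport port-security mac-address (?P<sticky>sticky )?"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (?P<vlan>\S+))?"
)


@dataclass
class SecureMac:
    mac: str
    vlan: str       # "access", "voice" or a VLAN id
    sticky: bool    # True: written as sticky; False: configured static entry


@dataclass
class PortSecurity:
    interface: str
    enabled: bool = False
    maximum: int = 1
    aging_time: int = 0          # minutes; 0 means aging is disabled
    sticky_learning: bool = False
    macs: list = field(default_factory=list)


def parse_interface(config: str) -> PortSecurity:
    """Build a PortSecurity model from one 'interface ...' stanza."""
    ps = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ps = PortSecurity(interface=line.split(None, 1)[1])
        elif ps is None or not line.startswith("switchport port-security"):
            continue
        elif line == "switchport port-security":
            ps.enabled = True
        elif line.startswith("switchport port-security maximum "):
            ps.maximum = int(line.split()[3])
        elif line.startswith("switchport port-security aging time "):
            ps.aging_time = int(line.split()[4])
        elif line == "switchport port-security mac-address sticky":
            ps.sticky_learning = True
        elif (m := MAC_LINE.fullmatch(line)):
            ps.macs.append(SecureMac(m["mac"], m["vlan"] or "access", bool(m["sticky"])))
    if ps is None:
        raise ValueError("no interface stanza in input")
    return ps


def audit(ps: PortSecurity, access_device_rotates: bool = True) -> dict:
    """Classify the secure MACs and, for a port whose access-VLAN device changes,
    produce the commands that remove the stale sticky entry.

    'aging time' only expires dynamically learned secure MACs; sticky and
    static entries stay (static ones age only if 'aging static' is set). Once
    'maximum' entries are held, the next new MAC causes a violation."""
    findings = []
    stale = [m for m in ps.macs if m.sticky and m.vlan == "access"]
    for m in ps.macs:
        kind = "sticky" if m.sticky else "static"
        findings.append(f"{m.mac} vlan {m.vlan}: {kind} entry, not removed by aging time {ps.aging_time}")
    at_maximum = len(ps.macs) >= ps.maximum
    if at_maximum:
        findings.append(f"{len(ps.macs)}/{ps.maximum} secure addresses used: a new MAC triggers a violation")
    exec_cmds, config_cmds = [], []
    if access_device_rotates and stale:
        # Accepted answer: clear the sticky entries (exec mode), then bounce the port.
        exec_cmds.append(f"clear port-security sticky interface {ps.interface}")
        # Equivalent per-entry removal with the 'no' form, followed by the bounce.
        config_cmds.append(f"interface {ps.interface}")
        config_cmds += [f" no switchport port-security mac-address sticky {m.mac} vlan {m.vlan}" for m in stale]
        config_cmds += [" shutdown", " no shutdown"]
    return {"stale_sticky": [m.mac for m in stale], "at_maximum": at_maximum,
            "findings": findings, "exec": exec_cmds, "config": config_cmds}


def recommended_config(ps: PortSecurity, voice_mac: str) -> list:
    """Assumed policy for the thread's scenario (my suggestion, not the accepted
    answer): keep the phone as a static entry on the voice VLAN, turn sticky
    learning off so the PC is learned dynamically, and age the PC's entry out
    on inactivity rather than on the default absolute timer."""
    return [
        f"interface {ps.interface}",
        " switchport port-security",
        f" switchport port-security maximum {ps.maximum}",
        f" switchport port-security aging time {ps.aging_time}",
        " switchport port-security aging type inactivity",
        " no switchport port-security mac-address sticky",
        f" switchport port-security mac-address {voice_mac} vlan voice",
    ]


if __name__ == "__main__":
    port = parse_interface(SAMPLE_CONFIG)
    result = audit(port)
    print("\n".join(result["findings"] + result["exec"] + result["config"]))
    print("\n".join(recommended_config(port, "e8ba.7006.59a4")))
```

Run it against a pasted `show running-config interface <port>` stanza to get the exact `clear`/`no` lines for that port; with `access_device_rotates=False` it only reports, which is the right setting for ports where a sticky PC entry is intended.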
