04-27-2015 02:41 AM - edited 03-07-2019 11:44 PM
Hello everyone,
I wanted to test using switchport port-security with a fixed MAC address for VoIP and sticky for the access VLAN.
For this I created the following config:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice
The problem is, the MAC address that the switch learns on the access VLAN never disappears, even though the device is no longer connected:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky c434.6b24.5db9 vlan access
switchport port-security mac-address e8ba.7006.59a4 vlan voice
Can you help me?
04-27-2015 03:49 AM
•Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.
I think from the above, once you bind the address to the port it's there until you remove it.
04-27-2015 05:12 AM
Ok, just a question:
The phone is always the same, but the device that connects to the access VLAN can change, so how can I ensure security at this network point?
Shouldn't the "switchport port-security aging 5 time" delete the MAC address entry?
04-27-2015 05:30 AM
If the device is changing, don't specify the MAC address after the sticky for the access VLAN:
switchport port-security mac-address sticky (c434.6b24.5db9)
The switchport port-security aging statement is for dynamically learned secure MACs, not for stickies.
This doc may explain it better for you.
04-27-2015 06:04 AM
But I don't specify a MAC address after the sticky for the access VLAN!
My initial config is:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice
When I connect a device (computer), the config automatically changes to:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky c434.6b24.5db9 vlan access
switchport port-security mac-address e8ba.7006.59a4 vlan voice
The problem is, the MAC address that the switch learns on the access VLAN never disappears, even though the device is no longer connected.
04-27-2015 07:32 AM
You would have to use the no form and manually remove it; as it's sticky, it does not remove itself. If it's only a couple of different devices that you are aware of connecting to the port, just allow the MACs and make sure your maximum is set with it, like below. I don't think you can dynamically change sticky MACs, but you can have more than one per port if you have multiple devices.
interface FastEthernet5/1
switchport mode access
switchport port-security
switchport port-security maximum 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.0000.0001
switchport port-security mac-address sticky 0000.0000.0002
switchport port-security mac-address sticky 0000.0000.0003
switchport port-security mac-address sticky 0000.0000.0004
switchport port-security mac-address sticky 0000.0000.0005
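The two points made above (aging applies to dynamically learned secure MACs, not to sticky ones; a sticky entry only goes away with the no form or clear port-security sticky) are easy to miss when reviewing many ports. The following Python audit is an added example, not code from the thread or from Cisco: it parses IOS-style interface blocks, records the port-security state of each port, and flags sticky entries that the configured aging time will never remove. The interface names, access/voice VLAN numbers and the second interface in SAMPLE_CONFIG are constructed; the MAC addresses are the ones posted in the thread. It generalises the single interface discussed to a whole running-config.

```python
"""Audit Cisco IOS port-security config for sticky entries that aging will never remove.

Added example (not from the thread or from Cisco). Assumes 'show running-config'
style text with one-space indented interface sub-commands.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the poster's port after the PC's MAC became a sticky entry,
# plus a second port that secures only the phone and learns the PC dynamically.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky c434.6b24.5db9 vlan access
 switchport port-security mac-address e8ba.7006.59a4 vlan voice
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security aging time 5
 switchport port-security mac-address e8ba.7006.59a5 vlan voice
!
"""

MAC = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
VLAN = r"(?:\s+vlan\s+(\S+))?"


@dataclass
class PortSecurity:
    interface: str
    enabled: bool = False
    maximum: int = 1                   # IOS default once port-security is enabled
    sticky_learning: bool = False      # 'mac-address sticky' with no address
    aging_time: Optional[int] = None   # minutes; None means aging not configured
    aging_type: str = "absolute"       # IOS default
    static_macs: list = field(default_factory=list)  # (mac, vlan or None)
    sticky_macs: list = field(default_factory=list)  # (mac, vlan or None)


def parse_config(text: str) -> dict:
    """Return {interface name: PortSecurity} for every interface block in text."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = PortSecurity(m.group(1))
            result[current.interface] = current
            continue
        if current is None or not line.startswith("switchport port-security"):
            continue
        rest = line[len("switchport port-security"):].strip()
        if rest == "":
            current.enabled = True
        elif (m := re.fullmatch(r"maximum\s+(\d+)", rest)):
            current.maximum = int(m.group(1))
        elif (m := re.fullmatch(r"aging time\s+(\d+)", rest)):
            current.aging_time = int(m.group(1))
        elif (m := re.fullmatch(r"aging type\s+(absolute|inactivity)", rest)):
            current.aging_type = m.group(1)
        elif rest == "mac-address sticky":
            current.sticky_learning = True
        elif (m := re.fullmatch(r"mac-address sticky\s+" + MAC + VLAN, rest)):
            current.sticky_macs.append((m.group(1).lower(), m.group(2)))
        elif (m := re.fullmatch(r"mac-address\s+" + MAC + VLAN, rest)):
            current.static_macs.append((m.group(1).lower(), m.group(2)))
    return result


def audit(ps: PortSecurity) -> list:
    """Findings based on the behaviour described in the thread."""
    findings = []
    if not ps.enabled:
        return findings
    secured = len(ps.static_macs) + len(ps.sticky_macs)
    if secured > ps.maximum:
        findings.append(f"{ps.interface}: {secured} configured secure MACs exceed maximum {ps.maximum}")
    if ps.aging_time and ps.sticky_macs:
        # Aging only removes dynamically learned secure MACs; sticky entries stay in the config.
        for mac, vlan in ps.sticky_macs:
            where = f" vlan {vlan}" if vlan else ""
            findings.append(
                f"{ps.interface}: sticky entry {mac}{where} will not age out after {ps.aging_time} min; "
                f"remove it with 'no switchport port-security mac-address sticky {mac}{where}' "
                f"or 'clear port-security sticky interface {ps.interface}' and bounce the port")
    if ps.aging_time and ps.sticky_learning:
        findings.append(
            f"{ps.interface}: sticky learning is on, so the next MAC learned becomes a sticky entry "
            f"that aging time {ps.aging_time} ignores; use dynamic learning (no 'mac-address sticky') "
            f"on the access VLAN if the device changes")
    return findings


def audit_config(text: str) -> dict:
    """Run audit() over every interface; returns {interface: [finding, ...]}."""
    return {name: audit(ps) for name, ps in parse_config(text).items()}


if __name__ == "__main__":
    for name, notes in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not notes else "")
        for note in notes:
            print("  -", note)
```

Run it against the output of show running-config; on the sample it reports two findings for FastEthernet0/1 (the sticky access-VLAN entry and the sticky learning that created it) and none for FastEthernet0/2, where only the phone is pinned and the access VLAN is learned dynamically.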
04-27-2015 08:16 AM
Hmm, ok.
Thanks ;)
04-27-2015 08:29 AM
This should clear them without having to use the no statement when the switchport learns a new MAC again, though it's manual; you will need to bounce the port as well:
clear port-security sticky interface