Solved: Re: Why are WiFi host MAC addresses being marked as STATIC?

Cadeyrn · ‎09-21-2021

Hi. While administrating a newly provisioned Catalyst 1000 switch, I needed to find the MAC address of a host on the WiFi VLAN 20. So I tried the following:

SW01#show mac address-table dynamic vlan 20
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

It seemed strange that there was no output because I was connected to this VLAN. I pulled out my phone to check that it was connected, too. Next I dropped the dynamic filter and was able to find the desired MAC address:

SW01#show mac address-table vlan 20
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
  20    1cb1.7fe4.7434    STATIC      Gi1/0/3
  20    7440.bb7f.d88f    STATIC      Gi1/0/3
  20    b072.bff3.0f04    STATIC      Gi1/0/3
  20    b89a.2aea.ecd7    STATIC      Gi1/0/3
  20    c8ff.7700.77ed    STATIC      Gi1/0/3
  20    d8c4.6a91.cfde    STATIC      Gi1/0/3
Total Mac Addresses for this criterion: 26

Oddly all of the MAC addresses off of Gi1/0/3 are STATIC. I have not manually defined these, so I would have expected DYNAMIC. (And indeed on my non-WIFI VLANs the host MAC addresses are marked as DYNAMIC.) Why are these MAC addressed being identified as STATIC? Is this the expected behavior?

Thank you.

Peter Paluch · ‎09-22-2021

Hello,

Ah, this explains it fully, then.

Even with dynamic secure MAC addresses, they are stored in the MAC address table as static. This is by design and this behavior is expected. The reason is that the dynamic secure MAC addresses do not expire the way the usual MAC addresses do, so from the viewpoint of the MAC address table management, they are static. Dynamic secure MAC addresses are forgotten

if the port goes down (such as getting disconnected or shut down),
or when you reload the switch,
or when you configure switchport port-security aging

So - no worries. What you observed is fully expected.

Best regards,
Peter

View solution in original post

Georg Pauwen · ‎09-21-2021

Hello,

odd indeed. Is that the same for wired clients ?

Cadeyrn · ‎09-22-2021

Hi Georg,

The wired clients in other VLANs all show dynamic MAC addresses.

But as Peter indicated, it is probably due to "port-security maximum 30" on this interface.

(No using sticky MAC learning though.)

I have not yet implemented this for the other interfaces.

Thanks.

Peter Paluch · ‎09-21-2021

Hello,

By any chance, did you activate port security on Gi1/0/3? All secure MAC addresses learned through port security (whether dynamic secure, static secure or sticky secure) will be marked as static in the MAC address table output unless you have also configured their aging.

If you haven't configured port security on Gi1/0/3, would you be so kind to share its configuration here? Maybe there is another feature there that causes the MAC addresses to be stored as static.

Best regards,
Peter

Cadeyrn · ‎09-22-2021

Hi Peter.

I do have port security enabled to limit the number of MAC addresses learned on the Gi1/0/3.

interface GigabitEthernet1/0/3
 description wifi access point
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 30
 switchport port-security violation restrict
 switchport port-security
end

Not an absolute maximum, but I want to know if / when it exceeds that number so that I can confirm if it appropriate and make appropriate changes.

I had avoided manual MAC entry and sticky MACs, so I thought that the switch would consider incoming MACs as dynamic. I am not a downtime window to shutdown the port and remove the maximum at this time but will test it at a later time.

I had not yet implemented it on other ports so only noticed it on this interface.

Thank you.

Peter Paluch · ‎09-22-2021

Hello,

Ah, this explains it fully, then.

Even with dynamic secure MAC addresses, they are stored in the MAC address table as static. This is by design and this behavior is expected. The reason is that the dynamic secure MAC addresses do not expire the way the usual MAC addresses do, so from the viewpoint of the MAC address table management, they are static. Dynamic secure MAC addresses are forgotten

if the port goes down (such as getting disconnected or shut down),
or when you reload the switch,
or when you configure switchport port-security aging

So - no worries. What you observed is fully expected.

Best regards,
Peter

Cadeyrn · ‎09-22-2021

Thank you Peter for the explanation.

Apparently my understanding was incomplete.

Much appreciated.

Peter Paluch · ‎09-22-2021

Hello,

You are very welcome. I knew about this "surprise" because I was caught off guard by it myself when I first discovered the behavior years ago. Then again, it makes sense. A dynamic secure MAC address is dynamic only to the Port Security mechanism itself, but to the MAC address table, it needs to behave as a static one that does not expire and does not move to another port because that's the whole point of a secure MAC.

Best regards,
Peter