why to use the sticky command with port-security
05-23-2007 10:11 AM - edited 03-05-2019 04:15 PM
Hi, I would like to know why we need the sticky keyword with port-security.
Without the sticky keyword, if the maximum number of MAC addresses allowed on that port is 1, then when the switch learns the first MAC address it will add that MAC address to the secure MAC address table anyway. So why do we need the sticky keyword?
Can someone please explain this to me?
Regards,
Sebastan
05-23-2007 10:15 AM
Hi Sebastan,
All sticky secure MAC addresses are added to the running configuration. Dynamically configured secure MAC addresses are stored only in the address table and are removed when the switch restarts.
If the sticky keyword is added, dynamically learned or manually configured secure MAC addresses are stored in the address table and added to the running configuration. If these addresses are saved in the configuration file, you need not dynamically reconfigure them when the switch restarts.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12235se/scg/swtrafc.htm
HTH
Ankur
*Please rate all helpful posts
05-23-2007 06:06 PM
Hi, so you mean to say the only difference is that with the sticky keyword, when the switch restarts it need not learn the secure MAC address again, right?
Without the sticky command the switch will have to learn the MAC address dynamically every time the switch restarts.
Can we add the sticky keyword for dynamically learned MAC addresses?
Regards,
Sebastan
05-23-2007 07:51 PM
Hi Sebastan,
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning.
To enable sticky learning, enter the "switchport port-security mac-address sticky" interface configuration command.
When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
All sticky secure MAC addresses are added to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
HTH
Ankur
*Please rate all helpful posts
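An added example, not posted by anyone in this thread, showing how the dynamic and sticky variants described above look in an IOS configuration. The interface names and the MAC address are placeholders.

```cisco
! Constructed example, not from the thread. Interface names and MAC are placeholders.
!
! Port A: dynamic port-security. The learned secure address lives only in
! the address table, so it is gone after a reload and whichever host sends
! the first frame afterwards becomes the secure address.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Port B: sticky learning. The learned address is written into the
! running configuration as a "mac-address sticky <mac>" line.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! After the host on Fa0/2 sends its first frame, the running-config for
! that interface gains a line of this form (placeholder MAC):
!  switchport port-security mac-address sticky 0011.2233.4455
!
! Verify with (exec mode):
!  show running-config interface FastEthernet0/2
!  show port-security interface FastEthernet0/2
!
! The running-config is not the startup-config. Without this step the
! sticky entries are lost on reload, as Ankur describes (exec mode):
!  copy running-config startup-config
```

After the copy, a different device attached to Fa0/2 after a reload triggers the configured violation action instead of being learned as the new secure address.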
05-06-2010 07:54 AM
Hi all
I have another question related to the subject; maybe one of you knows the answer:
I don't get why we have two possibilities to add a MAC address to the configuration:
switchport port-security mac-address 1234.5678.9012
- and/or -
switchport port-security mac-address sticky 1234.5678.9012
Why would one want to use the second command, if the first one does the job of entering the address into the secure MAC table and the configuration?
A theory for the second command: Is it possible that the switch only adds the address to the table, and eventually raises the counted addresses (towards the maximum limit), if it is actually *seen* on the port? So as long as that listed sticky address is not seen on the port, other dynamic addresses may "use up" the max counter before the stated one becomes active (and it gets blocked in the process)?
(To make things more complicated: the acceptance of the commands even varies between platforms: a 3560 w/ 12.2(50)SE4 allows both commands, while a Cat3550 w/ 12.2(46)SE6 only allows the first one and the second without the last MAC argument.)
Thanks for any help!
Toni
11-14-2010 03:49 PM
Once the sticky addresses are saved to the startup config, no one can just pull the power cord and connect a laptop to the switch during the boot process, because the switch will remember the previous MAC address in the startup config and move the laptop port into the err-disable state (for violation shutdown). (Of course, unused ports should already be shut down and moved to an unused VLAN.)
I'm not sure why anyone would need or want to use the "switchport port-security mac-address sticky 1234.5678.9012" command... that command is not supported on my 4507's or 3750's...
11-14-2010 09:13 PM
The sticky command is used to avoid the pain of statically configuring each and every MAC address on the switch port.