01-10-2025 03:28 PM
Hello folks,
I have an issue with a Cisco 2960 port-security setting. I have enabled port-security on interface f0/3 with shutdown mode and a maximum of two MAC addresses. However, when I reach the maximum MAC limit, port-security does not shut down the interface. Also, the "Total MAC addresses" field is not incrementing when I switch to a different computer on the same f0/3 port. Any ideas?
Solved! Go to Solution.
01-10-2025 05:05 PM - edited 01-10-2025 05:32 PM
Port-security doesn't actually shut down the interface; it puts the interface into err-disabled.
If you are disconnecting one PC and connecting another one, this will not trigger the port-security protection. You need to connect all the MAC addresses at the same time.
You need to use another switch in order to test. The idea of port-security is to protect the interface in the event of multiple MAC addresses connecting at the same time, not sequentially.
Or, in order to trigger it by testing sequentially, use the sticky keyword to fix one MAC address to the interface.
01-10-2025 05:39 PM
Hello
Change the port aging time to a specific time value and the aging type to inactivity, then test again; you should then see a violation.
01-11-2025 01:46 AM
You are doing it wrong.
Max with dynamic does not work.
You need to change the mode from dynamic to sticky.
Connect more than one PC and you will see the port go down with a log message.
MHM
01-11-2025 07:47 AM - edited 01-11-2025 07:48 AM
@MHM Cisco World wrote:
You are doing it wrong.
Max with dynamic does not work.
You need to change the mode from dynamic to sticky.
Connect more than one PC and you will see the port go down with a log message.
MHM
@MHM Cisco World, this is incorrect. In this instance it WILL work, but as stated by @Flavio Miranda, for a violation to be incurred the maximum MAC address count needs to be exceeded, and for that to happen when the aging type is set to absolute it will require, in this instance, 3+ devices to be seen on the same port at the same time.
However, setting any aging time with the inactivity type for a short period, OR as you stated setting the mode to sticky, will also incur a violation. The latter, however, will always assign the hardware address to the port EVEN if the device associated with that MAC, whether dynamically OR statically learned, is not present.
Lastly, you CAN have dynamically learned sticky MAC addressing.
01-11-2025 08:11 AM
Hello @MHM Cisco World
I am not saying your suggestion to use sticky MAC addressing won't work. I am saying your statement that the OP's current port-security settings won't work is incorrect; it WILL work.
01-11-2025 08:01 AM
I am confused. I now see many edits to replies after I shared my answer for @GabrielART!
@GabrielART, use sticky and your lab will work fine.
MHM
01-11-2025 01:20 PM
Evening fellas,
Thank you all for your solutions. As Flavio mentioned, "sticky" MAC works. I have previously tested on another interface: it learns the MAC address dynamically, decrements the "Maximum MAC addresses" learned, and if two are allowed, no violation occurs.
I find it a bit confusing why you always have to add the "sticky" keyword in order to make it work. You would think that if you just enable port security, set the maximum allowed MAC addresses per interface, and connect and disconnect three PCs sequentially, it would trigger the violation mode. The switch would learn and keep a record of each MAC, and disable the port once the maximum number of allowed MACs has been reached, but that is not the case.
So, after reading your solutions, I conclude there are two scenarios for how to use port-security: statically assign the allowed MAC addresses per interface and set a maximum number of MACs allowed; or dynamically learn MAC addresses with the "sticky" keyword and set the maximum allowed MACs per interface.
I have not messed with the aging time as Paul Driver mentioned above. I will test later on to see if it changes anything.
Thanks again for the support.
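The configurations discussed in this thread, collected as an added example; this is not configuration posted by any participant above. The interface names, VLAN and MAC addresses are assumed for illustration. The baseline block is the setup the OP describes (dynamic learning, maximum 2, violation shutdown); the two blocks after it are the two approaches the OP concluded on (static entries, and sticky learning), followed by the inactivity-aging variant suggested above and the commands used to verify a violation and recover an err-disabled port. Dynamic secure addresses live only in the address table and are dropped when the link goes down, which is why swapping PCs on one port re-learns from zero and never exceeds the maximum; sticky addresses are written into the running configuration and survive link flaps, so a third device plugged in later does trigger the violation. Sticky entries survive a reload only if the running configuration is saved.

```cisco
! ---- Baseline: what the OP has (assumed interface f0/3, VLAN 10) ----
! Dynamic secure MACs are flushed on link down, so unplugging PC1 and
! plugging in PC2 starts the count again at 0. Only 3+ source MACs seen
! concurrently (e.g. behind a hub or another switch) exceed "maximum 2".
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! ---- Approach 1: static allowed MACs (addresses are assumed) ----
! With maximum 2 and two static entries, any other source MAC on the
! port, whether a third PC or a spoofing device, is a violation.
interface FastEthernet0/3
 switchport port-security mac-address 0000.1111.aaaa
 switchport port-security mac-address 0000.2222.bbbb
!
! ---- Approach 2: sticky learning (assumed interface f0/4) ----
! The first two MACs seen are written into the running-config as
! "switchport port-security mac-address sticky <mac>" and persist across
! link flaps. A third PC plugged in later triggers the violation.
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! ---- Variant: age out idle dynamic entries instead of waiting for link down ----
! aging time is in minutes; "inactivity" ages an entry after it stops sending.
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! ---- Automatic recovery from a shutdown-mode violation ----
! A violation in shutdown mode puts the port in err-disabled, not admin down.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Save so sticky entries survive a reload.
end
write memory
!
! ---- Verification (exec mode) ----
! Port Status, Violation Mode, Maximum MAC Addresses, Total MAC Addresses,
! Security Violation Count, and Last Source Address:Vlan for the interface.
show port-security interface FastEthernet0/3
! All secure MACs with their type (SecureDynamic, SecureSticky, SecureConfigured).
show port-security address
! Which ports are currently err-disabled and why.
show interfaces status err-disabled
!
! Manual recovery when errdisable recovery is not enabled.
configure terminal
interface FastEthernet0/3
 shutdown
 no shutdown
```

After a violation in shutdown mode, `show port-security interface` reports the port status as "Secure-shutdown" and the violation count incremented; the syslog entry is a `%PM-4-ERR_DISABLE: psecure-violation error detected` line for the interface. Use `violation restrict` instead of `shutdown` if the port should stay up and only drop the offending frames while still counting and logging the violation.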
01-11-2025 01:30 PM
Your conclusion is wrong again, sorry.
Two cases:
1- Direct connection of a PC to the switch: you need sticky with max.
2- Indirect connection of PCs, such as connecting a hub to the switch port and connecting three or more PCs to the hub: you can use dynamic and max. <- This is very rare and not recommended at all. No one uses hubs in their network anymore.
MHM
01-11-2025 02:43 PM - edited 01-11-2025 02:48 PM
Hello
Glad to hear you agree with @Flavio Miranda; he was correct in his solution.
I would just like to add a caution when applying port-security sticky: the switch will then keep any MAC address it has learned (even after a reload of the switch), so if the device associated with that MAC address is relocated to another port, a violation will be seen on the switch(es) in the form of a MAC-move violation. You need to be aware of the sticky feature and its actions.
Edited: I forgot to mention you DON'T have to use port-security sticky to make it work. It is an option, yes, but not the only way and surely not the recommended way.