Port-Security Not Working Properly

GabrielART (Level 1)

Hello folks, 

I have an issue with Cisco 2960 port-security settings. I have enabled port-security on interface f0/3 with the shutdown violation mode and a maximum of two MAC addresses. However, when I reach the maximum MAC limit, port-security does not shut down the interface. Also, the "Total MAC addresses" field is not incrementing when I switch to a different computer on the same f0/3 port. Any ideas?

[Four screenshots were attached showing the port-security configuration and show output for f0/3.]

@GabrielART

Port-security doesn't actually shut down the interface; it puts the interface in error-disable.

If you are disconnecting one PC and connecting another one, this will not trigger the port-security protection. You need to connect all the MAC addresses at the same time.

You need to use another switch in order to test. The idea of port-security is to protect the interface in the event of multiple MAC addresses connecting at the same time, not sequentially.

Or, in order to trigger it by testing sequentially, use the sticky keyword to fix one MAC address to the interface.

Hello,
change the port aging time to a specific time value and the aging type to inactivity, then test again; you should then see a violation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

You are doing it wrong.

Max with dynamic does not work.

You need to change the mode from dynamic to sticky.

Connect more than one PC and you will see the port go down with a log message.

MHM


@MHM Cisco World wrote:

You are doing it wrong.

Max with dynamic does not work.

You need to change the mode from dynamic to sticky.

Connect more than one PC and you will see the port go down with a log message.

MHM


@MHM Cisco World this is incorrect. In this instance it WILL work, but as stated by @Flavio Miranda, for a violation to be incurred the maximum number of MAC addresses needs to be exceeded, and for that to happen when the aging type is set to absolute it will require, in this instance, 3+ devices to be seen on the same port at the same time.

However, setting any aging time with the inactivity type for a short period, OR, as you stated, setting the mode to sticky, will also incur a violation; however, the latter will always assign the hardware address to the port EVEN if the device associated with that MAC, whether dynamically OR statically learned, is not present.

Lastly, you CAN have dynamically learned sticky MAC addressing.



Kind Regards
Paul

Hello @MHM Cisco World
I am not saying your suggestion to use sticky MAC addressing won't work; I am saying your statement that the OP's current port-security settings won't work is incorrect - it WILL work.



Kind Regards
Paul

I am confused; I now see many edits to replies after I shared my answer for @GabrielART!!!

@GabrielART use sticky and your lab will work fine.

MHM

GabrielART (Level 1)

Evening fellas, 

Thank you all for your solutions. As Flavio mentioned, "sticky" MAC works. I have previously tested on another interface and it learns the MAC address dynamically, decrements the "Maximum MAC addresses" count, and if two are allowed, no violation will occur.

I find it a bit confusing why you always have to put the "sticky" keyword in order to make it work. You would think that if you just enable port security and set the maximum allowed MAC addresses per interface, then connect and disconnect three PCs sequentially, it would trigger the violation mode. The switch would learn, keep a record of each MAC, and disable the port once the maximum number of allowed MACs has been reached, but that is not the case.

So, after reading your solutions, I conclude there are two scenarios for how to use port-security: statically assign the allowed MAC addresses per interface and set a maximum number of MACs allowed; or dynamically learn MAC addresses with the "sticky" suffix command, and set the maximum allowed MACs per interface.

I have not messed with the aging time as Paul Driver mentioned above. Will test later on to see if it changes anything.

Thanks again for the support. 
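The configuration variants discussed in this thread, written out as an added example rather than the original poster's actual config or screenshots. The interface names, the maximum of 2, and the sample MAC addresses are assumptions chosen to match the description in the question; the IOS commands themselves are standard Catalyst 2960 port-security syntax.

```cisco
! Added example (not the OP's config). Catalyst 2960 port-security variants from this thread.
! Interface numbers, the maximum of 2 and the MAC addresses below are assumed/constructed.

! --- Variant 1: what the OP configured. Dynamic learning, default absolute aging.
! Per the accepted solution, swapping PCs one at a time does not accumulate
! addresses toward the maximum; only 3+ stations present at the same time
! (e.g. behind a downstream switch) exceed the maximum and err-disable the port.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

! --- Variant 2: sticky learning (Flavio's and MHM's suggestion). The first two
! MACs seen are written into the running-config as
! "switchport port-security mac-address sticky <mac>" and are kept after the PC
! is unplugged, so a third PC connected later triggers the violation.
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky

! --- Variant 3: statically assigned MACs (the OP's first scenario).
! 0000.1111.aaaa / 0000.1111.bbbb are constructed placeholder addresses.
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address 0000.1111.aaaa
 switchport port-security mac-address 0000.1111.bbbb

! --- Paul's suggestion applied to the dynamic variant: a short inactivity
! aging time instead of the default absolute aging.
interface FastEthernet0/3
 switchport port-security aging time 2
 switchport port-security aging type inactivity

! Let err-disabled ports recover automatically (default interval 300 seconds)
! instead of requiring a manual "shutdown" / "no shutdown" on the interface.
errdisable recovery cause psecure-violation

! Verification: violation count, secure address count and current port status.
show port-security interface FastEthernet0/3
show port-security address
show errdisable recovery
```

Two things to keep in mind when choosing between these: sticky addresses live in the running-config, so they only survive a reload once the config is saved to startup-config, and a sticky address that moves to another port produces the mac-move violation Paul describes later in the thread. The "show port-security interface" output is where to check whether the "Total MAC Addresses" and "Security Violation Count" fields actually change during a test.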

Your conclusion is wrong again, sorry.

Two cases:

1- direct connection of a PC to the SW: you need sticky with max.

2- indirect connection of PCs, like connecting a hub to the SW port and three or more PCs to the hub: you can use dynamic and max. <<- this is so rare and not recommended at all. No one uses a hub in their network anymore.

MHM

Hello,
glad to hear you agree with @Flavio Miranda; he was correct in his solution.

Just like to add a caution when applying port-sec sticky: the switch will then keep any MAC address it has learned (even after a reload of the switch), so if the device associated with that MAC address is relocated to another port then a violation will be seen on the switch(es) in the form of a mac-move violation. You need to be aware of the sticky feature and its actions.

Edited - forgot to mention you DON'T have to use port-sec sticky to make it work; it's an option, yes, but not the only way and surely not the recommended way.



Kind Regards
Paul