Snags with sticky MACs

I recently inherited a network which uses port-security with sticky MACs. I had not used this configuration in a long time, and one limitation I was not aware of caused me some trouble: a given MAC address can be learned as sticky on only one port in the configuration. So if a device is moved from one port to another and stops working, check whether its MAC is still stored as sticky on the old port.

“sh log” on the switch shows the error:

[Screenshot: Switch port-security tshoot 1]

Normally in this situation one would clear the sticky MAC on gi2/0/45, but here that alone will not work, because the MAC is already stored as sticky on another port.

“sh port-security address” can be used to identify which port the MAC exists on.

[Screenshot: Switch port-security tshoot 2]

This shows that the offending device has been moved from port gi2/0/44 (where it exists in the port-security config) to gi2/0/45.

We can then go ahead and clear the stored MAC for both gi2/0/44 and gi2/0/45 to allow these ports to be used once more. Don’t forget to shut and un-shut the ports after this!

[Screenshot: Switch port-security tshoot 3]
[Screenshot: Switch port-security tshoot 4]
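To automate the check described above, here is an added example (not from the original post) that parses a PSECURE_VIOLATION log line and the output of "show port-security address", and reports when the violating MAC is already sticky on a different port. The log line, the table and the interface names are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample of the violation as seen in "sh log"
# (follows the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message format).
SAMPLE_LOG = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
              "caused by MAC address 0011.2233.4455 on port GigabitEthernet2/0/45.")

# Constructed sample of "show port-security address" output.
SAMPLE_TABLE = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----   -------------
   1    0011.2233.4455    SecureSticky                  Gi2/0/44        -
   1    aabb.ccdd.eeff    SecureSticky                  Gi2/0/45        -
-----------------------------------------------------------------------------
"""

VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+?)\.?$", re.I)
TABLE_ROW_RE = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)
LONG_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_ifname(name: str) -> str:
    """Normalise 'GigabitEthernet2/0/45' to 'Gi2/0/45' so log and table names compare."""
    for long, short in LONG_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name

def sticky_ports(table: str) -> dict:
    """Map each SecureSticky MAC in the table to the port it is stuck to."""
    result = {}
    for line in table.splitlines():
        m = TABLE_ROW_RE.match(line)
        if m and m.group(2).lower() == "securesticky":
            result[m.group(1).lower()] = m.group(3)
    return result

def find_stale_sticky(log_line: str, table: str) -> Optional[dict]:
    """Return the stale-sticky conflict and clean-up commands, or None if this is not that case."""
    m = VIOLATION_RE.search(log_line)
    if not m:
        return None
    mac, new_port = m.group(1).lower(), short_ifname(m.group(2))
    old_port = sticky_ports(table).get(mac)
    if old_port is None or old_port == new_port:
        return None  # ordinary violation, not a MAC stuck to a different port
    return {"mac": mac, "old_port": old_port, "new_port": new_port,
            "fix": [f"clear port-security sticky interface {old_port}",
                    f"clear port-security sticky interface {new_port}",
                    f"interface {new_port}", "shutdown", "no shutdown"]}
```

The returned "fix" list mirrors the post's remedy: clear the stored MAC on both ports, then shut and un-shut the port the device now sits on.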
