Port-security on switch
errorken (Member, 21 posts), in CCNA & CCENT
I read all the Cisco docs I could find, but I'm not getting a real answer about this (and let this be one of the few things I'm not able to test live).
After enabling port-security, as I understand it, the MAC table can be filled in three ways:
- By adding them manually using the 'port-security mac-address' command (secure static)
- Let the switch learn them itself, adding them to the table, forgetting them after a reboot, even if you did a copy run start (secure dynamic)
- Let the switch learn them itself, adding them to the table AND adding them to the running config, so if you do a copy run start they would be there after reload (secure sticky)
There seems to be a fourth way: using sticky AND giving a MAC address. I don't see why this is useful, but it probably has something to do with the way the switch acts if you 'disable' sticky learning (since they are added with 'sticky' they still fall under the 'secure sticky' category).
Question 1: there are some things going on when you disable sticky learning (after it has learned some MACs). As I understand from the Cisco docs, the commands the switch added to the running config are still there, but the MACs are removed from the MAC table. Why? Secondly, if I did a copy run start, would the MACs appear in the MAC table after a reload? (If so, what's the use of removing them before the reload anyway?) I would assume that you explicitly disable sticky learning after the required MACs are in there. So it would be like:
<network stable>
<enable sticky>
...wait some time...
<disable sticky>
<copy run start>
As far as I understand, the 'sticky' mode is just there to auto-generate the config lines you would otherwise have to type manually.
Question 2: when you do a 'sh mac-address-table static', do sticky-learned MACs show up as dynamic or static? I would assume that MACs that are added by the switch on reload (the ones that are 'saved') show up as static. That would be: secure-static and secure-sticky. The MACs that aren't saved show up as dynamic, which would be secure-dynamic. PS. I'm not talking about 'sh port-security address'.
Comments
iworms (Member, 53 posts)
errorken wrote: Question 1: there are some things going on when you disable sticky learning (after it has learned some MACs). As I understand from the Cisco docs, the commands the switch added to the running config are still there, but the MACs are removed from the MAC table.
errorken (Member, 21 posts)
Ok thanks, that clears up the issue. For some reason I cannot find the resource at Cisco saying anything about clearing the MAC table (maybe I misread; I'm going to look for it though).
Anyway, this means that port-security should *remain* in sticky mode as long as you want the MACs to be in the configuration file, right? So it would not be possible to leave a 'slot' of MAC space open for dynamic learning?
Suppose I set the max MACs to 20. Next I enable sticky and let it learn 18 MACs. Then I disable sticky learning and let the remaining 2 slots be filled by (possibly) dynamically learned MACs, which are indeed 'forgotten' after the next reload. To do this I would disable sticky, but then I would lose all the sticky MACs after the next reload as well, since they become secure-dynamic and are removed from the config file...
(You could probably do a workaround by copying the commands the sticky functionality has added to the config, modifying the syntax so they are added as static MACs, and then pasting these lines back into the console.)
iworms (Member, 53 posts)
Let's see if I understand you: you want to (for example) allow 20 MACs on a port, of which 18 are static and 2 are dynamic. But typing in 18 addresses is too much work (unless they pay you $50/hr to type it), so you want the switch to do the initial learning and convert the first 18 MACs into static. But using "sticky" gives you 20 sticky addresses, so you want to disable sticky at 18 but somehow keep the entries as static.
My limited experience tells me there is no fully automated way. The only thing I can think of is what you have said: get the 18 sticky addresses -> copy into a config file -> disable sticky -> manually edit the config file (remove "sticky") -> copy to startup-config -> reload or "copy start run". If anyone knows a better way please post here.
For your question 2, the sticky addresses show up as "STATIC" in the mac table (when I tried on a 2950).
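The manual workaround both posters describe (copy the sticky lines out of the config, strip the "sticky" keyword so they become static secure addresses, drop the sticky-learning line, and load the result as startup-config) can be scripted. The following is an added example, not code from either poster or from Cisco; the config fragment is constructed, and the MAC format and `switchport port-security` syntax are assumed to be the standard IOS dotted-hex form shown on the page.

```python
import re
from typing import Tuple

# Constructed sample running-config fragment (not captured from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 20
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 0011.2233.4456
 switchport port-security mac-address sticky 0011.2233.4457
!
interface FastEthernet0/2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.ddee
!
"""

# The sticky-learning switch line (no address) versus a sticky-learned address line.
STICKY_ENABLE = re.compile(r"^\s*switchport port-security mac-address sticky\s*$")
STICKY_ADDR = re.compile(
    r"^(\s*switchport port-security mac-address) sticky ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)
INTERFACE = re.compile(r"^interface\s+\S+")

def sticky_to_static(config: str, keep_per_port: int) -> Tuple[str, int]:
    """Rewrite the first `keep_per_port` sticky addresses on each interface as
    static secure addresses, drop any further sticky addresses, and remove the
    sticky-learning line so those slots stay free for secure-dynamic learning.
    Returns (rewritten config, number of addresses converted)."""
    out, converted, seen_on_port = [], 0, 0
    for line in config.splitlines():
        if INTERFACE.match(line):
            seen_on_port = 0          # the keep limit is per interface
        if STICKY_ENABLE.match(line):
            continue                  # do not re-enable sticky learning on reload
        m = STICKY_ADDR.match(line)
        if m:
            if seen_on_port >= keep_per_port:
                continue              # leave this slot to dynamic learning
            seen_on_port += 1
            converted += 1
            line = f"{m.group(1)} {m.group(2).lower()}"   # drop the 'sticky' keyword
        out.append(line)
    return "\n".join(out) + "\n", converted

if __name__ == "__main__":
    new_cfg, n = sticky_to_static(SAMPLE_CONFIG, keep_per_port=2)
    print(f"converted {n} sticky entries to static")
    print(new_cfg)
```

The "maximum" line is left untouched, so the difference between it and the number of static entries is what remains available for dynamic learning on each port.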