Port Security - Real World Advice\Experience

Ok I'm doing some more work on port security and am happy enough with everything. So I'm now looking to roll this out to a production enviroment and I get to thinking about clearing any violations that occur following office moves etc. Now that's easy enough to deal with as desktop support are usually aware of this and will let us know which ports are going to be affected so we can clear the mac addreses as needed.

But I was wondering what to do in situations such as conference rooms where multiple (Unkown number) devices could be connected to the Lan.

I suspect I will set a HIGH max-number and monitor it.

I've been looking around and found I can set a timer on any violations and wondered if it was possibll to set some kind of automatic clear of the mac address, I'll have another look for that tomorrow but does anyone know if thats possible?

How do others deal with these issues?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

ColbyG

Aging time is what clears the MAC after a period of time. You can avoid the port going err-disable by using restrict or protect.

laidbackfreak

Cheers Colby only skimmed the article but I was under the impression it cleared the error but mainted any known mac address.

I'll double check it

ColbyG

I'll explain it a little better. When using "switchport port-security maximum 2" (for instance), the switch allows two MACs connected at a time, by default, when one host is unplugged its MAC is cleared. If you were to use the "switchport port-security aging time 5" command, it would take 5 minutes for that MAC to age out once the host was disconnected.

Does that make more sense?

laidbackfreak

Ah yes that makes more sense, so following on from that. What happens if sticky ports are in place ?

Bl8ckr0uter

laidbackfreak wrote: »

Ah yes that makes more sense, so following on from that. What happens if sticky ports are in place ?

That port will associate a mac address to it for a particular amount of time. From there you can do switchport port-sec vio shutdown and kill the port. Then someone would have to issue a no shut command to get the port back up.

I think the standard is 2 sticky macs (1 for the phone, and 1 for pc). Keep in mind though that many phones (like mine) are switches themselves so keep this in mind if you have users that use more that 2 things that connect via ethernet (like me).

laidbackfreak

knwminus wrote: »

That port will associate a mac address to it for a particular amount of time.

I was under the impression that the sticky feature put the mac address into the running config. And the only way to clear it was to issue a clear command (or no switchport security).

If there is a way to clear it automatically I'd love to know, but I kinda think that defeats the purpose of having sticky ports.

ColbyG

This link explains sticky pretty well:

Cisco Port Security and Sticky MAC Addresses

Bl8ckr0uter

So we were both right....great find Colby!