Port Security help (IP phone + PC)

blackberry Member Posts: 59
I have port security enabled with the following commands:
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security aging time 1
switchport port-security aging type inactivity

Every time I switch the Ethernet cable from one device to another it does not shut down but just picks up the new MAC address. When I enable the sticky command, then the port shuts down, but I feel that the sticky command will cause too much overhead when a user moves.

Here is what the port-security interface output looks like:

SwitchA#show port-security int fa 1/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 1232.b123.baca:1
Security Violation Count : 0

Ideally, I want the port to shut down without the sticky command and clear the MAC address during an inactivity period that I set. Any ideas?


  • Mstavridis Member Posts: 107
    I am confused. You are allowing 2 devices as of right now, so are you attaching a third device when you say "Every time I switch the Ethernet cable from one device to another it does not shut down"?
  • blackberry Member Posts: 59
    I am attaching a third device to test the shutdown violation.
  • higherho Member Posts: 882
    You need to enable the sticky command for it to work properly. Even if you have max 2 enabled, without the mac-address sticky command the switch won't know which MACs it needs to keep bound to that port and therefore won't shut down the port, because it still thinks you are allowing any through.


    I read Jason's statement and I thought I stated the same thing, but I did it poorly. He is correct: any two MACs can be on it at the same time, that's it, but MAC sticky will only allow whatever first two MACs get on there (or manually entered ones).
  • Jason0352 Member Posts: 59
    The way you have it set up now, any 2 MACs can be connected to the port, but if you introduce more than 2 MACs on that port it shuts down. Sticky or manually adding the MAC address to the port is the only way it's going to track MACs and shut down the port if it senses different MACs. It really isn't too bad in terms of overhead if you have syslog events set up to email you whenever port-security violations are triggered.