Why use the sticky command with port-security?

Unanswered Question
May 23rd, 2007

Hi, I would like to know why we need the sticky keyword with port-security.

Without the sticky keyword, if the maximum number of MAC addresses allowed on that port is 1, then when the switch learns the first MAC address it will add that MAC address to the secure MAC address table anyway. So why do we need the sticky keyword?

Can someone please explain this to me?

Regards,

Sebastan

Overall Rating: 4.5 (2 ratings)
ankbhasi Wed, 05/23/2007 - 10:15

Hi Sebastan,

All sticky secure MAC addresses are added to the running configuration. Dynamically configured secure MAC addresses are stored only in the address table and are removed when the switch restarts.

If the sticky keyword is added, dynamically learned or manually configured secure MAC addresses are stored in the address table and added to the running configuration. If these addresses are saved in the configuration file, you need not dynamically reconfigure them when the switch restarts.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12235se/scg/swtrafc.htm

HTH

Ankur

*Please rate all helpful posts

sebastan_bach Wed, 05/23/2007 - 18:06

Hi, so you mean to say the only difference is that with the sticky keyword, when the switch restarts it need not learn the secure MAC address again, right?

Without the sticky command the switch will have to learn the MAC address dynamically every time the switch restarts.

Can we add the sticky keyword for dynamically learned MAC addresses?

Regards,

Sebastan

ankbhasi Wed, 05/23/2007 - 19:51

Hi Sebastan,

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning.

To enable sticky learning, enter the "switchport port-security mac-address sticky" interface configuration command.

When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

All sticky secure MAC addresses are added to the running configuration.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

HTH

Ankur

*Please rate all helpful posts
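The procedure Ankur describes, written out as an added IOS configuration example (this is not configuration from the original thread or from Cisco's documentation; the interface name GigabitEthernet0/5, VLAN 10 and the MAC address 0011.2233.4455 are made-up values for illustration):

```cisco
! Added example. Interface, VLAN and MAC address below are hypothetical.
configure terminal
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Enable sticky learning: the first MAC address seen on the port is learned
 ! dynamically, converted to a sticky secure address, and written to the
 ! running configuration. Any dynamic secure addresses already learned on
 ! this port are converted at the moment this command is entered.
 switchport port-security mac-address sticky
 end

! Verify what was learned and how it is classified (SecureSticky vs SecureDynamic).
show port-security interface GigabitEthernet0/5
show port-security address

! After the host has sent a frame, the running config carries the learned
! address as a sticky entry, e.g.:
!   switchport port-security mac-address sticky 0011.2233.4455
show running-config interface GigabitEthernet0/5

! Without this step the sticky entry is lost on reload and the port relearns
! whichever MAC address shows up first after boot.
copy running-config startup-config

! For comparison, the static form below pre-configures the address without
! waiting to learn it; the secure table then holds it as SecureConfigured:
!   switchport port-security mac-address 0011.2233.4455

! Optional: let a port that was err-disabled by a violation recover on its own
! instead of requiring a manual shutdown / no shutdown.
configure terminal
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
```

The security-relevant point is the `copy running-config startup-config` line: sticky learning only puts the address into the running configuration, so a switch that is reloaded without saving behaves exactly like one with plain dynamic port-security and will accept the first MAC address that appears on the port after boot.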

tgrundbacher Thu, 05/06/2010 - 07:54

Hi all

I have another question related to the subject; maybe one of you knows the answer:

I don't get why we have two possibilities to add a MAC address to the configuration:

switchport port-security mac-address 1234.5678.9012

- and/or -

switchport port-security mac-address sticky 1234.5678.9012

Why would one want to use the second command, if the first one does the job of entering the address into the secure MAC table and the configuration?

A theory for the second command: is it possible that the switch only adds the address to the table and eventually raises the counted addresses (towards the maximum limit) if it is actually *seen* on the port? So as long as that listed sticky address is not seen on the port, other dynamic addresses may "use up" the max counter before the stated one becomes active (and gets blocked in the process)?

(To make things more complicated: the acceptance of the commands even varies between platforms: a 3560 w/ 12.2(50)SE4 allows both commands, a Cat3550 w/ 12.2(46)SE6 only allows the first one and the second w/out the last MAC argument.)

Thanks for any help!

Toni

tgryting Sun, 11/14/2010 - 15:49

Once the sticky addresses are saved to the startup config, no one can just pull the power cord and connect a laptop to the switch during the boot process, because the switch will remember the previous MAC address from the startup config and move the laptop's port into the err-disable state (for violation shutdown). (Of course, unused ports should already be shut down and moved to an unused VLAN.)

I'm not sure why anyone would need or want to use the "switchport port-security mac-address sticky 1234.5678.9012" command... that command is not supported on my 4507s or 3750s...

Talha Ansari Sun, 11/14/2010 - 21:13

The sticky command is used to avoid the pain of statically configuring each and every MAC address on the switch port.
