port security duplicate mac address

Unanswered Question
Jun 12th, 2007
User Badges:

hi lads ,

wea re using port security with a maximum of 10 mac-addresses specified . WE are also using the sticky feature to aid the configuration. Everything is on one vlan in the organisation. Heres the problem when we take a laptop from a port int a different departmetent up to the I.T department and plug it into one of our ports , it doesn't work . The new port dosent go into an err-disable state and if we try to speific the mac address on the new port port we get "Mac address already exists . The mac-add is under the old port , when we remove the entry fom the old port it works any ideas . 3750 stack running 12.2(25) SEB4.

Thanks in advance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cisco_lad2004 Tue, 06/12/2007 - 12:01
User Badges:
  • Gold, 750 points or more


check teh config of the 1stswitch and check if teh mac address has been added to it. this is what "port-security mac-address sticky" and if it is the case, of course you will have a duplicate mac-address.

to remove it, use "no switchport port-security mac-address mac-address" this should clear your issue.



kcornally Wed, 06/13/2007 - 03:24
User Badges:

hi lads

thanks for the replies.

Yes I have speficed a time and action but the mac address stays ubder the original port but when I do a sh mac-address table xxxxx.xxxx.xxxx the mac address is no longer mapped to any port . The new port still passes no traffic.

kcornally Wed, 06/13/2007 - 04:26
User Badges:

here is the configuration as you can see the time and aging action have been specifed but it dosent work. Is there something we are missing here or is this a possible issue with the cam table and aging mac addresses timer on the interface .

Any ideas would be great....

interface FastEthernet4/0/27

switchport mode access

switchport port-security

switchport port-security maximum 10

switchport port-security aging time 6

switchport port-security aging type inactivity

switchport port-security mac-address sticky

switchport port-security aging static

switchport port-security mac-address sticky 000b.cdf7.2748

switchport port-security mac-address sticky 0012.79be.d781

switchport port-security mac-address sticky 0015.60bb.a189

switchport port-security mac-address sticky 00b0.d018.0034

switchport port-security mac-address sticky 00c0.9f76.7e83

switchport port-security mac-address sticky 00c0.9f76.7ea5

spanning-tree portfast

spanning-tree bpduguard enable

kcornally Wed, 06/13/2007 - 05:33
User Badges:

also I noticed that under the remaining time in the age colum under the show port-security

is set ot a - sign , it should give a relevant number as time decreases instead its stuck at - .

Again any idea would be great.

Edison Ortiz Wed, 06/13/2007 - 05:39
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Do you shutdown the laptop before taking it to a new port at the other location ?

kcornally Wed, 06/13/2007 - 05:52
User Badges:

thanks for all the posts lads,

I believe I've figured it out , you dont appear to be able to use the sticky command under the interface and also the aging-time .

When the sticky command is removed the time out works fine , although you can type in both commands the timeout will never work because the sticky command copies the mac address to the config .

Edison Ortiz Wed, 06/13/2007 - 06:02
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Ah, so one of the mac-address listed above was the laptop's ? Well, yeah, you are statically associating that mac-address to the port.

cisco_lad2004 Wed, 06/13/2007 - 07:58
User Badges:
  • Gold, 750 points or more

use "no switchport port-security mac-address mac-address" this should clear your issue.

once u have removed ur PC, use teh above then recheck if mac address is still part of the config...it shoudl not be there anymore which means no duplication.


This Discussion