What exactly does mac-address sticky do?

ece344609_2
Level 1

Hi all,

We have implemented port security on our IOS switches and one of the options is mac-address sticky. I wanted to know what it does and whether it should be implemented in conjunction with port security.

Thanks all.


alsayed
Level 1

Hi

Sticky means that when you reload the switch, the switch still saves the MAC addresses learned, e.g. when you configure switchport port-security max 2

10xs

Edison Ortiz
Hall of Fame

It dynamically associates the mac-address to the port. Without the sticky option, the mac-address association goes away after a specified period of time.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_37_se/command/reference/cli3.html#wp1948361

HTH,

__

Edison.

Thanks guys.

Edison, my senior!

The mac-address association also goes away after rebooting if you ignore the sticky keyword, but with sticky the port saves the MAC address forever.

Ali,

You are indeed correct. From the link I posted:

When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.

It validates your posting.

Also, some additional information:

If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses.

When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration.

If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.
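The documentation quoted above says sticky addresses live in the running configuration and are lost on restart unless saved. As an added example (not part of the original thread), this Python sketch compares a running and a startup configuration and reports sticky secure MACs that have not been saved; the sample configs, interface names and function names are constructed for illustration.

```python
import re

# Constructed sample configs (assumed for illustration, not from the thread).
RUNNING = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 0011.2233.4466
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address 1234.5678.9012
!
"""
STARTUP = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
"""

# Matches only sticky entries that carry an address, not the bare enable line.
STICKY = re.compile(r"^\s+switchport port-security mac-address sticky "
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def sticky_macs(config):
    """Map interface name -> set of sticky secure MACs found under it."""
    result, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None  # "!" or a global command ends the interface block
        else:
            m = STICKY.match(line)
            if m and iface:
                result.setdefault(iface, set()).add(m.group(1).lower())
    return result

def unsaved_sticky(running, startup):
    """Sticky MACs in the running config that a reload would discard."""
    run, start = sticky_macs(running), sticky_macs(startup)
    return {i: sorted(macs - start.get(i, set()))
            for i, macs in run.items() if macs - start.get(i, set())}
```

Statically configured addresses, such as the one on FastEthernet0/2 in the sample, are ignored because they are not sticky entries.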

Hi all

I have another question related to the subject, maybe one of you knows the answer:

I don't get why we have two possibilities to add a MAC address to the configuration:

switchport port-security mac-address 1234.5678.9012

- or -

switchport port-security mac-address sticky 1234.5678.9012

Why would one want to use the second command, if the first one does the job of entering the address into the secure MAC table and the configuration?

A theory for the second command: Is it possible that the switch only adds the address to the table and eventually raises the counted addresses (towards the maximum limit) if it is actually *seen* on the port? So as long as that listed sticky address is not seen on the port, other dynamic addresses may "use up" the max counter before the stated one becomes active (and gets blocked in the process)?

(To make things more complicated: The acceptance of the commands even varies between platforms: a 3560 w/ 12.2(50)SE4 allows both commands, a Cat3550 w/ 12.2(46)SE6 only allows the first one and the second w/out the last MAC argument)

Thanks for any help!

Toni

As you mentioned two commands in your question

switchport port-security mac-address mac-address

and

switchport port-security mac-address sticky

 

The 2nd command is used to dynamically assign the MAC address to the switchport when the device is connected to this port, and once a MAC is assigned to the switchport, it's permanently assigned to that port. Now when a new device is attached to this switchport, it will be denied by the switch.

 

 
