Security on Switchports

Unanswered Question
Jun 2nd, 2008

Can someone please explain to me the difference between the commands "switchport port-security" (which is the only mandatory command needed to configure port security) and "switchport port-security mac-address sticky"? Doesn't the first command use the first MAC it sees, just like Sticky?

Jon Marshall Mon, 06/02/2008 - 07:20

The sticky option in the command tells the switch to add the mac-addresses learnt on the interface to the running config. If you then save that running config and the switch is reloaded it will use those mac-addresses when it has rebooted. See this link for more details:


Amit Singh Mon, 06/02/2008 - 07:26

Hi Jon, how are you!!

Just to add to Jon's post, by default this sticky option writes all the dynamically learned addresses to the running-config, and you can also define the statically configured mac-addresses with the sticky option to be added to running-config.


-amit singh

Jon Marshall Mon, 06/02/2008 - 07:29


Haven't seen you around for a while, or maybe I just keep missing you. I'm good, taking a bit of time off work but still keeping my hand in with NetPro when I get the chance :-)

Hope things are good with you


Pravin Phadte Mon, 06/02/2008 - 07:27

The first one, switchport port-security, is straightforward: you know the mac-address on that port and you configure it so.

The second one, switchport port-security mac-address sticky, gives you more flexibility. The mac-address can be dynamically learned. The actual command you type in is:

"switchport port-security mac-address sticky"

The switch then automatically adds the command:

"switchport port-security mac-address sticky H.H.H" once it has learned the mac-address.

You can also manually configure it, but you might as well configure as in the first one.

network489 Mon, 06/02/2008 - 07:37

I was told that by simply entering the switchport port-security command, we accept the default settings of only allowing one MAC address, and determining that MAC address from the first device that communicates on that specific port. Which seems to be the same idea behind "Sticky".

Jon Marshall Mon, 06/02/2008 - 07:43

You are correct in that only one mac-address is allowed, but if you then disconnected the device on that port and connected another device then you still only have one mac-address on that port and so it would be allowed.

With sticky you are specifying the actual mac-address that is allowed on that port so if you connect a different device it will not be allowed.
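
The difference discussed in this thread, side by side, as an added example that is not part of any poster's reply: the interface names and the MAC address are constructed, and the commands are standard Catalyst IOS port-security syntax.

```cisco
! Added example. Interface names and the MAC address are constructed.
!
! Port A: port security with defaults (maximum 1, violation shutdown).
! The secure address is learned dynamically, is NOT written to the
! running-config, and is cleared when the link goes down, so the next
! device plugged in is learned and allowed.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
! Port B: same limits written out explicitly, plus sticky learning.
! The first MAC seen is written into the running-config and survives
! link down/up, so a different device on this port is a violation.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! After the first frame arrives on Fa0/2 the switch adds a line like:
!  switchport port-security mac-address sticky 0000.5e00.5301
!
! Verification from privileged EXEC:
!  show port-security interface FastEthernet0/2
!  show port-security address
!  show running-config interface FastEthernet0/2
!
! Sticky entries live only in the running-config until saved:
!  copy running-config startup-config
```

With the default violation mode, a second MAC on the sticky port puts the interface into err-disabled state, which `show port-security interface` reports as Secure-shutdown.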


