How do I apply multiple MAC addresses on multiple ports for port security

Unanswered Question
Oct 23rd, 2008

I want to allow the same set of MAC addresses on different ports and tried the following

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address sticky

switchport port-security mac-address 1111.1111.1111

switchport port-security mac-address 2222.2222.2222

When I enter these commands on one port it accepts them, but the moment I enter the same commands on another port on the same switch it says duplicate MAC address.

Is there any way to allow what I want to do?

a.moch Fri, 10/24/2008 - 04:48


It is a requirement because of the failover of server NICs. Each physical NIC uses a unique MAC address, but if the primary NIC fails, the secondary NIC takes over the MAC address of the primary.

Port security disables that port in that case because of the duplicate MAC address.

Mo'ath Al Rawashdeh Fri, 10/24/2008 - 05:59


Try to use the same configuration above, but without:

switchport port-security mac-address 1111.1111.1111

switchport port-security mac-address 2222.2222.2222

as these two MAC addresses will be dynamically learnt and saved to the running config once the server gets connected to the 2 switch ports.

Please provide us with feedback.


a.moch Sat, 10/25/2008 - 01:24

Same result. The switch complains about a duplicate MAC when the failover occurs.

As long as both NICs are working normally there is no problem, but when the primary NIC fails, the secondary switch port is disabled because of the duplicate MAC.

allan.thomas Sat, 10/25/2008 - 04:23

Not sure whether this will work in your situation, but it is an option you could possibly try?

Have you tried using port-security mac-address aging when port-security is using dynamic instead of sticky?

You can configure mac-address aging to commence during periods of inactivity, but the question is how quickly the switch learns the mac-address when the standby assumes the primary MAC?

In theory you can age out the mac-address on the switchport after anything between 1 and 1440 minutes.

So after 1 minute of inactivity the mac-address will have aged out. Therefore the primary mac-address could be learned on the other switchport interface? I guess the mac-address will have already been learned before the 1 minute expiry though?

'switchport port-security aging type inactivity'

'switchport port-security aging time 1'



a.moch Mon, 10/27/2008 - 01:55

Thanks for the idea, but it will not work. The failover to the secondary NIC takes seconds or perhaps milliseconds. 1 minute of downtime is not what we want.

John Blakley Mon, 10/27/2008 - 07:29

Enable portfast on the port that you're connected to. That will at least help with the cutover time.


a.moch Mon, 10/27/2008 - 08:30

Portfast is enabled, but this will not help, because the port security aging time is still a minimum of 1 minute.

dgaunt Tue, 12/16/2008 - 08:35

The following site has information on switchport port-security. What you're seeing is called a MAC move violation. When port security is set up on a port, and the same address is set up on a different port in the same VLAN, it puts the port into violation mode (which by default shuts it down). You might be able to put each port onto a different VLAN to fix your particular problem. Considering that you're talking about a "trunk" line, you might consider taking the port security off these ports as another option.
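To tie together allan.thomas's aging suggestion and dgaunt's explanation of the MAC move violation, here is an added IOS configuration example for the two server-facing ports. It is not configuration from the thread or from Cisco documentation; the interface names, the VLAN number and the recovery interval are assumptions. It keeps dynamic (non-sticky) learning with inactivity aging, switches the violation action from the default shutdown to restrict so a MAC move is dropped and logged rather than err-disabling the port, and enables errdisable recovery for the case where shutdown is kept. The show commands at the end are how you confirm the port state and the learned addresses.

```cisco
! Added example (not from the original thread). Two access ports facing a
! server's primary and standby NICs; names and VLAN are assumptions.
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 ! Portfast, as John Blakley suggested, so the port forwards immediately
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 2
 ! Dynamic learning (no "sticky") so the learned entries can age out;
 ! aging starts after inactivity, floor is 1 minute as the thread notes
 switchport port-security aging type inactivity
 switchport port-security aging time 1
 ! restrict: drop the offending frames, log and count the violation,
 ! but do not err-disable the port (default action is shutdown)
 switchport port-security violation restrict
!
! If the default shutdown action is kept instead, bring err-disabled
! ports back automatically rather than waiting for a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
! Verification: port status, violation count and the learned addresses
show port-security interface GigabitEthernet0/1
show port-security address
show errdisable recovery
```

The 1-minute aging floor that a.moch points out still applies, so this does not make the failover itself seamless; what restrict mode and errdisable recovery change is the blast radius of a MAC move violation, which becomes a logged, counted event with a bounded outage instead of a port that stays down until someone intervenes. For monitoring, the violation counter in `show port-security interface` and the syslog messages the restrict action generates are the signals to alert on.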

