Understanding the finer details of Port Security

Unanswered Question
Feb 11th, 2009
User Badges:

I have begun implementing port security on all of my switches.

Interface FastEthernet0/1

description Access Port

switchport access vlan 100

switchport mode access

switchport nonegotiate

switchport voice vlan 200

switchport port-security

switchport port-security maximum 3

switchport port-security violation shutdown

switchport port-security aging time 5

switchport port-security aging type inactivity

no mdix auto

spanning-tree portfast


One of the issues I have run into is that the mac addresses are learned as static addresses on the port. If the user should happen to change ports a security violation occurs sicne the mac addresses is still learned on the previous port. What is the default behavior when aging is disabled? Will the previous port drop the static mac address thus allowing the user to change ports and casue a security violation?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Wed, 02/11/2009 - 02:35
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Gary,


switchport port-security aging time 5

switchport port-security aging type inactivity

you need to wait 5 minutes before plugging the device on another switch port.

notice that with maximum 3 a simple swap of two cables is allowed.

if you disable aging the MAC address is associated to the port with a unlimited lifetime.

Be aware that static MAC addresses are kept in a separate table that is quite smaller then normal CAM table.

Hope to help


gchevalley Sun, 02/15/2009 - 22:57
User Badges:

Thanks, I removed the aging time and instead increased the errdisable recovery interval to 600 sec (5 minutes). This should allow people to change the port they are connected to but prevent people from connecting other networking devices (dumb switches). My intent has been for the port to enter an errdisable state should more than 3 mac addresses be learned on the port and for the port to remain disabled for 5 minutes before recovering.


This Discussion