Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MAC port security with diagnostic equipment

I have recently started to impliment MAC address based port security on 4507's. I can get the ports secure and everything is working fine however how do I handle having a diagnostic device on the port eventually?

I tried to use a statically assigned address for my fluke on every port but I get a message saying it's a duplicate. It seems like I'm not able to have the same MAC address allowed on more than 1 port, which makes sense. What can be done for test equipment though? I suppose I can remove the port security everytime I need to test a port but that seems rather tedious.

Cisco Employee

Re: MAC port security with diagnostic equipment

What is the configuration that you have done on the switchports.Have you done static mac-address config or sticky mac-address config on the switchports.

You can increase the MAX-MAC count to 2 on the switchports.By default the MAX mac count on the switchports is 1. Unless the mac-adress is statically configured on the switchport or learned through " dynamic sticky " method, the mac-address wipes out from the switchport the moment you disconnect the PC from the port.


-amit singh

New Member

Re: MAC port security with diagnostic equipment

From the point of view of the Catalyst Switch, the diagnostic equipment is just any other host attempting to send traffic on that port.

If your diagnostic tool is a layer1 device then it most probably wont have any mac-address and will not send out "ethernet" packets (as they are at Data-link layer2). So it will not interfere with port security.

However, if your device is a layer2 tool sending/receiving ethernet packets then the switch is bound to complain about port security violations.

How about clearing the port security binding on that port with a clear port-security command? You can issue this command, do your testing, issue it again and connect the original host. that should do the trick!