
switchport port-security mac-address sticky

Hardi Ahmed
Level 7

Dear Expert:

I have a spare Cisco 2960 switch in my LAN. All of the ports are administratively down except for port 0/23, which is directly connected to another switchport.

My question is: I activated port security on this interface, and all of the time I find 14 sticky MAC addresses on this interface. What is the reason?

Much appreciate your explanation.

regards,

9 Replies

Jan Hrnko
Level 4

Hi,

Most probably there are other machines connected through that switchport as well. What does this port connect to, another switch? If so, you will see many MAC addresses, probably due to broadcast propagation.

Are you checking it on the switch with disabled ports, or do you mean that you see these addresses on the other side?

Best regards,

Jan

stephen.stack
Level 4

Here is a good link to understand why you are seeing multiple MAC addresses on an uplink port to another switch.

http://www.ciscopress.com/articles/article.asp?p=101367

In a nutshell, each switch will learn where various MAC addresses are on an Ethernet network. As this port is an uplink (presumably a trunk) to another switch and hosts are broadcasting on other switches, this switch will see the traffic and place the sending stations' MAC addresses in its CAM (memory) table, i.e. the MAC address and the port from which it last saw the traffic.

Do please read over Layer2 basics above.

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful


devils_advocate
Level 7

Personally I wouldn't be enabling port security on connections to other switches.

As it's connected to another switch, it's learning the MAC addresses of the hosts connected to that switch because a switch needs to know where to forward frames based on the CAM table.

Of course, forgot to mention this also. Port security on trunks is a no-no.


OK, 1 more question:

What happens if I apply the below commands on the same interface?

  - switchport block multicast

  - switchport block unicast

Here is your reply:

Switch(config-if)# switchport block multicast

Blocks unknown multicast forwarding to the port.

Switch(config-if)# switchport block unicast

Blocks unknown unicast forwarding to the port.

Parvesh Paliwal
Level 3

If you are on a trunk, you will find multiple MAC addresses on the same.

OK, but what about an access port?

On an access port, you will get a single MAC address. As long as the same is not connecting a VM, a blade, a chassis etc.
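
An added example, not part of the original thread or any poster's code: a small Python audit of a saved running-config that flags the two situations the replies describe, port security enabled on a trunk and a secured port that has learned more than one sticky MAC. The sample config and its MAC addresses are constructed, and the function name `audit_port_security` is hypothetical.

```python
import re

# Constructed sample running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4401
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4402
 switchport port-security mac-address sticky 0011.2233.4403
!
interface FastEthernet0/23
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 20
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4410
 switchport port-security mac-address sticky 0011.2233.4411
"""
STICKY = re.compile(r"switchport port-security mac-address sticky ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def audit_port_security(config):
    """Map interface name -> findings for ports where port security looks misplaced."""
    ports, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ports.setdefault(line.split()[1], {"on": False, "trunk": False, "macs": []})
        elif cur is not None and line.startswith(" "):
            stmt = line.strip()
            cur["on"] |= stmt == "switchport port-security"
            cur["trunk"] |= stmt == "switchport mode trunk"
            if (m := STICKY.match(stmt)):
                cur["macs"].append(m.group(1).lower())
        else:
            cur = None  # "!" or a global command ends the interface block
    findings = {}
    for name, p in ports.items():
        notes = ["port security enabled on a trunk"] if p["on"] and p["trunk"] else []
        if p["on"] and len(p["macs"]) > 1:
            notes.append(f"{len(p['macs'])} sticky MACs: several devices behind this port")
        if notes:
            findings[name] = notes
    return findings
```

Calling `audit_port_security(SAMPLE_CONFIG)` leaves the single-host access port unflagged and reports the multi-MAC access port and the secured trunk.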
