Cisco Support Community
After issuing the "port security max-mac-count" or "switchport port-security maximum" command, the switch does not forward packets

Core issue

To set the maximum number of MAC addresses allowed on a port when port security is configured, use the port security max-mac-count command on 2900 and 3500 XL switches, or the switchport port-security maximum command on 2940, 2950, 2955, 2970, 3550 or 3750 series switches.

When one of these commands is issued, MAC address entries are not released when a device becomes inactive, because no aging timer is set.

Resolution

When the port security max-mac-count <1-132> or switchport port-security maximum <1-128> command is configured on a port, the port learns the MAC addresses of the devices connected to the port. You can also manually enter the addresses, up to the specified number of allowed MAC addresses.

When the port security max-mac-count command is configured on a 2900 or 3500 XL switch, the learned addresses do not age and are not lost when the switch resets. If the switchport port-security maximum command is configured on the 2940, 2950, 2955, 2970, 3550 or 3750 series of switches, the addresses do not age out until the switch is reset. If another device is connected to the port after the maximum number has been reached, the port does not permit the new MAC address, even if one or more of the original MAC addresses are inactive.

In other words, on the 2940, 2950, 2955, 2970, 3550 or 3750 series of switches, the learned addresses age out only when the switch is reset.

To avoid having to manually delete the existing secure MAC addresses, issue the port security aging time <time> interface configuration command on the 2900 and 3500 XL switches, or the switchport port-security aging time <time> command on the 2940, 2950, 2955, 2970, 3550 or 3750 series of switches. The time value has a valid range of 1 to 1,440 minutes. The default is 0 minutes, and a value of 0 disables aging. The port security aging time command for the 2900 and 3500 XL switches is present in Cisco IOS Software version 12.0(5) WC5, but not in any earlier release of the WC train, and it is not present in the XU or XP code. To use this command, you must upgrade to Cisco IOS Software 12.0(5) WC5.

You can issue the port security aging or switchport port-security aging time command to set the aging time for all dynamic and static secure addresses on a port. When port security aging is enabled on a port, the secure addresses on the port are deleted only if they are inactive for the specified aging time.

Note: This feature is not available on the Catalyst 2900 Long-Reach Ethernet (LRE) XL switches.

This example shows how to set the port security aging time to two hours on the port of an XL switch:

Switch(config)#interface fa0/1
Switch(config-if)#port security aging time 120

This example shows how to set the port security aging time to two hours on a port of a 2940, 2950, 2955, 2970, 3550 or 3750 series switch:

Switch(config)#interface GigabitEthernet0/5
Switch(config-if)#switchport port-security aging time 120

To disable port security aging for all secure addresses on a port, issue the no port security aging time or no switchport port-security aging time interface configuration command based on the switch that you are using.

To verify the entry, issue the show port security [interface-id] or show port-security address command as appropriate.
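The following script is an added example, not part of the original article or of Cisco's tooling: it walks a saved running-config and flags ports that set switchport port-security maximum while leaving the aging time at its default of 0, the exact condition under which inactive MAC entries are never released. It handles only the switchport port-security syntax (not the XL-family port security form), and the configuration text it reads is constructed for illustration.

```python
"""Flag Catalyst ports that cap secure MACs but never age them out.

Added example, not from the original article. Constructed config below.
"""
import re

# Constructed sample config: Gi0/5 ages entries after 120 min; Gi0/6 leaves
# aging at the default of 0; Gi0/7 sets 0 explicitly (same effect).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/5
 switchport port-security maximum 2
 switchport port-security aging time 120
interface GigabitEthernet0/6
 switchport port-security maximum 1
interface GigabitEthernet0/7
 switchport port-security maximum 3
 switchport port-security aging time 0
interface GigabitEthernet0/8
 switchport mode access
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its list of indented config commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def aging_time(commands):
    """Configured aging time in minutes; 0 (the IOS default) if the command is absent."""
    for cmd in commands:
        m = re.fullmatch(r"switchport port-security aging time (\d+)", cmd)
        if m:
            return int(m.group(1))
    return 0

def ports_without_aging(config):
    """Interfaces with a secure-MAC maximum whose inactive entries are never released."""
    return sorted(
        name for name, cmds in parse_interfaces(config).items()
        if any(c.startswith("switchport port-security maximum ") for c in cmds)
        and aging_time(cmds) == 0
    )

if __name__ == "__main__":
    for port in ports_without_aging(SAMPLE_CONFIG):
        print(f"{port}: secure MAC maximum set but aging time is 0")
```

Run it against the output of show running-config saved to a file to get the list of ports that still need an aging time configured.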

For more information, refer to these documents:
