Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Difference between sticky and non sticky

Hi all,

what's the difference between

a) switchport port-security mac-address xxxx.xxxx.xxxx

b) switchport port-security mac-address sticky xxxx.xxxx.xxxx

Somewhere deep down in the documentation I find that you may use both, but should prefer the version without sticky. Why ? Is there a difference ? At a first glance, I don't see any.

Maybe "sticky xxxx.xxxx.xxxx" in a config is just an indicator to give you a quick visual indication that this mapping was learned and written to the config dynamically - opposed to static mapping without "sticky"? If so, what sense is behind doing static mapping and still be able to use sticky in combination with static mac-addresses like in version b) above ?




Re: Difference between sticky and non sticky

I hope this helps:

"After you have set the maximum number of secure MAC addresses on a port,

the secure addresses are included in an address table in one of these


- You can configure all secure MAC addresses by using the switchport

port-security mac-address mac_address interface configuration command.

- You can allow the port to dynamically configure secure MAC addresses

with the MAC addresses of connected devices.

- You can configure a number of addresses and allow the rest to be

dynamically configured.

Note If the port shuts down, all dynamically learned addresses are


- You can configure MAC addresses to be sticky. These can be dynamically

learned or manually configured, stored in the address table, and added to

the running configuration. If these addresses are saved in the

configuration file, the interface does not need to dynamically relearn

them when the switch restarts. Although sticky secure addresses can be

manually configured, it is not recommended."

< af.html>

The point is with using 'Sticky', this feature essentially is allowing you to set the maxumim number of DYNAMIC learned mac addr's (or nodes) that can tx/rx frames on this port. The the switchport port-security max command is a safeguard to prevent someone connecting a hub to the port for example. Or even a another switch. Without the switchport port-security command we would be unable to stipulate which node based on mac address ID, to allow to use the port.

Perhpaps the way to think about this, and to make it very clear is to imagine if you did not have this flexibility - what would be the drawbacks?



pls rate this post if it helped.

New Member

Re: Difference between sticky and non sticky

Hi Ajaz,

I just wonder why there is a possibility to say "mac sticky" and then specify a static mapping in the same statement. As far as I can see now, it should be _either_ static mapping _or_ sticky mapping (=dynamic learning that does not expire), the mixed version seems to be odd.

For static mappings (where the MAC is already known), I would use "sw po mac xxxx.xxxx.xxxx" without sticky, since an address I already know and configure manually is never "sticky learned".

OTOH, when I want to learn MAC addresses and turn them into static mappings, I'd use "sw po mac sticky" without specifying the actual MAC.

It's just the mixture of both that doesn't make too much sense to me:

- Sticky learning itself is activated independently (sw po mac sticky)

- Manual static mapping has nothing to do with stickyness

- dynamic learning can be non-sticky (normal behaviour) or sticky (dynamically learned addresses are turned into static mappings).

So what use is there for static + sticky ?


It's just that I look for a certain consistency in an interface. Since static mapping is the opposite of dynamic learning, regardless whether the dynamic addresses stay a certain time (non sticky) or "forever" (sticky), I still don't see what exactly a static sticky MAC address is.

If it's just an inconsistency like router interfaces starting with f0/0 and switches starting with f0/1, that's ok with me. I just want to know :). But maybe I don't see a use case where you need static sticky and can't do it any other way.

Best wishes,



Re: Difference between sticky and non sticky


I would put this down to an IOS anomaly and at the end of the day the Cisco IOS SW engineers who prepare the code are allowing us to view and configure these options. Although they do a marvelous job as a whole there are somethings in the IOS which just seem odd or inconsistent. This sticky command is just one of those examples. That said I have a feeling this would not be considered to be a major SW defect. It just causes confusion.

As long as you have a good grasp of the difference of max, sticky and static mac-addr port-security - you'll just fine!

this just confirms what the options are:


hope you have a fabulous w/end.


CreatePlease to create content