a) switchport port-security mac-address xxxx.xxxx.xxxx
b) switchport port-security mac-address sticky xxxx.xxxx.xxxx
Somewhere deep down in the documentation I find that you may use both, but should prefer the version without sticky. Why? Is there a difference? At a first glance, I don't see any.
Maybe "sticky xxxx.xxxx.xxxx" in a config is just an indicator to give you a quick visual indication that this mapping was learned and written to the config dynamically - opposed to static mapping without "sticky"? If so, what sense is behind doing static mapping and still being able to use sticky in combination with static mac-addresses like in version b) above?
The point is with using 'Sticky', this feature essentially is allowing you to set the maximum number of DYNAMIC learned mac addr's (or nodes) that can tx/rx frames on this port. The switchport port-security max command is a safeguard to prevent someone connecting a hub to the port for example. Or even another switch. Without the switchport port-security command we would be unable to stipulate which node based on mac address ID, to allow to use the port.
Perhaps the way to think about this, and to make it very clear is to imagine if you did not have this flexibility - what would be the drawbacks?
I just wonder why there is a possibility to say "mac sticky" and then specify a static mapping in the same statement. As far as I can see now, it should be _either_ static mapping _or_ sticky mapping (=dynamic learning that does not expire), the mixed version seems to be odd.
For static mappings (where the MAC is already known), I would use "sw po mac xxxx.xxxx.xxxx" without sticky, since an address I already know and configure manually is never "sticky learned".
OTOH, when I want to learn MAC addresses and turn them into static mappings, I'd use "sw po mac sticky" without specifying the actual MAC.
It's just the mixture of both that doesn't make too much sense to me:
- Sticky learning itself is activated independently (sw po mac sticky)
- Manual static mapping has nothing to do with stickiness
- dynamic learning can be non-sticky (normal behaviour) or sticky (dynamically learned addresses are turned into static mappings).
So what use is there for static + sticky?
It's just that I look for a certain consistency in an interface. Since static mapping is the opposite of dynamic learning, regardless of whether the dynamic addresses stay a certain time (non sticky) or "forever" (sticky), I still don't see what exactly a static sticky MAC address is.
If it's just an inconsistency like router interfaces starting with f0/0 and switches starting with f0/1, that's ok with me. I just want to know :). But maybe I don't see a use case where you need static sticky and can't do it any other way.
I would put this down to an IOS anomaly and at the end of the day the Cisco IOS SW engineers who prepare the code are allowing us to view and configure these options. Although they do a marvelous job as a whole there are some things in the IOS which just seem odd or inconsistent. This sticky command is just one of those examples. That said I have a feeling this would not be considered to be a major SW defect. It just causes confusion.
As long as you have a good grasp of the difference of max, sticky and static mac-addr port-security - you'll be just fine!
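As an added example (not from the thread or from Cisco): a small Python audit that parses a running-config and reports, per interface, whether port-security is enabled, the configured maximum, which secure addresses are static and which were sticky-written, and whether the address count exceeds the maximum. The config excerpt is constructed for the example; the only IOS syntax it relies on is the `switchport port-security` commands discussed in the thread.

```python
import re

# Constructed sample running-config (not from the thread): static, sticky-learned and mixed forms.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4466
!
interface GigabitEthernet0/2
 switchport port-security
 switchport port-security mac-address 0011.2233.4477
 switchport port-security mac-address 0011.2233.4488
!
interface GigabitEthernet0/3
 switchport mode access
!
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
RE_IF = re.compile(r"^interface (\S+)")
RE_MAX = re.compile(r"^ switchport port-security maximum (\d+)")
RE_STICKY_MAC = re.compile(rf"^ switchport port-security mac-address sticky ({MAC})")
RE_STATIC_MAC = re.compile(rf"^ switchport port-security mac-address ({MAC})")

def audit_port_security(config):
    """Summarise port-security per interface; 'maximum' defaults to 1 on IOS."""
    ports, cur = {}, None
    for line in config.splitlines():
        if (m := RE_IF.match(line)):
            cur = ports[m.group(1)] = {"enabled": False, "maximum": 1, "sticky_learning": False, "static": [], "sticky": []}
        elif cur is None:
            continue
        elif line == " switchport port-security":
            cur["enabled"] = True
        elif (m := RE_MAX.match(line)):
            cur["maximum"] = int(m.group(1))
        elif line == " switchport port-security mac-address sticky":
            cur["sticky_learning"] = True
        elif (m := RE_STICKY_MAC.match(line)):   # sticky-written entry, as in form b)
            cur["sticky"].append(m.group(1))
        elif (m := RE_STATIC_MAC.match(line)):   # manually configured entry, as in form a)
            cur["static"].append(m.group(1))
    for p in ports.values():
        # More configured secure addresses than 'maximum' is worth flagging when reviewing configs offline.
        p["over_maximum"] = len(p["static"]) + len(p["sticky"]) > p["maximum"]
    return ports
```

Interfaces with `enabled` false (Gi0/3 above) are the ones where no secure-address limit applies at all.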