switchport port-security mac-address sticky issue

We have two Catalyst 3550s interconnected via Gigabit ports at different locations.

On switch1 we used the following settings for a specific server:

interface FastEthernet0/37
 description SASP04
 switchport access vlan 26
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 26
 switchport trunk allowed vlan none
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.cdf1.24c5
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root

Now we have moved this server to the other switch, switch2, and configured the new port in the same way:

interface FastEthernet0/34
 description SASP04
 switchport access vlan 26
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 26
 switchport trunk allowed vlan none
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.cdf1.24c5
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root

This was done without touching the config on switch1.

The strange thing is that we saw traffic increasing on several ports, all with the moved server as destination or source.

We then removed the port-security commands from port FA0/37 on switch1 and then the traffic dropped to normal level again.

Can someone explain this behaviour to me?

rgds, Geert.


Re: switchport port-security mac-address sticky issue

Assuming that the port on switch 1 was not connected at the time, the switch accepts frames for destination address 000b.cdf1.24c5 - because it is stored in the configuration [however, a port that is not connected should be pruned from the mac-address-table] - but cannot forward them to the destination port and floods the traffic throughout all ports on the switch. If possible, reproduce this behavior in a lab environment and, if you're running the latest software 12.2(25)SEE, report this to TAC.

From the 12.2(25)SEE documentation:

When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swtrafc.htm#wp1096271

Sticky secure MAC addresses -- These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

HTH

Leon


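The practical check behind both the question and Leon's reply is whether the same sticky secure MAC address has been left configured on more than one port after a host move. The following script is an added example, not code from the original thread or from Cisco: it parses the running-configs of several switches, collects every explicitly configured sticky address per interface, and reports any MAC that appears on more than one (switch, interface) pair. The two constructed configs embedded below reproduce the relevant lines of the Fa0/37 and Fa0/34 interfaces posted above plus one unrelated control interface; the switch names and the control MAC are assumptions made for the example.

```python
"""Find sticky port-security MAC addresses configured on more than one
interface across a set of Cisco IOS running-configs.

A sticky secure address is written into the running-config of the switch
that learned it. If the host is moved to another switch and the old entry
is left behind, the same MAC ends up configured on two ports. This script
flags that condition so the stale entry can be removed.
"""
import re
from collections import defaultdict

# 'interface X' opens a new interface block in an IOS config.
INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
# Only sticky lines that carry an explicit address are of interest; the bare
# 'switchport port-security mac-address sticky' line enables learning only.
STICKY_RE = re.compile(
    r"^\s*switchport port-security mac-address sticky\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)


def parse_sticky_macs(config_text):
    """Return {interface: [mac, ...]} for every sticky MAC in one config.

    Lines are scanned in order; sticky lines are attributed to the most
    recently seen interface. MACs are lowercased so comparisons are stable.
    """
    result = defaultdict(list)
    current = None
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = STICKY_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1).lower())
    return dict(result)


def find_duplicate_sticky_macs(configs):
    """configs: {switch_name: running_config_text}.

    Returns {mac: [(switch, interface), ...]} restricted to MACs that are
    configured sticky on more than one (switch, interface) pair.
    """
    locations = defaultdict(list)
    for switch, text in configs.items():
        for intf, macs in parse_sticky_macs(text).items():
            for mac in macs:
                locations[mac].append((switch, intf))
    return {mac: locs for mac, locs in locations.items() if len(locs) > 1}


# Constructed sample input (assumed switch names; Fa0/37 and Fa0/34 mirror
# the thread, Fa0/1 with an assumed MAC is a control that must not be flagged).
SAMPLE_CONFIGS = {
    "switch1": """
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
interface FastEthernet0/37
 description SASP04
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.cdf1.24c5
""",
    "switch2": """
interface FastEthernet0/34
 description SASP04
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.cdf1.24c5
""",
}

if __name__ == "__main__":
    for mac, locs in find_duplicate_sticky_macs(SAMPLE_CONFIGS).items():
        where = ", ".join(f"{sw} {intf}" for sw, intf in locs)
        print(f"{mac} is configured sticky on more than one port: {where}")
```

Run against real configs, feed the output of `show running-config` from each switch into the dictionary in place of the constructed samples; every MAC it reports is a candidate stale entry that should be removed from the port the host no longer sits on.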