Limit and Learn MAC Addresses

Posted: 11th September 2020 by ccna7guru in ITN

To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value 

The default port security value is 1. The maximum number of secure MAC addresses that can be configured depends the switch and the IOS. In this example, the maximum is 8192.

S1(config)# interface f0/1
S1(config-if)# switchport port-security maximum ?
<1-8192> Maximum addresses
S1(config-if)# switchport port-security maximum

The switch can be configured to learn about MAC addresses on a secure port in one of three ways:

1. Manually Configured

The administrator manually configures a static MAC address(es) by using the following command for each secure MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned

When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC address.

3. Dynamically Learned – Sticky

The administrator can enable the switch to dynamically learn the MAC address and “stick” them to the running configuration by using the following command:

Switch(config-if)# switchport port-security mac-address sticky 

Saving the running configuration will commit the dynamically learned MAC address to NVRAM.

The following example demonstrates a complete port security configuration for FastEthernet 0/1 with a host connected to port Fa0/1. The administrator specifies a maximum of 2 MAC addresses, manually configures one secure MAC address, and then configures the port to dynamically learn additional secure MAC addresses up to the 2 secure MAC address maximum. Use the show port-security interface and the show port-security address command to verify the configuration.

*Mar 1 00:12:38.179: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:39.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1# show port-security address

switchport port-security mac-address sticky