Cisco IOS – Configuring a Sticky MAC Address on IOS

Tags: cisco-ios, command, port-security

What is the use case of the Switch(config-if)# switchport port-security mac-address sticky 0000.1111.1111 command?

By definition, a sticky address is a learned secure address that is added to the running configuration. By definition, a configured address is a secure address that is statically configured via Switch(config-if)# switchport port-security mac-address 0000.2222.2222.

By manually adding a sticky address, I've added a configured address. The command seems to me redundant and contradictory to the concept of a sticky MAC address.

Even the debug port-security entries in the system log call a sticky a configured address. After having issued Switch# clear port-security sticky address 0000.1111.1111, there are entries such as PSECURE: Deleting secure MAC address 0000.1111.1111 on port and PSECURE: Address is sticky on port and PSECURE: Delete configured address: 0000.1111.1111 from subblock.

Best Answer

While you can manually configure a sticky address, it is not usually used that way (and in fact Cisco recommends against it):

You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

(source: Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(20)EWA - emphasis is mine)

In other words, when you want to manually configure a MAC address on a port, you use

switchport port-security mac-address nnnn.nnnn.nnnn

but when you want the switch to automatically learn the first MAC seen on a port and remember that (even if there is no traffic seen from that MAC for a long time), then you use:

switchport port-security mac-address sticky

and after the switch learns a MAC address, you will see that it has automatically added:

switchport port-security mac-address sticky nnnn.nnnn.nnnn
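As an added audit helper (my own code, not from the answer above or from Cisco), the script below parses both forms of the mac-address line, keeps learned sticky addresses apart from statically configured ones, and reports sticky addresses that are present in running-config but not yet saved to startup-config. The interface names and config snippets are constructed; the MAC addresses are the ones used in the question.

```python
import re
from dataclasses import dataclass, field

ADDR = re.compile(r"switchport port-security mac-address (sticky )?([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})")

@dataclass
class PortSecurity:
    sticky_learning: bool = False                # switchport port-security mac-address sticky
    static: list = field(default_factory=list)   # ... mac-address X  (configured address)
    sticky: list = field(default_factory=list)   # ... mac-address sticky X  (learned, in running-config)

def parse_port_security(config):
    """Map interface name -> PortSecurity from an IOS running- or startup-config."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = PortSecurity()
        elif current is None or not line.startswith(" "):
            current = None                       # '!' or a global command ends the interface block
        elif line.strip() == "switchport port-security mac-address sticky":
            result[current].sticky_learning = True
        elif m := ADDR.fullmatch(line.strip()):  # group(1) is set only for the sticky form
            (result[current].sticky if m.group(1) else result[current].static).append(m.group(2))
    return result

def unsaved_sticky(running, startup):
    """Sticky addresses in running-config but not in startup-config: learned since the last
    'copy running-config startup-config', so lost on reload; the port then relearns whatever appears first."""
    saved, lost = parse_port_security(startup), {}
    for name, ps in parse_port_security(running).items():
        missing = [m for m in ps.sticky if m not in saved.get(name, PortSecurity()).sticky]
        if missing:
            lost[name] = missing
    return lost

# Constructed sample configs: interface names are made up, MACs are those from the question.
RUNNING = """\
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.1111.1111
!
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security mac-address 0000.2222.2222
!
"""
STARTUP = RUNNING.replace(" switchport port-security mac-address sticky 0000.1111.1111\n", "")
```

Running `unsaved_sticky(RUNNING, STARTUP)` on the samples flags GigabitEthernet1/0/1, whose learned sticky address exists only in the running configuration.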