Solved

How do you clear a Cisco Switch Port Security Sticky settings?

Posted on 2012-04-02
Last Modified: 2012-08-13
I had several ports err-disable.  I tried to shut/no-shut, but the ports went err-disable again.
(No mac-address was specified in the config)

Then I removed ALL port-security commands, then reinstalled them (including the "sticky" command, but NO specific MAC-addresses). They still went into err-disable.

What steps are required to insert new servers into a switchport that was configured for port-security?

I found the same problem on both 2960 and 2560 switches.

Thanks
Question by:jimmycher
Expert Comment

by:pony10us
The order

Look at the conf for the MAC that it has assigned.  

sh run int f0/2 (substitute your interface)

conf t
int f0/2 (same as above)
no switchport port-security mac-address xxxx.xxxx.xxxx (the old MAC address)
no shut


That should bring the interface back up. If not, then look for a duplicate MAC address (are you moving this device from one location to another?).
Expert Comment

by:schmitty007
If these are VM servers, which sounds like they might be if they are triggering your err-disable state on the switch port. The sticky command means the switch port will learn what MAC address is connected to that port and will write it into its running configuration. It's a way to have the switch automatically add the MAC address of the device connected without specifying it manually. The default action of port-security is set to disable; you can set this to restrict as well.

Something you can try is to increase the maximum number of MACs learned on that switch port. The default is only 1, so if you have VM servers you will need to increase this number to however many VMs you have, +1 for the host.
Example
 Switch(config)# interface gi0/14
 Switch(config-if)# switchport port-security maximum 4
Author Comment

by:jimmycher
The config only showed:

  int F0/1
    vlan 1
    switchport port-security
    switchport port-security mac-address sticky

There was no specific MAC address in the config on that interface.

The duplicate MAC address comment might be germane however, since some unused ports did have a MAC address specified. I'll have to double check. I guess you are saying that if a MAC address is specified on int F0/27, then you can't plug that server's MAC into F0/1? That makes sense, and is something I'll check on.

Is there ever a need to clear ARP or anything else?

Thanks
Author Comment

by:jimmycher
Good info Schmitty007, but these were stand-alone servers.  I'm thinking the MAC address specified on another switchport is the problem.
Accepted Solution

by:pony10us
Only on rare occasions have I had to clear the ARP for this situation. Normally it is either a duplicate MAC somewhere or a previously assigned MAC on the port in question.  You can look at the MAC address table to see if either of these situations appear.

show mac-address-table

And I would also consider what Schmitty007 said if you are using VMs.
Assisted Solution

by:schmitty007
If these are single servers, I would agree the switch has that MAC in its config. If it's static to the port, a show run will tell you which port.
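
Added example, not part of the thread or written by any of its participants: the check the two answers above describe (finding which port already has a server's MAC pinned by port-security) scripted over saved `show running-config` text. The config sample, interface names and MAC addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `show running-config` output (not taken from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/14
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/27
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.ddee
!
"""

# Matches static and sticky secure-MAC lines; the bare "mac-address sticky"
# line that only enables sticky learning carries no address and is skipped.
MAC_LINE = re.compile(
    r"^\s*switchport port-security mac-address (sticky )?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def secured_macs(config_text):
    """Map interface name -> list of (mac, is_sticky) pinned by port-security."""
    pinned, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and (m := MAC_LINE.match(line)):
            pinned.setdefault(current, []).append(
                (normalize_mac(m.group(2)), bool(m.group(1))))
    return pinned

def ports_pinning(config_text, mac):
    """Interfaces whose config already holds this MAC as a secure address."""
    target = normalize_mac(mac)
    return sorted(intf for intf, entries in secured_macs(config_text).items()
                  if any(m == target for m, _ in entries))
```

A hit on a port other than the one the server is now plugged into is the "previously assigned MAC" case from the accepted solution; an interface with port-security enabled but missing from `secured_macs()` has not learned or been given an address yet.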
Author Closing Comment

by:jimmycher
Many thanks for ultra-quick responses.