static mac address is stuck on a port

Posted on 2014-03-10
Last Modified: 2014-03-15
Hi all,

I have some Cisco 2975 as access switch running on the floors. Before implementing 802.1x, we were able to move PC from one office to another without doing anything else.

After we implemented 802.1x, the mac address of PC tended to get stuck on a port. The new port that the PC is connected to does not learn the mac address of the PC. This issue might not have anything to do with 802.1x, but this all started after we implemented 802.1x so I am blaming it.

I tried to remove the static mac address of the PC from the old port by using the no mac-address table static without any success.

I was running 12.2 (46) before. opened up an ticket with Cisco, they said it might be a bug with the version and suggested to upgrade the switch to 12.2 (55). After the upgrade, I enabled authentication mac-move. but it doesn't do anything and the issue persisted.

For now, the only solution is to switching the cable every time a PC is moving from one office to another.

Do you guys have the same issue and any solutions to it?

Question by:tmatty102
  • 4
  • 3
  • 2
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39918015

Please provide us the port configs, did you configured mac security ?
LVL 26

Expert Comment

ID: 39918033
Do you have port security turned on?


interface GigabitEthernet5/1
 description Gi5/1
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 spanning-tree portfast
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39918042
In this case you need in the ena mode:

clear port-security dynamic
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39918047
port security is not configured on the port.

below is an example of the port configuration..

interface GigabitEthernet1/0/33
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 no logging event link-status
 power inline consumption 7200
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast
LVL 26

Assisted Solution

pony10us earned 500 total points
ID: 39918105
Refer to

Specifically for the following:

authentication port-control auto
authentication violation protect

This is basically port security under Dot1x

You may want to verify that someone didn't turn off the MAC move

authentication mac-move permit

Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.


MAC move is enabled.

Author Comment

ID: 39918118
Hi pony10us,

Thank you for the info, I have those that you mentioned enabled on the switch already. This include authentication mac-move permit, authentication port-control auto, and authentication violation protect

Thanks though.
LVL 26

Expert Comment

ID: 39918164
I didn't include the rest but it appears to be related to the 802.1x as you mentioned originally:

"MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs. "

Accepted Solution

tmatty102 earned 0 total points
ID: 39918674
The problem seems to be related to the authenticated session and I have found the solution.

The solution is to use authentication violation replace  instead of protect

I think it's because I did not figure a timeout for a session or re-authenticate after a certain period, the session took place at first does not get expired and when a new device is plug into the interface, the port-control protect the interface by not allowing the new mac address to be learned.

With authentication violation replace,  the switch will accept the new mac address, go through the authentication process and replace the old mac address on the interface if the device get authenticate successfully.

Note: This option does not available prior to IOS version 12.2 (55)

Author Closing Comment

ID: 39931107
My comment was the final solution for question I asked.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
asset tags - importance 3 57
How Can i get Two 3-User licenses of Quickbooks to work??? 6 87
Is Fedora an appropriate distro for the environment. 7 93
Problems with VPN 4 27
Join Greg Farro and Ethan Banks from Packet Pushers ( and Greg Ross from Paessler ( for a discussion about smart network …
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question