static mac address is stuck on a port

Posted on 2014-03-10
Last Modified: 2014-03-15
Hi all,

I have some Cisco 2975s running as access switches on the floors. Before implementing 802.1x, we were able to move a PC from one office to another without doing anything else.

After we implemented 802.1x, the MAC address of a PC tended to get stuck on a port. The new port that the PC is connected to does not learn the MAC address of the PC. This issue might not have anything to do with 802.1x, but this all started after we implemented 802.1x, so I am blaming it.

I tried to remove the static MAC address of the PC from the old port by using the no mac-address table static command, without any success.

I was running 12.2 (46) before. I opened a ticket with Cisco; they said it might be a bug with the version and suggested upgrading the switch to 12.2 (55). After the upgrade, I enabled authentication mac-move, but it doesn't do anything and the issue persisted.

For now, the only solution is to switch the cable every time a PC is moved from one office to another.

Do you guys have the same issue and any solutions to it?

Question by:tmatty102

Expert Comment

by:Istvan Kalmar
ID: 39918015

Please provide us the port configs. Did you configure MAC security?

Expert Comment

ID: 39918033
Do you have port security turned on?


interface GigabitEthernet5/1
 description Gi5/1
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 spanning-tree portfast

Expert Comment

by:Istvan Kalmar
ID: 39918042
In this case you need, in enable mode:

clear port-security dynamic

Author Comment

ID: 39918047
Port security is not configured on the port.

Below is an example of the port configuration:

interface GigabitEthernet1/0/33
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 no logging event link-status
 power inline consumption 7200
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast

Assisted Solution

pony10us earned 500 total points
ID: 39918105
Refer to

Specifically for the following:

authentication port-control auto
authentication violation protect

This is basically port security under Dot1x

You may want to verify that someone didn't turn off the MAC move

authentication mac-move permit

Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.


MAC move is enabled.

Author Comment

ID: 39918118
Hi pony10us,

Thank you for the info. I have those that you mentioned enabled on the switch already. This includes authentication mac-move permit, authentication port-control auto, and authentication violation protect.

Thanks though.

Expert Comment

ID: 39918164
I didn't include the rest but it appears to be related to the 802.1x as you mentioned originally:

"MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs."

Accepted Solution

tmatty102 earned 0 total points
ID: 39918674
The problem seems to be related to the authenticated session and I have found the solution.

The solution is to use authentication violation replace instead of protect.

I think it's because I did not configure a timeout for a session or re-authentication after a certain period; the session that took place at first does not expire, and when a new device is plugged into the interface, the port-control protects the interface by not allowing the new MAC address to be learned.

With authentication violation replace, the switch will accept the new MAC address, go through the authentication process and replace the old MAC address on the interface if the device gets authenticated successfully.

Note: This option is not available prior to IOS version 12.2 (55)
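
Added example, not part of the original thread: a small Python audit that applies the accepted answer's reasoning to a saved running-config, flagging 802.1x ports that do not use authentication violation replace or that have no inactivity timer or periodic re-authentication. The sample config is constructed (Gi1/0/33 is trimmed from the port posted above; the other ports, the function names and the 300-second value are assumptions).

```python
import re

# Constructed sample: Gi1/0/33 is trimmed from the thread; the rest is hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/33
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
!
interface GigabitEthernet1/0/34
 authentication port-control auto
 authentication violation replace
 authentication timer inactivity 300
!
interface GigabitEthernet1/0/35
 switchport mode access
"""

def parse_interfaces(config):
    """Map each interface name to the list of its stripped sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config):
    """Return {interface: [findings]} for 802.1x ports where a session may get stuck."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # not an 802.1x-controlled port
        findings = []
        violation = next((c.split()[-1] for c in cmds
                          if c.startswith("authentication violation ")), "default")
        if violation != "replace":
            findings.append(f"violation mode is {violation}, not replace")
        if not any(c.startswith(("authentication timer inactivity",
                                 "authentication periodic")) for c in cmds):
            findings.append("no inactivity timer or periodic re-authentication")
        if findings:
            report[name] = findings
    return report
```

Calling audit(SAMPLE_CONFIG) reports only GigabitEthernet1/0/33, the port configuration from the thread.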

Author Closing Comment

ID: 39931107
My comment was the final solution for the question I asked.


Question has a verified solution.
