static mac address is stuck on a port

Posted on 2014-03-10
Medium Priority
Last Modified: 2014-03-15
Hi all,

I have some Cisco 2975 as access switch running on the floors. Before implementing 802.1x, we were able to move PC from one office to another without doing anything else.

After we implemented 802.1x, the mac address of PC tended to get stuck on a port. The new port that the PC is connected to does not learn the mac address of the PC. This issue might not have anything to do with 802.1x, but this all started after we implemented 802.1x so I am blaming it.

I tried to remove the static mac address of the PC from the old port by using the no mac-address table static without any success.

I was running 12.2 (46) before. opened up an ticket with Cisco, they said it might be a bug with the version and suggested to upgrade the switch to 12.2 (55). After the upgrade, I enabled authentication mac-move. but it doesn't do anything and the issue persisted.

For now, the only solution is to switching the cable every time a PC is moving from one office to another.

Do you guys have the same issue and any solutions to it?

Question by:tmatty102
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39918015

Please provide us the port configs, did you configured mac security ?
LVL 26

Expert Comment

ID: 39918033
Do you have port security turned on?


interface GigabitEthernet5/1
 description Gi5/1
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 spanning-tree portfast
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39918042
In this case you need in the ena mode:

clear port-security dynamic
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Author Comment

ID: 39918047
port security is not configured on the port.

below is an example of the port configuration..

interface GigabitEthernet1/0/33
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 no logging event link-status
 power inline consumption 7200
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast
LVL 26

Assisted Solution

pony10us earned 2000 total points
ID: 39918105
Refer to http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2975/software/release/12-2_52_se/command/reference/cr/cli1.html

Specifically for the following:

authentication port-control auto
authentication violation protect

This is basically port security under Dot1x

You may want to verify that someone didn't turn off the MAC move

authentication mac-move permit

Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.


MAC move is enabled.

Author Comment

ID: 39918118
Hi pony10us,

Thank you for the info, I have those that you mentioned enabled on the switch already. This include authentication mac-move permit, authentication port-control auto, and authentication violation protect

Thanks though.
LVL 26

Expert Comment

ID: 39918164
I didn't include the rest but it appears to be related to the 802.1x as you mentioned originally:

"MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs. "

Accepted Solution

tmatty102 earned 0 total points
ID: 39918674
The problem seems to be related to the authenticated session and I have found the solution.

The solution is to use authentication violation replace  instead of protect

I think it's because I did not figure a timeout for a session or re-authenticate after a certain period, the session took place at first does not get expired and when a new device is plug into the interface, the port-control protect the interface by not allowing the new mac address to be learned.

With authentication violation replace,  the switch will accept the new mac address, go through the authentication process and replace the old mac address on the interface if the device get authenticate successfully.

Note: This option does not available prior to IOS version 12.2 (55)

Author Closing Comment

ID: 39931107
My comment was the final solution for question I asked.

Featured Post

WordPress Tutorial 4: Recommended Plugins

Now that you have WordPress installed, understand the interface, and know how to install new parts, let’s take a look at our recommended plugins.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question