Cisco 3750E sticky mac not working

We have a number of 3750G switches and I am trying to apply port security using sticky MAC. When I do so, the port loses one or more of the MAC addresses found on the port and stops the PC or phone or both on that port from working. For example, below are the MAC addresses found on the port before applying port security. VLAN 1108 is our access VLAN and 2108 is our voice VLAN. So there is an IP phone attached to the port and the PC is attached to the phone.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1108    001e.4fe3.5322    DYNAMIC     Gi1/0/6
1108    001e.f7c4.ce40    DYNAMIC     Gi1/0/6
2108    001e.f7c4.ce40    DYNAMIC     Gi1/0/6

I then apply the following:
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky

When I then look at the MAC addresses on the port I see this:

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1108    001e.4fe3.5322    STATIC      Gi1/0/6

and the phone has unregistered.
In some cases no MAC addresses appear on the port and I lose both phone and PC.

Weirdly though, this only happens on some ports and other ports work OK. I cannot see any pattern. I did read that there was a bug in a previous IOS that stopped this from working on stacks of 3750s, but this is a single switch and I have upgraded to the latest IOS. Still no joy.

Any help would be appreciated.

Thanks.
Colchester_Institute Asked:
JustInCase Commented:
Did you check the ports assigned to the VLANs?
#sh vlan
#sh interfaces trunk
Steven Carnahan, Network Manager Commented:
Yes, you need to check the VLAN.

So if you have your default VLAN as 3 and your voice as 100, you should also have the following on the port:

 switchport access vlan 3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100


Example of sh vlan command to match above:

3    Data-Accounting                  active    Fa1/1, Fa1/2, Fa1/3, Fa1/5
                                                Fa1/7, Fa1/9, Fa1/10, Fa1/11
80   Test-Domain                      active    Fa1/47, Fa1/48
99   Management-VLAN                  active    Fa1/4, Gi5/46
100  VLAN100-VoIP                     active    Fa1/1, Fa1/2, Fa1/3, Fa1/5
                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10
                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14


Then you would set port Fa1/1 as:

interface FastEthernet1/1
 description Fa1/1
 switchport access vlan 3
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky

Colchester_Institute (Author) Commented:
I have checked the VLANs and they are assigned to the port:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/26, Gi1/0/27, Gi1/0/28
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
1108 VLAN1108                         active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
1109 VLAN1109                         active
1828 VLAN1828                         active
2108 VLAN2108                         active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
2109 VLAN2109                         active

The MAC addresses shown on the port before applying the config are:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1108    001e.4fe3.5322    DYNAMIC     Gi1/0/6
1108    001e.f7c4.ce40    DYNAMIC     Gi1/0/6
2108    001e.f7c4.ce40    DYNAMIC     Gi1/0/6
Total Mac Addresses for this criterion: 3


The port is then configured as follows:
interface GigabitEthernet1/0/6
 description *** Q5A - PC/PHONE ***
 switchport access vlan 1108
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 2108
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation protect
 switchport port-security mac-address sticky

The running config of the port then becomes:
interface GigabitEthernet1/0/6
 description *** Q5A - PC/PHONE ***
 switchport access vlan 1108
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 2108
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001e.f7c4.ce40 vlan voice

and the MAC addresses shown on the port become:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
2108    001e.f7c4.ce40    STATIC      Gi1/0/6
Total Mac Addresses for this criterion: 1

and the PC on VLAN 1108, which is connected to the phone, loses network connectivity.
Once port-security is turned off it reverts back to normal.
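
Added example, not part of the original thread or any poster's code: a pre-change check that parses the `show mac address-table` output captured before port security was enabled and compares the entries seen on the port with the configured `switchport port-security maximum` values. The function names are hypothetical, the inputs are copied from the post above, and counting one port-wide entry per (VLAN, MAC) pair is an assumption.

```python
import re
from collections import defaultdict
# Inputs copied from the thread: pre-change MAC table and the proposed port config.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1108    001e.4fe3.5322    DYNAMIC     Gi1/0/6
1108    001e.f7c4.ce40    DYNAMIC     Gi1/0/6
2108    001e.f7c4.ce40    DYNAMIC     Gi1/0/6
"""
PORT_CONFIG = """\
interface GigabitEthernet1/0/6
 switchport access vlan 1108
 switchport voice vlan 2108
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
"""
MAC_ROW = re.compile(r"\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
VLAN_ROLE = re.compile(r"switchport (access|voice) vlan (\d+)")
MAXIMUM = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?")

def parse_mac_table(text, port):
    """Return {vlan: {mac, ...}} for the entries learned on `port`."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group(3) == port:
            seen[int(m.group(1))].add(m.group(2).lower())
    return dict(seen)

def parse_limits(config):
    """Return (roles, limits): roles maps access/voice to a VLAN id, limits maps scope to a maximum."""
    roles, limits = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := VLAN_ROLE.fullmatch(line):
            roles[m.group(1)] = int(m.group(2))
        elif m := MAXIMUM.fullmatch(line):
            limits[m.group(2) or "port"] = int(m.group(1))
    return roles, limits

def check(mac_text, config, port):
    """Return (scope, vlan, observed, limit) for every limit the observed entries exceed."""
    seen = parse_mac_table(mac_text, port)
    roles, limits = parse_limits(config)
    counts = [(role, vlan, len(seen.get(vlan, ()))) for role, vlan in sorted(roles.items())]
    # Assumption: the port-wide maximum counts one entry per (VLAN, MAC) pair.
    counts.append(("port", None, sum(len(macs) for macs in seen.values())))
    return [(s, v, n, limits[s]) for s, v, n in counts if s in limits and n > limits[s]]
```

For the port in this thread, `check(MAC_TABLE, PORT_CONFIG, "Gi1/0/6")` reports two addresses observed on access VLAN 1108 against a limit of 1, and three table entries against the port-wide limit of 2.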


JustInCase Commented:
How are the VLAN interfaces for VLANs 1108 & 2108 configured?

What message does the switch show when you attach the second device?
If you are not attached to the console port, you can see the message if you issue
#terminal monitor
before attaching the second device to the switch.

You can debug port security with
# debug port-security
Steven Carnahan, Network Manager Commented:
Do a "sh int gi1/0/6" (without the quotes) and see if it is "err-disabled" when everything is plugged in.

If the port isn't shutting down (going into err-disabled) state then it is never seeing the PC connected.

Can you do a "sh log | include 1/0/6" (without the quotes) to see if you are getting any errors on that interface?
Colchester_Institute (Author) Commented:
Thanks both. I will give these a go and get back with any updates.
Colchester_Institute (Author) Commented:
Thanks for the help :-)