Has anyone had this problem on their C3560 switch:

The mac address associated with an interface fails to age out after the computer is disconnected from the interface. The mac-address aging timer is at the default of 300 seconds.

switchport port-security violation protect

Other than that it's a fairly typical config, ip routing is turned on for inter-vlan connectivity, it's defaulted to spanning-tree mode pvst, and I've set this particular switch as the root for the VTP Domain, spanning-tree vlan 1-1024 priority 24576.

Quite baffling, I can't even get the mac address to clear from the interface with the clear mac-address interface command. So far the only way to remove the mac address from the interface is to shut/no shut the interface.

I've searched the Cisco website for bug reports but have not come across any pertinent documentation.

Any insight would be greatly appreciated.

Wow, that issue was quite a while ago, let me see if I can remember what I found out.

As brianinms pointed out to me, it is the default nature of the command. What I finally figured out is that the default behavior of the "switchport port-security" command IS to lock in a mac-address-to-switchport association in the mac-address table. So it's not so much a problem as it's what the command is designed to do.

I couldn't find clear information on the "switchport port-security" command on the Cisco website other than that the default is to lock in a single mac-address in the mac-address tables unless you configure the "switchport port-security max" command, which will allow the switch to learn and lock in multiple macs.

The key is that mac-addresses are learned dynamically as traffic enters the switchport from the connected device. If the port is shut down or the switch reloads, the mac-address-to-switchport association is cleared from the tables. Of course you can also hard-code one or more mac-addresses to an interface if you don't want the switch to dynamically learn mac-addresses. If you want the mac-address to remain associated with the switchport across reloads and port state changes, when using the dynamic mode, you use the "switchport port-security mac-address sticky" and then save your config after the mac-addresses are learned and "stuck" to an interface.

This is a pretty decent write-up on the port-security command:

http://n/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html

RE: C3560 MAC Address Aging Timer Inop
selcuks2001 (IS/IT-Management) 15 Aug 08 02:47

Two of our customers are using the same brand of switches, which are Cisco 4500 Series. Let me tell you which problem I am facing: MAC security is applied to all of the ports on the switches. But when a user wants to migrate from one port to another I am facing a "security violation" problem. When a user wants to migrate from GigabitEthernet6/3 to GigabitEthernet7/5 I am getting "security violation error" on the port GigabitEthernet7/5.
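
An added example, not written by any poster in this thread: a Cisco IOS configuration that sets the default port-security behaviour described above beside a variant that lets secure addresses age out, plus sticky learning. The interface numbers, the maximum of 1 and the 2-minute aging value are assumptions chosen for illustration.

```cisco
! Added illustration; interface numbers and timer values are assumed.
!
! Case 1: default dynamic learning (the behaviour described in the thread).
! The first source MAC seen becomes a secure address. Port-security aging
! is off by default, so the 300-second MAC table aging timer does not
! release it; it stays until the port goes down or it is cleared.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
!
! Case 2: same policy, but a secure address is released after 2 minutes
! with no traffic from that MAC, so a host that is unplugged and moved to
! another secured port is no longer held on the old one.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! Case 3: sticky learning. Learned MACs are written into the running
! config and survive a reload once the config is saved. Aging does not
! apply to them, so a moved host must be cleared by an administrator.
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
! Verification (privileged EXEC):
!   show port-security interface GigabitEthernet0/2
!   show port-security address
!
! Release a dynamically learned secure address without shut/no shut:
!   clear port-security dynamic interface GigabitEthernet0/1
```

Inactivity aging trades some strictness for convenience: once the address ages out, the next device plugged into that port is learned as the new secure address, so keep the timer short only where that is acceptable.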