Users Guide

When you configure MAC address learning limit, ensure that the number of static MAC addresses present on the system is not
greater than the MAC address learning limit that you configure. If the number of dynamically-learned MAC addresses is greater
than your MAC address limit, the system flushes all dynamically-learned MAC addresses.
You can configure an interface to learn a maximum of 3072 MAC addresses. You can also disable the MAC address learning limit feature so that the interface can learn the maximum number of MAC addresses that the system supports. Disabling the MAC address learning limit feature does not remove previously learned or configured secure MAC addresses.
MAC address movement
A MAC address movement happens when the system detects a MAC address on an interface that it has already learned through another port-security-enabled interface in the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC addresses is disabled on the system.
Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.
Sticky MAC addresses
When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky
feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does
not have to learn these MAC addresses again. Use the copy running-configuration startup-configuration
command to save the sticky secure MAC addresses.
When you enable sticky MAC address learning on an interface, all existing dynamically-learned MAC addresses and MAC
addresses that are learned in the future are converted to sticky MAC addresses.
To enable sticky MAC address learning on an interface, ensure that the mac learn no-limit command is not configured.
Port security violations
There are two types of port security violations:
MAC address learning limit violation
MAC address move violation
MAC address learning limit violation
After the number of secure MAC addresses on an interface reaches the configured maximum, if the interface receives a frame whose source MAC address differs from all of the learned MAC addresses, the system treats this as a MAC address learning limit violation.
You can configure MAC address learning limit violation actions.
log: The system drops the packet and displays a log message with the VLAN, interface, and source MAC address that caused the violation.
drop: The system drops the packet and does not display a log message.
forward: The system forwards the packet without learning the source MAC address or displaying a log message.
shutdown: The system shuts down the port.
MAC address move violation
If the system detects, on a port-security-enabled interface, a MAC address that it has already learned through another port-security-enabled interface, by default it treats this as a MAC address move violation. You can instead configure the system to permit MAC address movement across port-security-enabled interfaces.
You can configure the following MAC address move violation actions:
log: The system drops the packet and displays a log message with the VLAN, interface, and source MAC address that caused the violation.
drop: The system drops the packet and does not display a log message.
shutdown-both: The system shuts down both the original and the offending interface.
shutdown-offending: The system shuts down the offending interface.
shutdown-original: The system shuts down the interface that originally learned the MAC address that moved.
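The limit and move rules described in these two sections, as an added Python model written for this guide (constructed for illustration, not the vendor's code): it applies the per-interface learning limit, the flush rule when the dynamic count exceeds a newly configured limit, the move check between port-security-enabled interfaces, and each of the violation actions listed above. The `PortSecurity` class, interface names and the vlan argument are assumptions; aging and sticky conversion are not modelled.

```python
# Added model of the port-security rules described above (constructed for
# illustration, not vendor code); aging and sticky conversion are left out.
class PortSecurity:
    def __init__(self):
        self.ports = {}   # port -> settings dict (port-security-enabled only)
        self.table = {}   # mac -> (port, kind); kind is "static" or "dynamic"
        self.logs = []

    def enable(self, port, limit=3072, limit_action="log", move_action="log", allow_move=False):
        self.ports[port] = dict(limit=limit, limit_action=limit_action,
                                move_action=move_action, allow_move=allow_move, up=True)

    def add_static(self, port, mac):
        self.table[mac] = (port, "static")

    def entries(self, port, kind=None):
        return [m for m, (p, k) in self.table.items()
                if p == port and (kind is None or k == kind)]

    def set_limit(self, port, limit):
        self.ports[port]["limit"] = limit
        if len(self.entries(port, "dynamic")) > limit:   # flush all dynamic entries
            for mac in self.entries(port, "dynamic"):
                del self.table[mac]

    def _violate(self, kind, port, mac, vlan, original=None):
        cfg = self.ports[port]
        action = cfg["limit_action" if kind == "limit" else "move_action"]
        if action == "log":
            self.logs.append(f"{kind} violation: vlan {vlan} port {port} mac {mac}")
        if action in ("shutdown", "shutdown-both", "shutdown-offending"):
            cfg["up"] = False
        if action in ("shutdown-both", "shutdown-original"):
            self.ports[original]["up"] = False
        return "forward" if action == "forward" else "drop"

    def frame(self, port, mac, vlan=1):   # returns "forward" or "drop"
        cfg = self.ports[port]
        if not cfg["up"]:
            return "drop"
        owner, kind = self.table.get(mac, (None, None))
        if owner == port:
            return "forward"
        if owner is not None:            # already learned on another secured port
            if kind != "dynamic" or not cfg["allow_move"]:
                return self._violate("move", port, mac, vlan, original=owner)
            del self.table[mac]          # permitted move: relearn on this port
        if len(self.entries(port)) >= cfg["limit"]:
            return self._violate("limit", port, mac, vlan)
        self.table[mac] = (port, "dynamic")
        return "forward"
```

With a static entry counting toward the limit, a limit of 2 on an interface is reached after one dynamic address, and a `forward` action then forwards further unknown sources without learning them.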
MAC address aging
By default, dynamically-learned secure MAC addresses do not age out. You can enable aging for secure MAC addresses so that
the dynamically-learned MAC addresses are deleted from the MAC address table after the configured aging period.
Enable port security on the system
To enable port security on the system globally:
Security
1411