Sticky MAC – Port Security, Dynamic Learning, and Violation Actions

1. What Is Sticky MAC?

Sticky MAC is a Cisco port security feature that gives a switch port the ability to dynamically learn the MAC addresses of connected devices and automatically write those addresses into the running configuration — effectively "sticking" them to that port. Once stuck, only the learned MAC addresses (up to the configured maximum) are permitted to communicate through that port. Any new, unrecognised MAC address triggers the configured violation action.

Sticky MAC occupies the middle ground between two extremes: fully dynamic MAC learning (convenient but no security — any device can connect) and fully static MAC assignment (maximum security but high administrative burden — every MAC must be entered manually). Sticky MAC lets the legitimate device connect once and be learned automatically, then locks the port to that device going forward.

  Normal dynamic MAC learning (no port security):
  Any device plugs in → switch learns MAC → no restriction → any device allowed

  Static port security:
  Admin manually enters each MAC → locked immediately → high admin overhead

  Sticky MAC (best of both):
  First device plugs in → switch learns MAC → writes to running config
  → port now locked to that MAC → subsequent unknown MACs are rejected

  Use case: deploy on access ports connecting PCs, printers, IP phones.
  Result:   devices that have connected at least once are automatically
            authorised; new/unknown devices are blocked.
            


2. Static vs Dynamic vs Sticky MAC — Comparison

  How the MAC is learned
    Dynamic : Automatically by the switch from incoming frames. See Frame Forwarding.
    Static  : Manually entered by the administrator.
    Sticky  : Automatically by the switch, then written to the running config.

  Where stored
    Dynamic : MAC address table (RAM only); not in running or startup config.
    Static  : Running config, and startup config once saved.
    Sticky  : Running config; survives reboot only if saved to startup config.

  Persistence after reload
    Dynamic : No; lost on every reload.
    Static  : Yes, once the configuration has been saved (like any other config line).
    Sticky  : Only if write memory or copy run start is run after the MACs were learned.

  Aging
    Dynamic : Yes; times out per the MAC aging timer (default 300 s).
    Static  : Not by default; ages only if switchport port-security aging static is configured.
    Sticky  : Not by default; uses the same aging static option as static entries (see Section 4).

  Port security capable
    Dynamic : No; plain MAC learning enforces no limit and raises no violation.
              (Port security also has its own "dynamic secure" addresses, learned on a
              secure port without the sticky keyword: enforced, but lost on reload.)
    Static  : Yes; part of port security.
    Sticky  : Yes; full port security integration (maximum, violation mode).

  Admin effort
    Dynamic : None; fully automatic.
    Static  : High; every MAC must be entered.
    Sticky  : Low; devices learn themselves, the admin saves the config afterwards.

  Security level
    Dynamic : None; any device can connect.
    Static  : Highest; only pre-approved MACs.
    Sticky  : High after the learning period; moderate during initial learning
              (any device can connect until the maximum is reached).

  Running config appearance
    Dynamic : Does not appear.
    Static  : switchport port-security mac-address <MAC>
    Sticky  : switchport port-security mac-address sticky <MAC> (added automatically)

3. How Sticky MAC Learning Works — Step by Step

  Step 1: Admin enables port security with sticky on Fa0/10:
  Switch(config-if)# switchport port-security
  Switch(config-if)# switchport port-security mac-address sticky
  Switch(config-if)# switchport port-security maximum 2

  Step 2: PC (MAC: aabb.cc00.0100) sends its first frame into Fa0/10.
          Switch receives it, sees port security with sticky enabled.
          Switch learns the MAC and writes it to the running config:

  Running config now contains:
  interface FastEthernet0/10
   switchport port-security
   switchport port-security maximum 2
   switchport port-security mac-address sticky
   switchport port-security mac-address sticky aabb.cc00.0100   ← added automatically

  Step 3: IP phone (MAC: aabb.cc00.0200) also connects to Fa0/10.
          Switch learns it (maximum is 2, so this is allowed):

  Running config now also contains:
   switchport port-security mac-address sticky aabb.cc00.0200   ← second entry

  Step 4: A third device (unknown MAC: aabb.cc00.9999) is connected.
          Maximum = 2, both slots are occupied.
          Violation action triggers (default: shutdown).
          Port enters err-disabled state.

  Step 5: Admin saves config:
  Switch# write memory
  Sticky MACs survive reboot. The PC and phone connect again after
  reload and the port recognises them immediately — no re-learning needed.
            

Key insight: A sticky entry is written to the running config as switchport port-security mac-address sticky <MAC>, whereas a manually configured static secure MAC is switchport port-security mac-address <MAC> without the sticky keyword. The sticky keyword tells you the switch learned and wrote the entry itself (or that an administrator pre-populated it in the sticky form, see Section 4); show port-security address reports the two types as SecureSticky and SecureConfigured respectively. Use show running-config to inspect these entries.

See Port Security & Sticky MAC Lab for a full step-by-step hands-on configuration exercise.

4. Complete Port Security Configuration

Prerequisites

  Port security requires a statically configured port mode. It CANNOT be enabled
  on a port still in dynamic (DTP) mode; the switch rejects it with a message such
  as "Command rejected: FastEthernet0/10 is a dynamic port." EtherChannel member
  ports are not eligible either. Older platforms only accept port security on
  access ports; newer Catalyst IOS also accepts it on static trunk ports, but this
  page assumes the normal case of an access port.

  Before enabling port security, put the port in access mode:
  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# switchport mode access   ! required first
            

See Access & Trunk Ports for the full access port configuration reference, and Assigning VLANs to Switch Ports Lab to ensure the port is correctly configured before applying port security.

Full Annotated Configuration

  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport port-security
  │
  └─ Enables port security on this interface.
     Without this command, none of the following commands will work.
     Default maximum = 1 MAC address, default violation = shutdown.

  Switch(config-if)# switchport port-security maximum 2
  │
  └─ Allow up to 2 MAC addresses on this port (e.g., PC + IP phone).
     Valid range: 1 up to a platform-dependent limit (older Catalyst IOS
     accepts 1 to 132; newer releases accept far more).
     When the 3rd MAC is seen → violation action triggers.

  Switch(config-if)# switchport port-security mac-address sticky
  │
  └─ Enable sticky learning: MACs are learned dynamically and written
     to the running config automatically.
     Can be combined with pre-configured static sticky entries:
     switchport port-security mac-address sticky aabb.cc00.0100
     (pre-populates one slot; the second slot will be dynamically learned)

  Switch(config-if)# switchport port-security violation shutdown
  │
  └─ Violation action when an unknown/excess MAC is detected.
     Options: shutdown (default), restrict, protect — see Section 5.

  Switch(config-if)# description PC - John Smith + IP Phone
  Switch(config-if)# no shutdown

  ! Save sticky MACs to persist after reload:
  Switch# copy running-config startup-config
  (or: Switch# write memory)
            

Optional: Configure MAC Address Aging

  ! By default, sticky MACs do not age out. Sticky entries are treated like
  ! static secure addresses, so three settings are needed to age them:
  Switch(config-if)# switchport port-security aging time 60
  ! Aging timer in minutes (here 60).

  Switch(config-if)# switchport port-security aging type inactivity
  ! "inactivity" = timer resets each time the MAC sends a frame, so the entry is
  !                removed after 60 minutes without traffic from that MAC.
  ! "absolute"   = entry removed after the timer regardless of activity (default).

  Switch(config-if)# switchport port-security aging static
  ! Apply aging to static and sticky secure addresses as well; without this line
  ! only dynamic secure addresses age. Confirm with show port-security address
  ! (Remaining Age column).
  ! Useful when devices change regularly (lab environments, hot-desking).
            

5. Violation Modes — Protect, Restrict, Shutdown

When an unauthorised MAC address is received on a port-security protected port (either because the maximum has been reached or the MAC is not in the allowed list), the switch takes the configured violation action. There are three modes, and knowing the difference between all three is a CCNA exam requirement. See Port Security Violation Modes for the full reference.

  Protect
    Action on violation : Silently drops frames from the violating MAC; no notification generated
    Violating frames    : Dropped silently
    Authorised frames   : Continue forwarding
    Syslog / SNMP       : No
    Violation counter   : Not incremented
    Port state          : Remains up

  Restrict
    Action on violation : Drops frames from the violating MAC AND sends a syslog message and SNMP trap
    Violating frames    : Dropped
    Authorised frames   : Continue forwarding
    Syslog / SNMP       : Yes (syslog + SNMP)
    Violation counter   : Incremented
    Port state          : Remains up

  Shutdown (default)
    Action on violation : Immediately error-disables the entire port; ALL traffic stops,
                          including authorised devices; requires manual recovery
    Violating frames    : All traffic stopped
    Authorised frames   : Also stopped
    Syslog / SNMP       : Yes (syslog + SNMP)
    Violation counter   : Incremented
    Port state          : Err-disabled
  Choosing the right violation mode:

  Protect  → Stealthy; fine for a lab, dangerous in production because you
              have NO visibility of violations. An attacker connects and
              frames are silently dropped; you would never know.
              Use case: rarely recommended in production.

  Restrict → Best balance for most deployments. Violating device is blocked
              but legitimate devices stay up. Syslog alert tells you a
              violation occurred. Use this for monitoring while maintaining
              uptime for other users on the port (e.g., IP phone + PC).

  Shutdown → Highest security response. The entire port goes err-disabled —
              both the attacker AND any legitimate devices on the port lose
              connectivity until an admin manually resets the port. Use when
              any unauthorized device connection is unacceptable (e.g., high
              security server room, ATMs, kiosks).
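The learning behaviour of Section 3 and the three violation modes above can be checked against a small model. The following Python is an added example written for this page, not Cisco code or switch output: it implements a secure port with the page's semantics (default maximum 1, default mode shutdown, sticky learning until the maximum is reached) and replays the PC / phone / unknown-device sequence from Section 3 in each mode. The MAC addresses and interface name are the page's own; the class, method and function names are assumptions made for the example.

```python
"""Model of a port-security secured interface (added example for Sections 3 and 5;
not Cisco code). Behaviour follows the page's violation-mode table:
  protect  -> violating frames dropped silently, counter not incremented
  restrict -> violating frames dropped, log entry written, counter incremented, port up
  shutdown -> port err-disabled, every frame dropped (authorised ones too) until reset
Class, method and function names are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # IOS default maximum
    violation: str = "shutdown"         # IOS default violation mode
    sticky: bool = True
    secure_macs: list = field(default_factory=list)   # learned / configured secure MACs
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def running_config(self) -> list:
        """Interface lines in the order the page shows them; sticky entries are
        appended automatically as they are learned, non-default settings only."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 f" switchport port-security maximum {self.maximum}",
                 " switchport port-security"]
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame; returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"           # shutdown mode: nothing passes until reset
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learning window open: MAC becomes secure
            return "forward"
        # Violation: maximum reached and the source MAC is not a secure address.
        if self.violation == "protect":
            return "drop"                   # silent, counter untouched
        self.violation_count += 1
        self.log.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True            # shutdown mode
        return "err-disabled"

    def reset(self) -> None:
        """Equivalent of 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False


def demo(mode: str) -> dict:
    """Section 3 sequence (PC, phone, unknown device, PC again) in the given mode."""
    port = SecurePort("FastEthernet0/10", maximum=2, violation=mode)
    results = {
        "pc": port.receive("aabb.cc00.0100"),
        "phone": port.receive("aabb.cc00.0200"),
        "intruder": port.receive("aabb.cc00.9999"),
        "pc_again": port.receive("aabb.cc00.0100"),   # authorised device after the violation
    }
    results["violations"] = port.violation_count
    results["err_disabled"] = port.err_disabled
    results["secure_macs"] = list(port.secure_macs)
    return results


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9s} {demo(mode)}")
```

Run it and compare the three result dictionaries: only the shutdown row takes down the already-authorised PC, and only the protect row leaves the violation counter at zero, which is exactly why protect gives the operator no signal.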
            

6. Err-Disabled State — Causes, Detection, and Recovery

When violation mode is shutdown and a violation occurs, the port enters err-disabled state. This is a protective mechanism — the port is operationally shut down by the switch's software and will not forward any traffic until it is manually recovered (or automatically if errdisable recovery is configured).

  Detecting an err-disabled port:

  Switch# show interfaces FastEthernet0/10 status
  Port      Name         Status       Vlan  Duplex  Speed
  Fa0/10    John PC      err-disabled 10    auto    auto

  Switch# show port-security interface FastEthernet0/10
  Port Security              : Enabled
  Port Status                : Secure-shutdown     ← confirms port security triggered it
  Violation Mode             : Shutdown
  Aging Time                 : 0 mins
  Aging Type                 : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses      : 2
  Total MAC Addresses        : 2
  Configured MAC Addresses   : 0
  Sticky MAC Addresses       : 2
  Last Source Address:Vlan   : aabb.cc00.9999:10   ← the MAC that triggered the violation
  Security Violation Count   : 1

  Syslog generated at time of violation:
  %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
  MAC address aabb.cc00.9999 on port FastEthernet0/10.
  %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/10, putting
  Fa0/10 in err-disable state
  %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down

  Manual recovery (after identifying and removing the offending device):
  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# shutdown
  Switch(config-if)# no shutdown
  ! The shutdown/no shutdown cycle clears the err-disabled state.
  ! "no shutdown" alone is usually a no-op: the port is already "no shutdown"
  ! administratively (the switch, not an admin, disabled it), so issue
  ! "shutdown" first to change the administrative state, then "no shutdown".
  ! If the port goes err-disabled again straight away, the violating device
  ! is still connected.
            

Check show logging to find the timestamped syslog message identifying the violating MAC, and show interfaces to confirm the err-disabled status before attempting recovery.
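The syslog messages shown above are what a log collector or SIEM sees. As an added example (not from the page, Cisco, or any product), the Python below parses constructed sample log lines in the PSECURE_VIOLATION format shown in this section plus the %PM-4-ERR_DISABLE line Catalyst switches emit when they err-disable a port, and separates a port that went err-disabled (shutdown mode, needing the manual recovery above) from a restrict-mode port that keeps logging the same MAC because the device is still attached. The sample lines, regexes, function names and repeat threshold are assumptions made for the example; protect-mode ports log nothing and therefore never show up here.

```python
"""Detection logic for port-security syslog, as an added example for Section 6
(not from the page, Cisco, or any SIEM product). Message formats assumed here,
matching the constructed sample below:
  %PORT_SECURITY-2-PSECURE_VIOLATION: ... caused by MAC address <mac> on port <intf>.
  %PM-4-ERR_DISABLE: psecure-violation error detected on <intf>, putting <intf> in err-disable state
Function names and the repeat threshold are assumptions for the example."""
import re
from collections import defaultdict

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<intf>\S+)\.", re.I)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<intf>\S+),", re.I)

# Constructed sample (not a real capture): Fa0/10 in shutdown mode, Fa0/20 in restrict mode.
SAMPLE_LOG = """\
*Mar  1 10:14:02.113: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.cc00.9999 on port FastEthernet0/10.
*Mar  1 10:14:02.117: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/10, putting Fa0/10 in err-disable state
*Mar  1 10:14:03.120: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down
*Mar  1 10:20:41.002: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/20.
*Mar  1 10:20:44.310: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/20.
*Mar  1 10:21:10.555: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/20.
"""


def short_name(intf: str) -> str:
    """Normalise 'FastEthernet0/10' and 'Fa0/10' to one key."""
    for long, short in (("FastEthernet", "Fa"), ("GigabitEthernet", "Gi")):
        if intf.startswith(long):
            return short + intf[len(long):]
    return intf


def parse_log(text: str) -> list:
    """Extract violation and err-disable events; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        if (m := VIOLATION_RE.search(line)):
            events.append({"kind": "violation", "intf": short_name(m["intf"]), "mac": m["mac"].lower()})
        elif (m := ERRDISABLE_RE.search(line)):
            events.append({"kind": "err-disable", "intf": short_name(m["intf"]), "mac": None})
    return events


def summarize(events: list, repeat_threshold: int = 3) -> dict:
    """Per interface: violation count, offending MACs, err-disabled flag and a verdict.
    Repeated hits from one MAC with no err-disable line means a restrict-mode port
    whose rogue device is still attached; that needs action, not just a ticket."""
    per = defaultdict(lambda: {"count": 0, "macs": set(), "err_disabled": False})
    for e in events:
        if e["kind"] == "violation":
            per[e["intf"]]["count"] += 1
            per[e["intf"]]["macs"].add(e["mac"])
        else:
            per[e["intf"]]["err_disabled"] = True
    out = {}
    for intf, p in per.items():
        if p["err_disabled"]:
            verdict = "shutdown mode: port err-disabled; remove the device, then shutdown / no shutdown"
        elif p["count"] >= repeat_threshold:
            verdict = "restrict mode: device still connected and being blocked repeatedly"
        else:
            verdict = "restrict mode: isolated violation"
        out[intf] = {"count": p["count"], "macs": sorted(p["macs"]),
                     "err_disabled": p["err_disabled"], "verdict": verdict}
    return out


if __name__ == "__main__":
    for intf, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(intf, s)
```

Feed it the output of show logging (or the collector's copy) and the verdict tells you which recovery path in this section applies; the MAC list is what you look up before deciding whether the device was legitimate.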

Automatic Err-Disable Recovery

  Configure automatic recovery so the port re-enables itself after a timer:
  Switch(config)# errdisable recovery cause psecure-violation
  Switch(config)# errdisable recovery interval 300   ! 300 seconds (5 minutes)

  ! After 300 seconds the port automatically attempts to come back up.
  ! If the offending device is still connected and the violation triggers
  ! again, the port will immediately go back to err-disabled.
  ! Automatic recovery suits environments where a brief outage is acceptable
  ! and nobody is on hand to reset ports; where the port must stay up and you
  ! still want an alert, restrict mode is the better choice.

  Verify recovery settings:
  Switch# show errdisable recovery
  ErrDisable Reason       Timer Status    Timer Interval
  -----------------       ------------    --------------
  psecure-violation       Enabled         300
            

7. Verification Commands — show port-security Annotated

show port-security (Global Summary)

  Switch# show port-security

  Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
  -----------  -------------  -----------  -----------------  ---------------
  Fa0/10       2              2            1                  Shutdown
  Fa0/20       1              0            0                  Restrict

  Column meanings:
  Secure Port        → interface with port security enabled
  MaxSecureAddr      → maximum MAC addresses allowed (configured maximum)
  CurrentAddr        → number of MACs currently learned/configured
  SecurityViolation  → total number of violation events that have occurred
  Security Action    → configured violation mode (see Violation Modes)
            

show port-security interface (Per-Port Detail)

  Switch# show port-security interface FastEthernet0/10

  Port Security              : Enabled
  Port Status                : Secure-up             ← port is up and enforcing security
  Violation Mode             : Shutdown
  Aging Time                 : 0 mins                ← no aging configured
  Aging Type                 : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses      : 2
  Total MAC Addresses        : 2                     ← both slots occupied
  Configured MAC Addresses   : 0                     ← none manually configured
  Sticky MAC Addresses       : 2                     ← both were dynamically learned
  Last Source Address:Vlan   : aabb.cc00.0200:10     ← most recent MAC that accessed port
  Security Violation Count   : 0                     ← no violations yet

  Port Status values:
  Secure-up          → port security active, port forwarding normally
  Secure-shutdown    → violation occurred, port in err-disabled state
  Secure-down        → port administratively shutdown (not port-security related)
            

show port-security address

  Switch# show port-security address

               Secure Mac Address Table
  ---------------------------------------------------------------
  Vlan  Mac Address       Type              Ports   Remaining Age
                                                     (mins)
  ----  -----------       ----              -----   -------------
  10    aabb.cc00.0100    SecureSticky      Fa0/10  -
  10    aabb.cc00.0200    SecureSticky      Fa0/10  -
  ---------------------------------------------------------------
  Total Addresses in System (excluding one mac per port)     : 1
  Max Addresses limit in System (excluding one mac per port) : 4096

  Type "SecureSticky" confirms these were learned dynamically and written to
  the running config. "-" in Remaining Age = no aging configured (sticky MACs
  never time out by default).
  Compare: a manually configured entry (no sticky keyword) shows
  "SecureConfigured", and an address learned on a secure port without sticky
  shows "SecureDynamic" (enforced, but lost on reload).
  Compare with: show mac address-table (see MAC Address Table) which shows
  all dynamically learned MACs across all ports.
            

Viewing Sticky Entries in the Running Config

  Switch# show running-config interface FastEthernet0/10
  Building configuration...

  interface FastEthernet0/10
   description PC - John Smith + IP Phone
   switchport mode access
   switchport access vlan 10
   switchport port-security maximum 2
   switchport port-security
   switchport port-security mac-address sticky
   switchport port-security mac-address sticky aabb.cc00.0100
   switchport port-security mac-address sticky aabb.cc00.0200

  The two "mac-address sticky aabb..." lines were added automatically by the
  switch when the devices connected. An administrator could have typed the same
  lines by hand, and the switch treats them identically. A static entry entered
  without the sticky keyword (switchport port-security mac-address <MAC>) is the
  one that looks different in the config.
            

Use show running-config to view the full interface configuration including all sticky MAC entries. The VLAN assignment (switchport access vlan 10) can be verified with show vlan.

8. Removing and Clearing Sticky MAC Addresses

  ! Remove a single specific sticky MAC entry:
  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# no switchport port-security mac-address sticky aabb.cc00.0100
  ! This removes only the one specified entry; the port remains enabled.

  ! Clear ALL sticky MACs from one interface:
  Switch# clear port-security sticky interface FastEthernet0/10
  ! Removes all sticky entries for Fa0/10 but leaves port security enabled.

  ! Disable sticky MAC learning entirely on an interface:
  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# no switchport port-security mac-address sticky
  ! Existing sticky entries are converted to dynamic secure addresses: they are
  ! removed from the running config but stay in the secure address table until
  ! the port resets or the switch reloads. Enter them as static entries first
  ! if they must persist.

  ! Disable port security entirely on an interface:
  Switch(config-if)# no switchport port-security
  ! Stops enforcement. The maximum, violation and sticky lines may remain in the
  ! running config; check show running-config interface and remove them
  ! individually if no longer wanted.

  Workflow when replacing a device on a secure port:
  1. Identify the sticky MAC to remove: show port-security address
  2. Remove the old MAC: no switchport port-security mac-address sticky <old MAC>
  3. Allow the new device to connect — it will be learned automatically
  4. Save: write memory
            

9. Security Implications and Limitations

Sticky MAC provides meaningful protection against casual unauthorised access — plugging a personal laptop into an office network port will trigger a violation. However, it has important limitations that must be understood for the CCNA exam and for real-world deployments.

  Threat: Unknown device plugs in (maximum not yet reached)
    Protected? No, during the learning period.
    Until all MAC slots are filled, any device can connect and its MAC will be
    learned and authorised. Close the window by pre-configuring the known MACs
    as sticky entries so no slot stays open, or set the maximum to exactly the
    number of expected devices and confirm with show port-security address
    that every slot is filled; then save the config. Saving alone does not
    close the window, it only makes the learned entries persistent.

  Threat: Unknown device plugs in (maximum already reached)
    Protected? Yes.
    Once all slots are occupied, any new MAC triggers the violation action; the
    port protects the known devices.

  Threat: MAC address spoofing
    Protected? No.
    An attacker who knows an authorised MAC address can configure their NIC to
    use that MAC; the switch sees the "correct" MAC and allows the connection.
    Sticky MAC only validates the MAC address, not the physical device.
    Mitigation: combine with 802.1X authentication (see AAA Authentication
    Methods), which validates device credentials, not just MAC addresses.

  Threat: Attacker connects before the legitimate device
    Protected? No.
    If an attacker connects before the authorised device (e.g., on an unused
    port), their MAC is learned and authorised. This is why sticky MAC should
    be deployed only on ports where legitimate devices are already known, and
    the configuration should be saved immediately.

  Threat: Hubs or unmanaged switches connected to a port
    Protected? Partially.
    A hub passes multiple device MACs through one switch port, and each
    device's MAC counts against the maximum. If maximum is 1 and a hub with
    2 PCs is connected, the second PC triggers a violation even though both
    are "legitimate".

Layered security recommendation: Sticky MAC alone is not sufficient for high-security environments. It should be combined with: BPDU Guard on access ports (prevents rogue switch connections), ACLs (controls what traffic is permitted), firewall rules, and where the environment supports it, 802.1X port-based authentication (see AAA Authentication Methods). Physical security (locked wiring closets, secured wall plates) is also essential — sticky MAC cannot protect against physical access to a cable.

10. Step-by-Step Troubleshooting Scenarios

Scenario A — Port Goes Err-Disabled Unexpectedly

  Complaint: PC cannot access the network on Fa0/10.

  Step 1: show interfaces FastEthernet0/10 status
  Status = err-disabled → port security violation or another err-disable cause

  Step 2: show port-security interface FastEthernet0/10
  Port Status: Secure-shutdown        ← port security triggered
  Last Source Address: aabb.cc00.9999 ← the MAC that caused the violation
  Security Violation Count: 1

  Step 3: Identify the offending device
  → Was a new device connected? Was an IP phone moved here? Was a hub added?
  → Check if aabb.cc00.9999 belongs to an authorised device (MAC lookup)

  Step 4: Remove the offending device if unauthorised

  Step 5: Reset the port
  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# shutdown
  Switch(config-if)# no shutdown

  Step 6: Verify recovery
  Switch# show port-security interface FastEthernet0/10
  Port Status: Secure-up ✓

  If the port goes err-disabled again immediately → the offending device
  is still connected. Remove it before resetting.
            

Also check show logging for the timestamped violation syslog message and show interfaces to confirm the err-disabled status.

Scenario B — Sticky MACs Lost After Reboot

  After a switch reboot, devices that previously connected successfully
  now trigger violations on their ports.

  Diagnosis: show startup-config | include sticky
  → If no sticky MAC entries appear, they were never saved.
  → Running config had the entries but startup config did not.

  Root cause: admin forgot to run "write memory" after the MACs were learned.

  Fix: Allow devices to reconnect (switch will re-learn MACs into running config)
  → Verify: show port-security address  (entries should reappear)
  → Save immediately: Switch# write memory

  Prevention: after initial deployment, always run write memory once all
  expected devices have connected and show port-security address confirms
  all entries are present.
            

Use show running-config to confirm the sticky entries are present before saving, and show vlan to verify the VLAN assignment is also correct.
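Scenario B, and the open learning window from Section 9, are both checkable from configuration text alone. The Python below is an added example, not part of this page or of Cisco's tooling: it parses the interface blocks of a running-config and a startup-config (constructed samples, with the Section 7 interface as one of them) and reports sticky MACs that exist only in the running config, sticky ports with free slots, ports in protect mode, permissive maximums, and ports not in static access mode. Interface names beyond Fa0/10, the MAC aabb.cc00.0300, the function names and the threshold are assumptions made for the sample.

```python
"""Port-security config audit: an added example for Sections 7 and 9 and Scenario B,
not part of the page or of Cisco's tooling. Parses 'show running-config' and
'show startup-config' interface blocks (constructed samples) and reports findings."""
import re

IFACE_RE = re.compile(r"^interface (\S+)$")
STICKY_MAC_RE = re.compile(r"^ switchport port-security mac-address sticky ([0-9a-f.]{14})$", re.I)

# Constructed 'show running-config' excerpt; Fa0/10 is the Section 7 port.
RUNNING_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.0100
 switchport port-security mac-address sticky aabb.cc00.0200
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.0300
 switchport port-security violation protect
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security mac-address sticky
!
end
"""

# Constructed 'show startup-config': saved before the phone (0200) connected and
# before Fa0/11 and Fa0/12 were configured at all.
STARTUP_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.0100
!
end
"""


def parse_config(text: str) -> dict:
    """Return {interface: settings} for every interface with port security enabled."""
    ports, cur = {}, None
    for line in text.splitlines():
        if (m := IFACE_RE.match(line)):
            cur = {"enabled": False, "mode": None, "maximum": 1,      # IOS defaults
                   "violation": "shutdown", "sticky": False, "sticky_macs": []}
            ports[m.group(1)] = cur
        elif cur is None or not line.startswith(" "):
            cur = None                                   # '!' or 'end' closes the block
        elif line == " switchport port-security":
            cur["enabled"] = True
        elif line.startswith(" switchport mode "):
            cur["mode"] = line.split()[-1]
        elif line == " switchport port-security mac-address sticky":
            cur["sticky"] = True
        elif (m := STICKY_MAC_RE.match(line)):
            cur["sticky_macs"].append(m.group(1).lower())
        elif line.startswith(" switchport port-security maximum "):
            cur["maximum"] = int(line.split()[-1])
        elif line.startswith(" switchport port-security violation "):
            cur["violation"] = line.split()[-1]
    return {name: p for name, p in ports.items() if p["enabled"]}


def audit(running: str, startup: str, max_threshold: int = 10) -> dict:
    """Findings per secured interface in the running config (empty list = clean)."""
    run, start = parse_config(running), parse_config(startup)
    findings = {}
    for intf, p in run.items():
        f = []
        unsaved = sorted(set(p["sticky_macs"]) - set(start.get(intf, {}).get("sticky_macs", [])))
        if unsaved:                                   # Scenario B, caught before the reload
            f.append("unsaved sticky MACs (lost on reload): " + ", ".join(unsaved))
        if p["sticky"] and len(p["sticky_macs"]) < p["maximum"]:
            f.append(f"learning window open: {len(p['sticky_macs'])}/{p['maximum']} slots filled")
        if p["violation"] == "protect":
            f.append("violation mode protect: violations are invisible")
        if p["maximum"] >= max_threshold:
            f.append(f"maximum {p['maximum']} is very permissive")
        if p["mode"] != "access":
            f.append(f"port mode {p['mode']}: port security expects a static access port")
        findings[intf] = f
    return findings


if __name__ == "__main__":
    for intf, f in audit(RUNNING_CONFIG, STARTUP_CONFIG).items():
        print(intf, f or ["OK"])
```

Point it at the real show running-config and show startup-config output (saved to files) after a deployment, and run it again on a schedule: an "unsaved sticky MACs" finding is the Scenario B outage before it happens, and a "learning window open" finding is the Section 9 exposure that saving the config does not close.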

Scenario C — Cannot Add a New Legitimate Device

  IT department needs to add a new PC to a port that already has 2 sticky MACs.

  Approach 1: Increase the maximum
  Switch(config)# interface FastEthernet0/10
  Switch(config-if)# switchport port-security maximum 3
  The new PC can now connect; its MAC will be learned as the third entry.

  Approach 2: Remove the old device's sticky MAC entry
  Identify old MAC: show port-security address
  Remove it: Switch(config-if)# no switchport port-security mac-address sticky <old MAC>
  The freed slot allows the new device to be learned.

  Approach 3: Clear all sticky MACs and re-learn
  Switch# clear port-security sticky interface FastEthernet0/10
  All devices re-connect and are re-learned in fresh slots.
  Remember to save: write memory
            

Scenario D — Port Security Not Working (All Devices Allowed)

  Complaint: port security seems to have no effect — unknown devices connect freely.

  Step 1: show port-security interface FastEthernet0/10
  Port Security: Disabled  ← port security is not enabled at all!
  Fix: switchport port-security (must be explicitly enabled)

  Step 2 (if enabled): check the violation mode
  Violation Mode: Protect  ← violations are being silently dropped
  The port IS blocking the unknown device but generating no alert.
  Consider changing to Restrict or Shutdown for visibility.

  Step 3: check the port mode
  show interfaces FastEthernet0/10 switchport
  Administrative Mode: dynamic auto  ← DTP mode; port security is rejected here
                                       ("Command rejected: ... is a dynamic port")
  Fix: switchport mode access first, then re-apply port security.
  (Older platforms also refuse port security on trunk ports; this page assumes
  access ports throughout.)
  See Access & Trunk Ports for the correct access port configuration.

  Step 4: check if maximum is set very high
  Maximum MAC Addresses: 100  ← too permissive; many devices can connect
  Reduce: switchport port-security maximum 2
            

11. Exam Tips & Key Points

  • Sticky MAC = dynamically learns MAC addresses AND writes them to the running configuration automatically. This is what distinguishes it from both purely dynamic (not saved) and purely static (manually entered) entries.
  • Sticky MACs survive a reload only if write memory or copy running-config startup-config is run. Without saving, all sticky entries are lost on reboot. Verify with show running-config.
  • Port security requires a statically configured port, normally an access port: run switchport mode access before enabling it. A port still in dynamic (DTP) mode rejects the command.
  • Know all three violation modes: Protect (silently drops, no log, counter not incremented), Restrict (drops + syslog/SNMP, counter incremented, port stays up), Shutdown (err-disables port + syslog/SNMP — default). Protect is least visible; Shutdown is most disruptive.
  • The default violation mode is Shutdown and the default maximum is 1 — if no maximum is configured, even a second device triggers a shutdown.
  • Recovering an err-disabled port requires a shutdown then no shutdown cycle on the interface — running no shutdown alone when already err-disabled does not work on all platforms. Check show interfaces status before recovery.
  • Sticky MACs do not age out by default — once learned, they stay permanently unless cleared manually or the port security config is removed.
  • Sticky MAC does not protect against MAC spoofing — an attacker who knows an authorised MAC can use it to bypass port security. 802.1X (see AAA Authentication Methods) is required for credential-based port authentication.
  • Key commands: show port-security (summary), show port-security interface <int> (per-port detail including violation count and last violating MAC), show port-security address (all learned secure MACs). Also see show mac address-table for the full dynamic MAC table.
  • A port showing Secure-shutdown in show port-security interface output was taken down by port security — not by an admin shutdown command. The syslog message will appear in show logging.

12. Summary Reference Table

  Enable port security      : switchport port-security (static access mode required first)
  Enable sticky learning    : switchport port-security mac-address sticky
  Set maximum MACs          : switchport port-security maximum <n> (default: 1)
  Default violation mode    : Shutdown (err-disables port). See Violation Modes.
  Violation modes           : Protect (silent drop), Restrict (drop + syslog), Shutdown (err-disable)
  Sticky MAC storage        : Running config; survives reboot only after write memory. Verify with show running-config.
  Sticky MAC aging          : None by default; entries persist until cleared
  Recover err-disabled port : shutdown then no shutdown on the interface. Check show interfaces to confirm.
  Auto-recovery             : errdisable recovery cause psecure-violation + errdisable recovery interval <s>
  Clear sticky MACs         : clear port-security sticky interface <int>
  Verify per-port detail    : show port-security interface <int>
  Verify learned MACs       : show port-security address. See also show mac address-table.
  MAC spoofing protection   : No; combine with 802.1X (see AAA Authentication Methods) for credential-based auth
  Hands-on lab              : Port Security & Sticky MAC Lab

Sticky MAC Quiz

1. What is the primary purpose of enabling Sticky MAC on a switch port, and how does it differ from simply enabling dynamic MAC learning?

Correct answer is D. Port security with sticky MAC combines the convenience of automatic MAC learning with the security enforcement of static MAC addresses. The critical distinction from dynamic learning is that sticky MACs are written to the running configuration and treated as authorised addresses — subsequent devices that don't match are blocked and trigger the configured violation action. Dynamic MAC learning imposes no restrictions at all.

2. A switch is configured with sticky MAC, maximum 1, violation shutdown. After the legitimate PC connects, what happens to its MAC address and what happens if a second device is plugged into the same port?

Correct answer is B. When the first PC connects, its MAC is dynamically learned and written to the running configuration as a sticky entry (switchport port-security mac-address sticky <MAC>). The port is now "full" (maximum 1). When a second device sends a frame, the switch sees a new unknown MAC with the maximum already reached; the violation mode is shutdown, so the port immediately enters err-disabled state and both the PC and the new device lose connectivity. Recovery: remove the intruding device, then cycle the interface with shutdown/no shutdown. See Port Security & Sticky MAC Lab.

3. What is the critical operational difference between violation mode "restrict" and violation mode "protect"?

Correct answer is C. Both restrict and protect keep the port up and drop frames from violating MACs — authorised devices continue communicating normally. The critical operational difference is visibility: restrict generates a syslog alert, sends an SNMP trap to the NMS, and increments the SecurityViolation counter in show port-security. Protect is completely silent — no logging, no SNMP, no counter increment. In production, protect means you would have no idea unauthorised devices are being blocked, which is why restrict is almost always the better choice when you want the port to stay up. See Port Security Violation Modes for the full comparison.

4. After configuring sticky MAC on Fa0/10 and allowing the PC to connect, the engineer reloads the switch. The PC now triggers a port security violation. What was missed and how is it prevented?

Correct answer is A. This is the most common sticky MAC operational mistake. Sticky entries are written to the running configuration (RAM) automatically, but running config is volatile — it is lost on every reload. The port security configuration itself (the commands without the MAC addresses) survives in startup config if it was configured before the reload. Only the learned MAC addresses are lost. Prevention: after all expected devices have connected, verify with show port-security address that all entries are present, then immediately run write memory to persist them to startup config (NVRAM).

5. An engineer configures sticky MAC on a port that is currently in trunk mode. What happens?

Correct answer is D. At CCNA level port security is treated as an access port feature: it requires a statically configured port and cannot be enabled on dynamically negotiated (DTP) ports or on EtherChannel ports, and older platforms refuse it on trunk ports as well (some newer Catalyst IOS releases accept it on a static trunk, but the expected answer and this page assume access ports). On a dynamic port the command is rejected with "Command rejected: <interface> is a dynamic port." The correct sequence is: (1) switchport mode access to set access mode; (2) switchport access vlan <n> to assign the VLAN; (3) then apply port security. See Assigning VLANs to Switch Ports Lab.

6. What does "SecureSticky" in the Type column of "show port-security address" output indicate, and how does it differ from "SecureConfigured"?

Correct answer is C. In show port-security address output, SecureSticky entries were learned by the switch and written to the running config as switchport port-security mac-address sticky <MAC>. SecureConfigured entries were entered by the administrator with switchport port-security mac-address <MAC>, the same command without the sticky keyword, so the two are distinguishable in the running config. Both are enforced the same way; the difference is how they were created and that sticky entries can be cleared with clear port-security sticky.

7. Why does Sticky MAC NOT protect against MAC address spoofing attacks?

Correct answer is B. MAC addresses are Layer 2 identifiers embedded in Ethernet frame headers. An attacker who discovers (or sniffs) an authorised MAC address can trivially change their NIC's MAC to match using simple OS commands. The switch inspects only the source MAC in the frame — it has no way to distinguish between the real device and a device that has cloned its MAC. This is the fundamental limitation of all MAC-based security. The solution is 802.1X port-based authentication (see AAA Authentication Methods), which validates cryptographic credentials through an authentication server — credentials that cannot be cloned by simply reading a MAC address.

8. A port shows "Secure-shutdown" in show port-security interface output. What does this mean, and what is the exact recovery procedure?

Correct answer is A. Secure-shutdown specifically means the port was taken down by a port security violation — distinguish this from Secure-down (port administratively shut by an admin) and Secure-up (port healthy). The recovery procedure requires removing the offending device first — if you try to recover while the violating device is still plugged in, the port comes up briefly and then immediately triggers another violation and returns to err-disabled. The full procedure: (1) identify the violating MAC from "Last Source Address" in the output; (2) disconnect the device; (3) shutdown the interface; (4) no shutdown the interface; (5) verify show interfaces and show port-security interface show Secure-up. Check show logging for the original violation timestamp.

9. After the learning period for sticky MAC is complete and both MAC slots are filled, what must the engineer do to ensure the learned entries survive a switch reload?

Correct answer is D. The deployment workflow for sticky MAC is: (1) configure port security with sticky and the appropriate maximum and violation mode; (2) allow all legitimate devices to connect — the switch learns their MACs automatically; (3) verify all expected devices have been learned: show port-security interface <int> should show "Sticky MAC Addresses: <n>" matching your maximum, and "Total MAC Addresses: <n>" at maximum capacity; (4) immediately run write memory — this is the critical step; (5) confirm persistence: show startup-config | include sticky should show the learned MAC entries. After this workflow, a reload will restore all sticky entries from startup config and the port will immediately recognise and accept the known devices without requiring a new learning period.

10. A port is configured for sticky MAC, maximum 2, violation shutdown. Both MAC slots are filled. A third device connects. The port goes err-disabled. What is the exact recovery procedure and what precaution must be taken before recovery?

Correct answer is B. Port security recovery is a two-step process and the order matters. The most common mistake is running no shutdown while the offending device is still connected — the port briefly comes up, the switch sees the unknown MAC again, and the port immediately returns to err-disabled. This creates an apparent loop where the port "won't stay up." The correct procedure: (1) Identify the violating MAC using show port-security interface <int> — the "Last Source Address" field shows the MAC that triggered the violation; (2) Physically disconnect or identify the offending device; (3) On the switch: enter the interface and run shutdown then no shutdown — this cycle clears the err-disabled state; (4) Verify recovery: show port-security interface <int> should now show "Port Status: Secure-up". Check show interfaces to confirm the interface is fully up; (5) If the device was legitimate but exceeded the limit, either increase the maximum or clear an old sticky entry to make room for it.
