Sticky MAC Address Table Full — New Devices Blocked
Presenting Symptom
New devices cannot connect to the network; existing devices work fine, but switch logs show 'Security violation occurred' messages.
Network Context
A small branch office with a single Cisco Catalyst 2960 switch (IOS 15.2) connecting 10 workstations and 2 printers. Port security with sticky MAC learning is enabled on access ports. The switch has been running for months without issues until recently when new laptops were added.
Diagnostic Steps
Check interface status and security violations
show interfaces status | include err-disabled

Port   Name         Status        Vlan  Duplex  Speed  Type
Gi0/1  Laptop-New   err-disabled  10    auto    auto   10/100/1000BaseTX
If any ports are in err-disabled state, it indicates a security violation. This confirms the symptom.
View port security configuration and violations on the problematic interface
show port-security interface gigabitEthernet 0/1

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
The output shows a maximum of 2 MAC addresses, and the sticky MAC count is already at that limit. The security violation count is 1, meaning a new MAC address was blocked.
Check the sticky MAC address table to see which MACs are learned
show port-security address

          Secure Mac Addresses
-------------------------------
Vlan  Mac Address     Type          Ports  Remaining Age (mins)
----  -----------     ----          -----  --------------------
  10  0011.2233.4455  SecureSticky  Gi0/1  -
  10  0011.2233.4466  SecureSticky  Gi0/1  -
The table shows two sticky MAC addresses on Gi0/1, which matches the maximum. Any new device with a different MAC will be blocked.
Check the switch log for security violation messages
show logging | include %PORT_SECURITY

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccdd.eeff on port GigabitEthernet0/1.
The log confirms a security violation due to a new MAC address (aabb.ccdd.eeff) attempting to access the port.
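As an added check (example code, not part of the original scenario), a small Python parser that reads the 'show port-security interface' output and the PSECURE_VIOLATION syslog line shown above and reports why the port is blocking new hosts; the sample text is constructed to match the outputs in this scenario.

```python
import re

# Constructed sample: 'show port-security interface gigabitEthernet 0/1' output matching the scenario above.
SAMPLE_SHOW_PSEC_INTF = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
"""
# Constructed sample syslog line with the MAC and port from the scenario.
SAMPLE_LOG = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
              "caused by MAC address aabb.ccdd.eeff on port GigabitEthernet0/1.")
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?$")

def parse_psec_interface(text):
    """Map each 'Field : value' line of the show output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")  # ' : ' keeps 'Address:Vlan' intact
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def diagnose(fields):
    """Return the findings that explain why new hosts are blocked on this port."""
    maximum = int(fields["Maximum MAC Addresses"])
    total = int(fields["Total MAC Addresses"])
    violations = int(fields["Security Violation Count"])
    findings = []
    if total >= maximum:
        findings.append(f"secure MAC table full ({total}/{maximum})")
    if violations:
        findings.append(f"{violations} violation(s) recorded")
    if fields["Port Status"] == "Secure-down" and fields["Violation Mode"] == "Shutdown":
        findings.append("port err-disabled by shutdown violation mode")
    return findings

def parse_violation_log(line):
    """Extract (offending MAC, port) from a PSECURE_VIOLATION syslog line, or None."""
    m = VIOLATION_RE.search(line)
    return (m.group(1), m.group(2)) if m else None
```

Running diagnose() over the sample yields the three findings that match the root cause below; the same functions can be pointed at output collected from a live switch.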
Root Cause
The port security configuration on GigabitEthernet0/1 has a maximum MAC address limit of 2, and sticky MAC learning has already populated the table with two MAC addresses. When a new device with a different MAC address tries to connect, it triggers a security violation, causing the port to go into err-disabled state (shutdown mode).
Resolution
Verification
Verify the port is up and there are no violations:

show interfaces status | include Gi0/1
Expected output: Gi0/1 connected 1 a-full a-1000 10/100/1000BaseTX

show port-security interface gigabitEthernet 0/1
Expected output: Port Status: Secure-up, Security Violation Count: 0

show port-security address
Expected output: The new MAC address should appear in the sticky table.
Prevention
1. Set an appropriate maximum MAC address limit based on the number of expected devices per port (e.g., for a single workstation, set maximum to 1).
2. Use sticky MAC aging to automatically remove unused MAC addresses after a timeout.
3. Implement 802.1X authentication for dynamic access control instead of static port security.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where a port goes err-disabled due to port security violation. The exam tests understanding of port security modes (shutdown, restrict, protect), sticky MAC learning, and the commands to verify and resolve violations. Candidates must know how to interpret 'show port-security interface' output and the steps to recover a port.
Exam Tips
Remember that the default violation mode is 'shutdown', which err-disables the port. 'restrict' drops frames but keeps the port up, and 'protect' drops frames without logging.
Sticky MAC addresses are saved in the running-config; if you clear them, they are removed from the config. Use 'clear port-security sticky' to reset.
The command 'show port-security address' shows all secure MAC addresses; look for the 'Type' column to distinguish sticky from static.
Commands Used in This Scenario
show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.