Configuring secure MAC addresses

Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up events. You can bind a secure MAC address to only one port in a VLAN.


IMPORTANT:

When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.


Secure MAC addresses are classified as static, sticky, or dynamic.

Table 12: A comparison of static, sticky, and dynamic secure MAC addresses

| Type | Address sources | Aging mechanism | Can be saved and survive a device reboot? |
|---|---|---|---|
| Static | Manually added | Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature. | Yes. |
| Sticky | Manually added, converted from dynamic secure MAC addresses, or automatically learned when the dynamic secure MAC function (port-security mac-address dynamic) is disabled. | Sticky MAC addresses by default do not age out, but you can configure an aging timer or use the aging timer together with the inactivity aging function to delete old sticky MAC addresses. If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address. If both an aging timer and the inactivity aging function are configured, the aging timer restarts once traffic data is detected from the sticky MAC address. | Yes. The secure MAC aging timer restarts at a reboot. |
| Dynamic | Converted from sticky MAC addresses or automatically learned after the dynamic secure MAC function is enabled. | Same as sticky MAC addresses. | No. All dynamic secure MAC addresses are lost at reboot. |
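
The aging and reboot behavior in Table 12, as an added Python model (illustration only, not device code or part of the original documentation). It shows why a sticky entry for a host that is still sending traffic is deleted when only an aging timer is set, but kept when inactivity aging is also enabled. The class and function names, the one-minute tick, and the sample addresses are assumptions; the model assumes the configuration was saved before the reboot and leaves out addresses configured with mac-address dynamic or mac-address static.

```python
from dataclasses import dataclass, field

MAC_A, MAC_B = "0000-5e00-5301", "0000-5e00-5302"  # constructed sample addresses

@dataclass
class Entry:
    kind: str      # "static", "sticky" or "dynamic"
    age: int = 0   # minutes counted by the aging timer

@dataclass
class Port:
    max_count: int
    aging_timer: int = 0      # minutes; 0 = no aging (the sticky default)
    inactivity: bool = False  # inactivity aging function on/off
    dynamic_fn: bool = False  # models port-security mac-address dynamic
    table: dict = field(default_factory=dict)

    def frame(self, mac):
        """Return True if a frame sourced from mac is allowed through."""
        if mac in self.table:
            if self.inactivity:
                self.table[mac].age = 0  # traffic restarts the aging timer
            return True
        if len(self.table) >= self.max_count:
            return False                 # maximum reached: nothing new is learned
        self.table[mac] = Entry("dynamic" if self.dynamic_fn else "sticky")
        return True

    def tick(self):
        """Advance one minute and delete aged-out sticky/dynamic entries."""
        for mac, entry in list(self.table.items()):
            if entry.kind != "static" and self.aging_timer:  # static never ages
                entry.age += 1
                if entry.age >= self.aging_timer:
                    del self.table[mac]

    def reboot(self):
        """Dynamic entries are lost; the others return with the timer restarted."""
        self.table = {m: Entry(e.kind) for m, e in self.table.items() if e.kind != "dynamic"}

def first_age_out(inactivity, timer=5, minutes=12):
    """Host sends a frame every minute; return when its entry ages out, or None."""
    port = Port(max_count=1, aging_timer=timer, inactivity=inactivity)
    port.frame(MAC_A)
    for minute in range(1, minutes + 1):
        port.tick()
        if MAC_A not in port.table:
            return minute
        port.frame(MAC_A)
    return None
```
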