Cisco Catalyst 3650 series Command Reference Manual page 860

switchport port-security mac-address
• A secure port cannot be a routed port.
• A secure port cannot be a protected port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Gigabit or 10-Gigabit EtherChannel port group.
• You cannot configure static secure or sticky secure MAC addresses in the voice VLAN.
• When you enable port security on an interface that is also configured with a voice VLAN, set the
• Voice VLAN is supported only on access ports and not on trunk ports.
Sticky secure MAC addresses have these characteristics:
• When you enable sticky learning on an interface by using the switchport port-security mac-address
• If you disable sticky learning by using the no switchport port-security mac-address sticky interface
• When you configure sticky secure MAC addresses by using the switchport port-security mac-address
• If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the
• If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address
You can verify your settings by using the show port-security privileged EXEC command.
Examples This example shows how to configure a secure MAC address and a VLAN ID on a port:
Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# switchport mode trunk
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security mac-address 1000.2000.3000 vlan 3
This example shows how to enable sticky learning and to enter two sticky secure MAC addresses on a port:
Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# switchport port-security mac-address sticky
Command Reference, Cisco IOS XE Everest 16.5.1a (Catalyst 3650 Switches)
834
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone,
the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN,
but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional
MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure
enough secure addresses to allow one for each PC and one for the Cisco IP phone.
sticky interface configuration command, the interface converts all the dynamic secure MAC addresses,
including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC
addresses and adds all sticky secure MAC addresses to the running configuration.
configuration command or the running configuration is removed, the sticky secure MAC addresses
remain part of the running configuration but are removed from the address table. The addresses that
were removed can be dynamically reconfigured and added to the address table as dynamic addresses.
sticky mac-address interface configuration command, these addresses are added to the address table
and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in
the running configuration.
interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky
secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are
converted to dynamic secure addresses and are removed from the running configuration.
interface configuration command, an error message appears, and the sticky secure MAC address is not
added to the running configuration.