Port s curity

Got few doubts regarding port security:-
1> do statically configured and dynamically learned sticky secure mac addresses age out with the aging time 10 command??
2>how can a interface automatically recover from errdisable voiltion mode with switchport port-security aging time 10 command???
3>if i have a pc whose mac address is learned by switch interface dynamically.the aging time is set to 60 min and aging type is absolute.then if i disconnect this pc before 60mins and plug another device then will the port go into err-disble mode and the port will stick to the first learned mac address for 60min…can somebody explain me this scenario…

Thanks a lot…

Hello Sumant

The switchport port-security aging static command is specifically used in order to specify the aging time of statically defined secure MAC addresses on a port. If the static keyword is not used, then the aging is only applied to the dynamically learned addresses. More information on these commands can be found here:

The err-disabled state has a feature on Cisco devices where you can configure an automatic recovery of the interface based on the reason for the err-disabled state. Specifically, the following command will configure an interface that has been put in err-disabled state due to a port security violation to recover after 300 seconds, or five minutes:

errdisable recovery cause psecure-violation

This is a global command that is configured in the global configuration mode. The default timer for the recovery is 300 seconds, but this can be changed to 120 seconds for example, using the following command:

errdisable recovery interval 120

Remember that errdisable is a state of an interface if there is an error or a violation of some parameters set in the config. It is not exclusive to port security. Port security is only one of the many reasons for an err-disabled state to occur on an interface.

More information about the err-disable state and its automatic recovery can be found here:

I hope this has been helpful!


hi Lazaros
Thanks for the explanation.i think i have most of the doubts regarding port security are cleared except aging time…i hope you can help me with that.

1>ok…i got it that sticky secure and static secure mac addresses do not age out unless we specify static keyword in aging time command.Only dynamic secure mac addresses will be flushed out.Now my question is whether the aged out entries for static configured and sticy secure(if we use static keyword in aging command) are flushed from mac table only or from both mac table and running configuaration?

2>if a secure port has already learned a sticky secure address and aging time with static keyword has 120min and aging type absolute.it has default violation set. after 10 minutes if i disconnect it and connect other host pc2 to it then whether the port will shutdown immediately(err-disableor)or it will staty up/upfor 120 min because the port will stick to the first mac address of pc1 for 120min.
will secure port maintain its association with pc1 mac address for 120min and you will only be able to connect other pc after 120minutes.

3>If no static keyword is used in aging time command.i would use a example again…

switchport port-security 
switchport port-security mac address sticky
switchport port-security aging time 100

–if the port has learned sticky address and therefore it will maintain its asociation with the port as long as the switch is not reloded(asumming we are not doing copy run start).
—Again the port will keep its association with the learned mac for 100 minutes.if we will connect any other host it will go into violation mode but after shutdown and noshutdown it will again go into violation if we connect any other host except the one whose mac was learned.

sorry if i am asking the same question around and around,but this is the only thing about port security which is not letting me move forward.
if you have any better example to explain me then i would really appreciate that.



Hello Sumant

The aging keyword only affects the MAC addresses configured with the sticky command. Those entered and removed from the config, that is. The MAC addresses in the MAC address table time out based on a different timer, that of the MAC address table itself which is set to 300 seconds by default. You can adjust that as well using the mac address-table aging-time command but it will affect all addresses in the MAC address table. It is possible however to adjust this timer on a per VLAN basis as well. The MAC address table timer does not affect the sticky aging time configuration.

If aging time is set to 120 and you have a sticky or static secure MAC address configured on a port, and you have set 120 minutes as the port security aging timer, then if you plug in a new device and there is a violation and you go into errdisabled state, and you do a shut no shut, and you plug in the same device again, it will indeed go into violation again. You MUST wait 120 minutes for the timer to expire OR you can go into the config and change the settings on the interface.

Yes, that is correct.

Again, this is correct.

I hope this has been helpful!


1 Like

Hi Lazaros

Your explanation has been really helpful,Now i know everything i needed to know about port security.Thanks for taking time to reply.