Identifying, Troubleshooting and Resolving the Issue

Identifying The Issue

In this scenario, you receive a report that a user (we’ll call him John) can successfully make calls to anyone except one particular user (we’ll call her Sarah). You’re on site, so naturally you go to Sarah’s phone to troubleshoot. You find out that Sarah is able to successfully make calls to everyone except John. Until recently, they were able to call each other without any problems. Odd, right?

Upon inquiring, you find out that only one thing changed recently: management relocated John, and he took his phone with him. Since then, his calls to Sarah have resulted in the issue, and the two are no longer able to communicate. What next?

Troubleshooting The Issue

The next step would be to check the switch where John’s phone was initially connected. Identifying the particular interface would quickly narrow down the issue. The cause is the sticky MAC address feature configured for port-security.

Figure 1.0 showing example of network topology where John and Sarah were connected to the same switch

When John was at the initial location, the switch would’ve saved the phone’s MAC address. Normally, after disconnecting the phone, the switch would drop the address from its MAC address table. However, because of the sticky MAC address, this does not happen.

Figure 1.1 showing the traffic being dropped by the switch when the same MAC address is detected

Now, John tries to make a call from his new office. The switch that he was initially connected to is seeing incoming traffic from MAC address DDDD. It’s seeing this traffic going to another one of its interfaces, to MAC address DDDD. The switch drops the traffic to avoid a potential loop on the network.

You’d think that the call would just fail altogether. However, that’s not the case. The call goes through, but neither party is able to hear the other. As you can imagine, this can occur with multiple phones, and would most likely be the case.

Any user connected to the initial switch would encounter the problem trying to connect with the phone that was moved to the second switch.

Resolving The Issue

Clearing the sticky MAC address on the initial switch will resolve the issue. There are multiple ways to do this. To clear the sticky MAC addresses on the entire switch:

clear port-security all

All secure MAC addresses on the switch would be cleared. They would then be relearned and added to the MAC address table once connected. This more or less defeats the purpose of using port-security with sticky MAC addresses.

Let’s say the interface that John was initially in was Gigabit-Ethernet 1/0/1 (Gi1/0/1). To clear all sticky MAC addresses on interface Gigabit-Ethernet 1/0/1:

clear port-security sticky interface gi1/0/1

Replace gi1/0/1 with the interface on your switch that needs the sticky MAC address cleared.

To clear the specific sticky MAC address:

clear port-security sticky address DDDD

Replace DDDD with the actual MAC address you’re trying to clear. You can read more on port-security and sticky MAC addresses in Cisco’s Configuration Guide.
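To find which sticky entries need the targeted clear, the check below compares pasted show port-security address output from the initial switch with show mac address-table output from the second switch. It is an added example, not part of the original article; the sample tables, the expanded MAC dddd.dddd.dddd and the uplink port Gi1/0/48 are constructed for illustration.

```python
import re

# One data row of "show port-security address" or "show mac address-table":
# VLAN, dotted-hex MAC, entry type, port (any trailing columns are ignored).
ROW = re.compile(
    r"^[ \t]*(\d+)[ \t]+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})[ \t]+(\S+)[ \t]+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_rows(cli_output):
    """Return (vlan, mac, type, port) tuples; header lines are skipped."""
    return [(int(vlan), mac.lower(), typ, port)
            for vlan, mac, typ, port in ROW.findall(cli_output)]

def stale_sticky(old_secure_output, new_mac_output, new_uplinks=()):
    """Sticky entries on the old switch whose MAC is now live on an access
    port (any port not listed in new_uplinks) of the new switch."""
    live = {mac: port for _, mac, _, port in parse_rows(new_mac_output)
            if port not in new_uplinks}
    return [(mac, port, live[mac])
            for _, mac, typ, port in parse_rows(old_secure_output)
            if typ == "SecureSticky" and mac in live]

def clear_commands(stale):
    """Targeted clear per stale MAC, leaving other sticky entries in place."""
    return [f"clear port-security sticky address {mac}" for mac, _, _ in stale]

# Constructed sample: secure address table pasted from the initial switch.
OLD_SWITCH_SECURE = """\
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  20    dddd.dddd.dddd    SecureSticky        Gi1/0/1      -
  20    aaaa.aaaa.aaaa    SecureSticky        Gi1/0/2      -
  20    bbbb.bbbb.bbbb    SecureDynamic       Gi1/0/3      -
"""

# Constructed sample: MAC address table pasted from the second switch.
NEW_SWITCH_MACS = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    dddd.dddd.dddd    DYNAMIC     Gi1/0/7
  20    aaaa.aaaa.aaaa    DYNAMIC     Gi1/0/48
  20    cccc.cccc.cccc    DYNAMIC     Gi1/0/9
"""

if __name__ == "__main__":
    stale = stale_sticky(OLD_SWITCH_SECURE, NEW_SWITCH_MACS, {"Gi1/0/48"})
    for (mac, old_port, new_port), cmd in zip(stale, clear_commands(stale)):
        print(f"{mac}: sticky on {old_port}, live on {new_port} -> {cmd}")
```

Listing the uplink matters: without it, every phone still on the initial switch appears on the second switch's uplink and would be flagged as moved.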

Other Issues That Could Potentially Occur

As you may already know, if the phone relocates to another port on the same switch, the port goes into err-disabled mode. This is easier to troubleshoot and resolve.

However, there could also be another situation involving two switches where the phone simply does not register. This can occur if the switches are daisy-chained. Depending on the situation, the phone would fail to obtain an IP address despite all other configurations being correct. This situation is harder to identify. As a network administrator, keep this in mind when dealing with sticky MAC addresses.