Cisco switch commands cheat sheet (CLI)

port-security max-mac-num

Function

The port-security max-mac-num command sets the maximum number of secure MAC addresses that can be learned on an interface.

The undo port-security max-mac-num command restores the default maximum number of secure MAC addresses that can be learned on an interface.

By default, only one MAC address can be learned on an interface.

Parameters

  • max-number: Specifies the maximum number of secure MAC addresses that can be learned by an interface. The value is an integer that ranges from 1 to 1024.

Usage Guidelines

Usage Scenario

After enabling port security on an interface, you can run the port-security max-mac-num command to limit the number of MAC addresses that the interface can learn. If the switch receives packets with a source MAC address that does not exist in the secure MAC table after the number of secure MAC addresses has reached the limit, the switch considers the packets to be sent from an unauthorized user, regardless of whether the destination MAC address of the packets is valid, and takes the action configured using the command on the interface. This prevents untrusted users from accessing these interfaces, improving the security of the switch and the network.

Prerequisites

Port security has been enabled by using the command on the interface.

Precautions

  • The total number of MAC addresses on interfaces enabled with port security cannot exceed 4096. For example, if interfaces 1, 2, 3, and 4 have each learned 1000 MAC addresses, interface 5 can learn a maximum of 96 MAC addresses.
  • If the sticky MAC function is disabled, max-number limits the number of secure dynamic MAC addresses learned by the interface and secure static MAC addresses configured manually.
  • If the sticky MAC function is enabled, max-number limits the number of sticky MAC addresses learned by the interface, and sticky MAC addresses and secure static MAC addresses configured manually.
  • If you run the port-security max-mac-num command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the maximum number of MAC addresses that can be learned by GigabitEthernet0/0/1 to 5.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 5

BPDU Skew Detection

Feature Description

STP operation depends heavily on the timely reception of BPDUs. At every hello_time interval (every 2 seconds by default) the root bridge sends BPDUs. Non-root bridges do not generate new BPDUs for each hello_time; they receive BPDUs relayed from the root bridge. Therefore every non-root bridge should receive BPDUs in every VLAN at every hello_time. In some cases BPDUs are lost, or the bridge CPU is too busy to relay BPDUs in time. These and other problems can cause BPDUs to arrive late (if they arrive at all). This can destabilize the STP topology.

BPDU skew detection lets the switch track late BPDUs and notify the administrator with syslog messages. For every port on which a BPDU has ever been late (or skewed), the skew detection feature reports the most recent skew and its duration. It also reports the maximum BPDU skew duration for that particular port.

To protect the bridge CPU from overload, a syslog message is not generated for every skewed BPDU. Message generation is rate-limited to one message every 60 seconds. However, if the BPDU skew exceeds max_age divided by 2 (10 s by default), the message is printed immediately.

Note: BPDU skew detection is a diagnostic feature. When it detects skewed BPDUs it sends a syslog message. BPDU skew detection takes no other corrective action.

Example of a syslog message generated by BPDU skew detection:

Configuration Notes

BPDU skew detection is configured on each switch individually. The feature is disabled by default. To enable BPDU skew detection, run the following command:

To display BPDU skew detection information, use the show spantree bpdu-skewing <vlan>|<mod/port> command, as shown in the following example:
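The skew tracking and rate-limiting logic described above, as an added example that is not part of the original document or Cisco's code: one timer per port and VLAN, a BPDU arriving more than hello_time after the previous one counts as skewed, syslog is limited to one message per 60 s, and a skew above max_age/2 is logged at once. The message text and the per-port (rather than switch-wide) rate limiting are assumptions.

```python
# Model of BPDU skew detection: added example, not Cisco code.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HELLO_TIME = 2.0   # seconds between BPDUs from the root bridge (default)
MAX_AGE = 20.0     # STP max_age (default); a skew above MAX_AGE / 2 is logged at once
RATE_LIMIT = 60.0  # at most one syslog message per port in this many seconds (assumption: per port)


@dataclass
class SkewState:
    last_bpdu: Optional[float] = None   # arrival time of the previous BPDU
    last_skew: float = 0.0              # duration of the most recent skew
    max_skew: float = 0.0               # largest skew seen on this port
    last_log: Optional[float] = None    # time of the last syslog message


class BpduSkewDetector:
    def __init__(self, hello_time: float = HELLO_TIME, max_age: float = MAX_AGE,
                 rate_limit: float = RATE_LIMIT) -> None:
        self.hello_time = hello_time
        self.max_age = max_age
        self.rate_limit = rate_limit
        self.ports: Dict[Tuple[str, int], SkewState] = {}
        self.syslog = []   # (time, message) in emission order

    def bpdu_received(self, port: str, vlan: int, now: float) -> Optional[str]:
        """Record a BPDU arriving on (port, vlan) at time `now`.

        The BPDU is skewed when it arrives more than hello_time after the previous one.
        Returns the syslog message emitted for this BPDU, or None when nothing is logged."""
        st = self.ports.setdefault((port, vlan), SkewState())
        msg = None
        if st.last_bpdu is not None:
            skew = (now - st.last_bpdu) - self.hello_time
            if skew > 0:
                st.last_skew = skew
                st.max_skew = max(st.max_skew, skew)
                urgent = skew > self.max_age / 2              # bypasses the rate limit
                rate_ok = st.last_log is None or now - st.last_log >= self.rate_limit
                if urgent or rate_ok:
                    # Constructed message format; the real text is not shown on this page.
                    msg = (f"SPANTREE: BPDU skew on port {port} vlan {vlan}: "
                           f"{skew:.1f}s late (max {st.max_skew:.1f}s)")
                    self.syslog.append((now, msg))
                    st.last_log = now
        st.last_bpdu = now
        return msg

    def report(self, port: str, vlan: int) -> dict:
        """The per-port summary that 'show spantree bpdu-skewing' presents."""
        st = self.ports.get((port, vlan), SkewState())
        return {"last_skew": st.last_skew, "max_skew": st.max_skew}
```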

port-security static-flapping protect

Function

The port-security static-flapping protect command enables static MAC address flapping detection.

The undo port-security static-flapping protect command disables static MAC address flapping detection.

By default, static MAC address flapping detection is disabled.

Usage Guidelines

Usage Scenario

Secure MAC addresses are also static MAC addresses. When an interface receives a packet whose source MAC address exists in the static MAC table of another interface, the interface discards this packet. This affects customer services. For example, when PC 1 connects to GE0/0/1 where sticky MAC is enabled, the sticky MAC table of GE0/0/1 includes PC 1's MAC address. When PC 1 is disconnected from GE0/0/1 and connected to GE0/0/2, GE0/0/2 discards the packets from PC 1. In this situation, you can enable static MAC address flapping detection. The interface will then take the configured action.

Precautions

Static MAC address flapping detection is supported only on interfaces with port security enabled.

Example

# Enable static MAC address flapping detection.

<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect

undo mac-address security

Function

The undo mac-address security command deletes secure MAC address entries. Secure MAC address entries include dynamic and static secure MAC address entries and sticky MAC address entries.

Parameters

  • interface-type interface-number: Specifies the outbound interface in a secure MAC address entry to be deleted.
  • vlan vlan-id: Specifies the VLAN ID in a secure MAC address entry to be deleted. The value is an integer that ranges from 1 to 4094.
  • sec-config: Deletes static secure MAC address entries.
  • security: Deletes dynamic secure MAC address entries, that is, MAC address entries learned by an interface enabled with port security.
  • sticky: Deletes sticky MAC address entries, that is, MAC address entries learned by an interface enabled with the sticky MAC function.

Usage Guidelines

After port security is enabled on an interface, dynamic MAC address entries learned by the interface turn into secure MAC address entries. Secure MAC address entries are not aged out. After the number of MAC address entries learned by an interface reaches the limit, the interface cannot learn new MAC address entries. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command can delete useless secure MAC address entries to release MAC address table space.

You can delete some of the secure MAC address entries as required. For example:

  • If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
  • If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.

Example

# Delete all static secure MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address sec-config

# Delete all dynamic secure MAC address entries on gigabitethernet0/0/1.

<HUAWEI> system-view
[HUAWEI] undo mac-address security gigabitethernet 0/0/1

# Delete all sticky MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address sticky

Overview of Configure Switch Port Security

You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

After the maximum number of secure MAC addresses is configured, they are stored in an address table. To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the attached device and set the maximum number of addresses to one, which is the default.

A security violation occurs if the maximum number of secure MAC addresses has been added to the address table and a workstation whose MAC address is not in the address table attempts to access the interface.

You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs:

  • Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP notification to be generated. The rate at which SNMP traps are generated can be controlled by the snmp-server enable traps port-security trap-rate command. The default value (“0”) causes an SNMP trap to be generated for every security violation.
  • Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

You can also customize the time to recover from the specified error-disable cause (default is 300 seconds) by entering the errdisable recovery interval command.

Source: Cisco

Port Security Guidelines and Restrictions

When configuring port security, follow these guidelines:

  • To bring a secure port out of the error-disabled state with the default port security configuration, enter the errdisable recovery cause shutdown global configuration command, or manually reenable it by entering the shutdown and no shutdown interface configuration commands.
  • Enter the clear port-security dynamic global configuration command to clear all dynamically learned secure addresses. See the Cisco 7600 Series Router Cisco IOS Command Reference, for complete syntax information.
  • Port security learns authorized MAC addresses with a bit set that causes traffic to them or from them to be dropped. The show mac-address-table command displays the unauthorized MAC addresses, but does not display the state of the bit. (CSCeb76844)
  • To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload and after the dynamically learned sticky MAC addresses have been learned, you must enter a write memory or copy running-config startup-config command to save them in the startup-config file.
  • Port security supports private VLAN (PVLAN) ports.
  • Port security supports nonnegotiating trunks.

    – Port security only supports trunks configured with these commands:

      switchport
      switchport trunk encapsulation
      switchport mode trunk
      switchport nonegotiate

    – If you reconfigure a secure access port as a trunk, port security converts all the sticky and static secure addresses on that port that were dynamically learned in the access VLAN to sticky or static secure addresses on the native VLAN of the trunk. Port security removes all secure addresses on the voice VLAN of the access port.

    – If you reconfigure a secure trunk as an access port, port security converts all sticky and static addresses learned on the native VLAN to addresses learned on the access VLAN of the access port. Port security removes all addresses learned on VLANs other than the native VLAN.

    Note Port security uses the VLAN ID configured with the switchport trunk native vlan command for both IEEE 802.1Q trunks and ISL trunks.

  • Port security supports trunks.
  • Port security supports IEEE 802.1Q tunnel ports.
  • Port security does not support Switch Port Analyzer (SPAN) destination ports.
  • Port security does not support EtherChannel port-channel interfaces.
  • Port security and 802.1X port-based authentication cannot both be configured on the same port:

    – If you try to enable 802.1X port-based authentication on a secure port, an error message appears and 802.1X port-based authentication is not enabled on the port.

Port Security Guidelines and Restrictions

When configuring port security, follow these guidelines:

  • With the default port security configuration, to bring all secure ports out of the error-disabled state, enter the errdisable recovery cause psecure-violation global configuration command, or manually reenable the port by entering the shutdown and no shutdown interface configuration commands.
  • Enter the clear port-security dynamic global configuration command to clear all dynamically learned secure addresses. See the Cisco IOS Master Command List for complete syntax information.
  • Port security learns unauthorized MAC addresses with a bit set that causes traffic to them or from them to be dropped. The show mac-address-table command displays the unauthorized MAC addresses, but does not display the state of the bit. (CSCeb76844)
  • To preserve dynamically learned sticky MAC addresses and configure them on a port following a bootup or a reload and after the dynamically learned sticky MAC addresses have been learned, you must enter a write memory or copy running-config startup-config command to save them in the startup-config file.
  • Port security supports private VLAN (PVLAN) ports.
  • Port security supports IEEE 802.1Q tunnel ports.
  • Port security does not support Switch Port Analyzer (SPAN) destination ports.
  • Port security does not support EtherChannel port-channel interfaces.
  • With Cisco IOS Release 12.2(33)SXH and later releases, you can configure port security and 802.1X port-based authentication on the same port. With releases earlier than Cisco IOS Release 12.2(33)SXH:

    – If you try to enable 802.1X port-based authentication on a secure port, an error message appears and 802.1X port-based authentication is not enabled on the port.

    – If you try to enable port security on a port configured for 802.1X port-based authentication, an error message appears and port security is not enabled on the port.

  • Port security supports nonnegotiating trunks.

    – Port security only supports trunks configured with these commands:

      switchport
      switchport trunk encapsulation
      switchport mode trunk
      switchport nonegotiate

    – If you reconfigure a secure access port as a trunk, port security converts all the sticky and static secure addresses on that port that were dynamically learned in the access VLAN to sticky or static secure addresses on the native VLAN of the trunk. Port security removes all secure addresses on the voice VLAN of the access port.

    – If you reconfigure a secure trunk as an access port, port security converts all sticky and static addresses learned on the native VLAN to addresses learned on the access VLAN of the access port. Port security removes all addresses learned on VLANs other than the native VLAN.

    Note Port security uses the VLAN ID configured with the switchport trunk native vlan command for both IEEE 802.1Q trunks and ISL trunks.

  • Take care when you enable port security on the ports connected to adjacent switches when there are redundant links running between the switches, because port security might error-disable the ports due to port security violations.
  • Flex Links and port security are not compatible with each other.

Displaying Port Security Settings

To display port security settings, enter this command:

Command: Router# show port-security [interface {{vlan vlan_ID} | {type slot/port}}] [address]

Purpose: Displays port security settings for the switch or for the specified interface.

type = fastethernet, gigabitethernet, or tengigabitethernet

When displaying port security settings, note the following information:

  • Port security supports the vlan keyword only on trunks.
  • Enter the address keyword to display secure MAC addresses, with aging information for each address, globally for the switch or per interface.
  • The display includes these values:

    – The maximum allowed number of secure MAC addresses for each interface
    – The number of secure MAC addresses on the interface
    – The number of security violations that have occurred
    – The violation mode

This example displays output from the show port-security command when you do not enter an interface:

Router# show port-security
Secure Port      MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)        (Count)      (Count)
----------------------------------------------------------------------------
     Fa5/1           11            11            0            Shutdown
     Fa5/5           15            5             0            Restrict
     Fa5/11          5             4             0            Protect
----------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

This example displays output from the show port-security command for a specified interface:

Router# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

This example displays the output from the show port-security address privileged EXEC command:

Router# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1      15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1      15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1      16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1      -
   1    0001.0001.1113    SecureConfigured    Fa5/1      -
   1    0005.0005.0001    SecureConfigured    Fa5/5      23
   1    0005.0005.0002    SecureConfigured    Fa5/5      23
   1    0005.0005.0003    SecureConfigured    Fa5/5      23
   1    0011.0011.0001    SecureConfigured    Fa5/11     25 (I)
   1    0011.0011.0002    SecureConfigured    Fa5/11     25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128

Prerequisites

Requirements

This document requires a general knowledge of STP. For more information about how STP works, see Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches.

Caution! Use this document as a reference for resolving network problems only if you are familiar with the relevant process yourself or have an experienced consultant with that knowledge. Making changes without understanding how STP works can cause problems of the following kinds:

  • Instability
  • Application slowdowns
  • CPU load spikes
  • LAN outage

For more information and reference on all the parameters discussed in this document, see IEEE 802.1D Standard for Local and Metropolitan Area Networks (LAN and MAN): MAC Bridges (clause 8).

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, see Cisco Technical Tips Conventions.

Feature Description

STP converts a meshed topology into a loop-free tree structure. When a link comes up on a bridge port, an STP calculation is performed on that port. The result of the calculation is the transition of the port into the forwarding or blocking state. This result depends on the position of the port in the network and on the STP parameters. The calculation and transition period usually take between 30 and 50 seconds. During this time no user data passes through the port. Some user applications may time out during this period.

To make a port transition to the forwarding state immediately, enable the STP PortFast feature. PortFast puts the port into STP forwarding mode immediately after the link comes up. The port still participates in STP. Thus, if the port is to be part of a loop, it eventually transitions into the STP blocking state.

Because the port participates in STP, some device can take over the root bridge role and affect the active STP topology. To take over the root bridge role, the device has to connect to the port and run STP with a bridge priority lower than that of the current root bridge. If another device takes over the root bridge role in this way, it brings the network into a suboptimal state. This is a simple form of a denial-of-service (DoS) attack on the network. Temporarily introducing and then removing STP devices with a low (0) bridge priority causes constant STP recalculation.

The new STP PortFast BPDU guard feature lets network designers enforce the borders of the STP domain and keep the active topology predictable. Devices behind ports with STP PortFast enabled cannot influence the STP topology. On receipt of a BPDU, the BPDU guard operation disables the port operating in PortFast mode. BPDU guard puts the port into the errdisable state and prints a message on the console. For example, the message may look like this:

Consider the following example:

Figure 1

Bridge A has priority 8192 and is the root for the VLAN. Bridge B has priority 16384 and is the backup root bridge for the same VLAN. Bridges A and B, connected by a Gigabit Ethernet link, form the core of the network. Bridge C is an access switch and has a port operating in PortFast mode that connects it to device D. If the other STP parameters are default, the port on bridge C that connects to bridge B is in the STP blocking state. Device D (a PC) is not part of STP. The dashed arrows show the direction of STP BPDU flow.

Figure 2

In Figure 2, device D becomes part of STP. For example, a Linux-based bridge application is running on the PC. If the software bridge priority is 0 or lower than the priority of the root bridge, the software bridge takes over the root bridge role. The Gigabit Ethernet link connecting the two core switches transitions into blocking mode. This causes all data in that VLAN to flow through a 100 Mbit/s link. If more data passes through the core of that VLAN than the link can carry, some frames are dropped. Dropped frames lead to a loss of connectivity.

The STP PortFast BPDU guard feature prevents such a situation. It disables the port at the very moment bridge C receives an STP BPDU from device D.

Understanding Port Security

These sections describe port security:

Port Security with Dynamically Learned and Static MAC Addresses

You can use port security with dynamically learned and static MAC addresses to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.

A security violation occurs in either of these situations:

  • When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.
  • If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation mode.

Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.

See the for more information about the violation modes.

After you have set the maximum number of secure MAC addresses on a port, port security includes the secure addresses in the address table in one of these ways:

  • You can statically configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
  • You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
  • You can statically configure a number of addresses and allow the rest to be dynamically configured.

If the port has a link-down condition, all dynamically learned addresses are removed.

Following bootup, a reload, or a link-down condition, port security does not populate the address table with dynamically learned MAC addresses until the port receives ingress traffic.

A security violation occurs if the maximum number of secure MAC addresses have been added to the address table and the port receives traffic from a MAC address that is not in the address table.

You can configure the port for one of three violation modes: protect, restrict, or shutdown. See the .

To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.

Port Security with Sticky MAC Addresses

Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.

If you enter a write memory or copy running-config startup-config command, then port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup-config file and the port does not have to learn addresses from ingress traffic after bootup or a restart.

Port Security with IP Phones

Figure 62-1 shows an application in which a device connects to the switch through the data port of an IP phone.

Figure 62-1 Device Connected Through IP Phone

Because the device is not directly connected to the switch, the switch cannot physically detect a loss of port link if the device is disconnected. Later Cisco IP phones send a Cisco Discovery Protocol (CDP) host presence type length value (TLV) to notify the switch of changes in the attached device’s port link state. With Cisco IOS Release 12.2(33)SXI and later releases, the switch recognizes the host presence TLV. Upon receiving a host presence TLV notification of a link down on the IP phone’s data port, port security removes from the address table all static, sticky, and dynamically learned MAC addresses. The removed addresses are added again only when the addresses are learned dynamically or configured.
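The behaviour described in the overview and in the sections above (maximum address count, the protect/restrict/shutdown violation modes, MAC move violations, sticky learning, link-down versus IP phone host-presence handling, and what write memory preserves across a reload) as a small executable model. This is an added example, not Cisco code; the class and method names are hypothetical, and all modelled ports are assumed to sit in one VLAN.

```python
# Executable model of the port-security behaviour described on this page.
# Added example, not Cisco code; class and method names are hypothetical.
# Only the secure address table is modelled across reloads; port settings are assumed saved.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict

class Mode(Enum):
    PROTECT = "protect"    # drop the frame silently
    RESTRICT = "restrict"  # drop, increment SecurityViolation, send an SNMP trap
    SHUTDOWN = "shutdown"  # drop, increment the counter, err-disable the port (default)

class Kind(Enum):
    STATIC = "SecureConfigured"
    DYNAMIC = "SecureDynamic"
    STICKY = "SecureSticky"

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # default: one secure address
    mode: Mode = Mode.SHUTDOWN
    sticky: bool = False              # switchport port-security mac-address sticky
    table: Dict[str, Kind] = field(default_factory=dict)
    violations: int = 0               # SecurityViolation counter
    traps: int = 0                    # trap-rate 0: one SNMP trap per violation
    err_disabled: bool = False

class Switch:
    """All ports are assumed to be in one VLAN, so a secure MAC seen on two ports is a MAC move."""

    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.startup: Dict[str, Dict[str, Kind]] = {}   # entries saved by write memory

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def configure_static(self, name: str, mac: str) -> None:
        """switchport port-security mac-address <mac>; rejected once the table is full."""
        port = self.ports[name]
        if mac not in port.table and len(port.table) >= port.maximum:
            raise ValueError(f"{name}: maximum of {port.maximum} secure addresses reached")
        port.table[mac] = Kind.STATIC

    def _violate(self, port: SecurePort) -> bool:
        """Apply the configured violation mode; the offending frame is always dropped."""
        if port.mode is Mode.RESTRICT:
            port.violations += 1
            port.traps += 1
        elif port.mode is Mode.SHUTDOWN:
            port.violations += 1
            port.err_disabled = True
        return False

    def ingress(self, name: str, mac: str) -> bool:
        """A frame with source `mac` arrives on port `name`; True when it is forwarded."""
        port = self.ports[name]
        if port.err_disabled:
            return False
        if any(mac in p.table for p in self.ports.values() if p is not port):
            return self._violate(port)               # MAC move violation
        if mac in port.table:
            return True
        if len(port.table) >= port.maximum:
            return self._violate(port)               # table full and unknown source
        port.table[mac] = Kind.STICKY if port.sticky else Kind.DYNAMIC
        return True

    def set_sticky(self, name: str, enabled: bool) -> None:
        """Enabling converts dynamic entries to sticky; disabling converts them back."""
        port = self.ports[name]
        port.sticky = enabled
        src, dst = (Kind.DYNAMIC, Kind.STICKY) if enabled else (Kind.STICKY, Kind.DYNAMIC)
        port.table = {m: (dst if k is src else k) for m, k in port.table.items()}

    def link_down(self, name: str, host_presence_tlv: bool = False) -> None:
        """A physical link-down removes dynamic entries only; a CDP host-presence link-down
        reported by an IP phone's data port removes static, sticky and dynamic entries."""
        gone = set(Kind) if host_presence_tlv else {Kind.DYNAMIC}
        port = self.ports[name]
        port.table = {m: k for m, k in port.table.items() if k not in gone}

    def errdisable_recover(self, name: str) -> None:
        """errdisable recovery cause psecure-violation, or shutdown followed by no shutdown."""
        self.ports[name].err_disabled = False

    def write_memory(self) -> None:
        """Static and sticky entries are part of the running config; save them to startup."""
        self.startup = {n: {m: k for m, k in p.table.items() if k is not Kind.DYNAMIC}
                        for n, p in self.ports.items()}

    def reload(self) -> None:
        """Only what write memory saved survives; everything else must be relearned."""
        for n, p in self.ports.items():
            p.table = dict(self.startup.get(n, {}))
            p.err_disabled = False
```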