Removing a MAC Address from the Authorized list for a port

This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. An Authorized Address list is available for each port for which Learn Mode is currently set to "Static". See the command syntax listing under Configuring port security.

CAUTION:

When learn mode is set to static, the Address Limit (address-limit) parameter controls how many devices are allowed in the Authorized Addresses (mac-address) list for a given port. If you remove a MAC address from the Authorized Addresses list without also reducing the Address Limit by 1, the port may subsequently detect and accept as authorized a MAC address that you do not intend to include in your Authorized Address list. Thus, if you use the CLI to remove a device that is no longer authorized, it is recommended that you first reduce the Address Limit (address-limit) integer by 1, as shown below. This prevents the same device, or another unauthorized device on the network, from automatically being accepted as "authorized" for that port.

To remove a device (MAC address) from the "Authorized" list when the current number of devices equals the Address Limit value, first reduce the Address Limit value by 1, then remove the unwanted device.

NOTE:

You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the "Authorized" list without opening the possibility for an unwanted device to automatically become authorized.

Example

Suppose port A1 is configured as shown below and you want to remove 0c0090-123456 from the Authorized Address list:

Two authorized addresses on port A1

The following commands serve this purpose by reducing the Address Limit to 1 and removing 0c0090-123456:

switch(config)# port-security a1 address-limit 1
switch(config)# no port-security a1 mac-address 0c0090-123456

The above command sequence results in the following configuration for port A1:

Port A1 after removing one MAC address
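
The ordering rule from the CAUTION above can be checked before any change is pushed to a switch. The following Python sketch is an added example, not part of the original documentation or the vendor's tooling: it takes a port's current Address Limit and Authorized Addresses list and returns the commands in the safe order, with a warning when a free slot would still remain. The function name, the minimum limit of 1, and the second MAC address in the sample are assumptions.

```python
import re

# MAC notation used on this page, e.g. 0c0090-123456
MAC_RE = re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$")
MIN_LIMIT = 1  # assumption: address-limit cannot be set below 1


def plan_mac_removal(port, address_limit, authorized, mac):
    """Return (commands, warnings) for removing `mac` from a static-mode port.

    The Address Limit is lowered before the MAC is removed, so the port never
    has a free slot in which it could learn a new device.
    """
    mac = mac.lower()
    authorized = [m.lower() for m in authorized]
    if not MAC_RE.match(mac):
        raise ValueError(f"unexpected MAC format: {mac!r}")
    if mac not in authorized:
        raise ValueError(f"{mac} is not authorized on port {port}")

    commands, warnings = [], []
    remaining = len(authorized) - 1  # authorized devices left after removal
    if address_limit > remaining:  # removal would leave at least one free slot
        new_limit = address_limit - 1
        if new_limit < MIN_LIMIT:
            warnings.append(f"{port}: limit already {address_limit}; the port "
                            "can learn the next device it detects")
        else:
            commands.append(f"port-security {port} address-limit {new_limit}")
            if new_limit > remaining:
                warnings.append(f"{port}: {new_limit - remaining} unused "
                                "slot(s) remain after removal")
    # else: the limit is already below the authorized count, nothing to lower
    commands.append(f"no port-security {port} mac-address {mac}")
    return commands, warnings


if __name__ == "__main__":
    # Port A1 from the example; the second address is constructed.
    cmds, warns = plan_mac_removal(
        "a1", 2, ["0c0090-123456", "0c0090-aaaaaa"], "0c0090-123456")
    print("\n".join(cmds + warns))
```
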

Specifying MAC Address and intrusion responses

This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. The default device limit is 1. It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.

switch(config)# port-security a1 learn-mode static action send-disable

The next example does the same as the preceding example, except that it specifies a MAC address of 0c0090-123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device.

switch(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable

This example configures port A5 to:
  • Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices.

  • Send an alarm to a management station if an intruder is detected on the port, but allow the intruder access to the network.

switch(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm

If you manually configure authorized devices (MAC addresses) and an alarm action on a port, those settings remain unless you either manually change them or the switch is reset to its factory-default configuration. You can "turn off" authorized devices on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores those authorized devices.