09-26-2015 08:23 AM - edited 02-21-2020 05:35 AM
The environment I work in uses the following:
switchport port-security
switchport port-security maximum #
switchport port-security aging time 2
and in my CCNA class they talk about using switchport port-security mac-address sticky (may or may not be the right syntax). Does this sticky command have to be enabled for proper use of the above commands, or is it enabled by default so the switch learns the addresses and forgets them in 2 minutes?
Solved!
10-01-2015 12:39 AM
Yes, as soon as 3 MACs are seen the port will shut. Also, you should use errdisable recovery for psecure-violation and security violation, so when it happens the port shuts, but when the 3rd MAC is removed the port comes back up; otherwise you will be going around manually bringing ports back online.
I wouldn't use sticky in your scenario. Sticky learns dynamic MACs and puts them in the secure table, basically making them static, so only 2 and that's it will be able to join until you clear the port-security. Without sticky, any 2 MACs will continuously be able to join the port. It depends: if you know the first 2 MACs that join the port will always be there, then sticky is good; if different MACs are constantly joining but only 2 at a time, then don't use sticky.
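The configuration the accepted answer describes, written out as an added example (it is not code from the thread or from Cisco's documentation). The interface names and the 300-second recovery interval are assumed placeholders; everything else is standard IOS port-security syntax.

```cisco
! Added example, not from the thread. Assumed placeholders:
! GigabitEthernet1/0/1, GigabitEthernet1/0/2 and the 300-second interval.
!
! --- Dynamic (non-sticky) port security: any 2 MACs at a time, aged out ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 ! The default aging type is absolute: an entry is removed 2 minutes after
 ! it was learned even if the host is still sending. "inactivity" removes it
 ! only when no traffic from that MAC has been seen for 2 minutes.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! --- Sticky variant, for a port whose first 2 hosts never change ---
! Learned MACs are written into the running configuration as static secure
! addresses, so no aging commands are used here; save the configuration
! afterwards or the learned entries are lost on reload.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! --- Automatic recovery from a violation (global configuration) ---
! Without this a violated port stays err-disabled until an administrator
! does "shutdown" / "no shutdown" on it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To verify, `show port-security interface GigabitEthernet1/0/1` reports the maximum, the current count, the aging type and the violation counter; `show port-security address` lists the secure MACs and whether each is dynamic, sticky or static; `show errdisable recovery` confirms the cause and interval. Note that recovery only re-enables the port after the interval; if the third MAC is still attached when the port comes back, it is shut down again, which is the behaviour the accepted answer describes.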
09-28-2015 02:37 AM
MAC address sticky binds the MAC address learnt to the port, or you can configure a sticky MAC (makes it static). You would not usually specify an aging timer if you're using sticky, as you don't want that MAC to be removed; you want it to stick to the port and be static. This is an optional command and can be used separately or in conjunction with other port-security commands.
The command would need to be enabled. Check this link:
http://www.freeccnaworkbook.com/workbooks/ccna/configuring-sticky-switchport-security
09-30-2015 03:01 PM
OK
So without the sticky command, the switch can still learn a MAC address for 2 minutes and shut down when 2+ devices connect.
This situation is usually set up in the dorm rooms of campus. I guess previous management wanted to limit MAC addresses, so spoofing can be harder. In my CCNA classes they said to always use sticky MAC addresses. An example for a port on campus is:
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 2
switchport port-security violation shutdown (I know this is the default.)
10-04-2015 06:07 AM
Hi,
Check out the definitions below for the port security features.
Switch(config-if)#switchport port-security | Enable the port security feature on this port
Switch(config-if)#switchport port-security maximum 1 | Set the limit for hosts that can be associated with the interface. The default value is 1; skip this command to use the default.
Switch(config-if)#switchport port-security violation shutdown | Set the security violation mode. The default mode is shutdown; skip this command to use the default.
Switch(config-if)#switchport port-security mac-address sticky | Enable the sticky feature.
With the sticky feature, the interface learns MAC addresses automatically till it reaches the maximum number of allowed hosts.
The aging time command means: at the end of the timer it clears the MAC from the CAM table; with inactivity aging, if it hasn't seen any traffic sourced from this MAC on this port within the timer value, it clears the MAC from the CAM table.
Hope it Helps..
-GI
Rate if it Helps..