Port-security

M.Sultan

Dear guys,

#interface fast 0/2
#switchport mode access
#switchport port-security violation shutdown
#switchport port-security maximum 1
#switchport port-security mac-address sticky
#switchport port-security aging type absolute
#switchport port-security aging time 1
#switchport port-security
#do wr

I configured port security on interface fast0/2 on the switch. According to the aging type and time, after 1 minute the switch must error-disable the port and drop the traffic, but nothing happens. Please help me resolve it.

Best wishes

Sultan

22 Replies

Why errdisable?

After 1 min, using aging (you need to add static since you use sticky), the port relearns the MAC; it does not go to errdisable.

MHM

Aging time because I want to give access to a guest via the switch, so I define a 1 minute time limit; after 1 minute the switchport must go error-disabled.

Aging type is Absolute!

Even if it is absolute, the aging will make the switch remove the MAC from the port and learn a new one.

You want the host disconnected after a specific time. I think you cannot do that with port security; you need 802.1x for this task.

MHM


I read in a Cisco book that there are two aging types: Absolute and Inactivity. Once one of these is configured along with a specific time, the port must go to error-disable, regardless of changing the MAC on that port!!!

Can you share the Cisco book name? Let me check it.

MHM

[attached image: MSultan_0-1703978034900.png]


31 Days Before Your CCNA Exam book.

Yes friend,

I read the page, and as I mentioned before, it talks about removing the MAC from the table and making the port learn a new MAC.

There is no mention of errdisable.

MHM

Exactly, absolute and inactivity! Once the MAC is removed from the current secure addresses I can still communicate with the other PC; it just removed the MAC from the current secure addresses, nothing else. It seems very useless, or am I wrong?

No, it is not useless.

You have a switch and you configure port security; then your host PC is moved, and you are the admin.

Without aging you need to shut/no shut the port to make the port learn the new MAC.

With aging, after the specific time the port clears the MAC and learns the new MAC without the admin needing to shut/no shut the port.

MHM

Switch#show port-security interface ethernet 0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.68e7:1
Security Violation Count : 0

Right, I manually added the MAC address to the port, and after 1 min the switch must not try to relearn a new MAC address because it's not sticky. I'm confused, mate.

switchport port-security aging type absolute <- this is for aging dynamic MACs

But you configured sticky (which is a static MAC), so you need

switchport port-security aging static type absolute

MHM


#int fast0/1
#switchport mode access
#switchport port-security violation shutdown
#switchport port-security maximum 1
#switchport port-security mac-address sticky
#switchport port-security aging type absolute
#switchport port-security aging time 1
#switchport port-security


With this config I expect the switch, after 1 min, to release the sticky (dynamically learnt) MAC of PC1 and learn the new MAC from PC2.

But when I swap the ports, the interface goes error-disabled.

I'm deeply confused about how aging time works. Please explain it simply and walk through the output so I can understand it.

There are two types of MAC in port security:

1- dynamic

2- static: a- MAC manually added to the port, b- sticky

So sticky is static, not dynamic; it really learns the MAC dynamically, but it is added to port security as a static MAC.

Now for port security aging you need to specify static to make port security age static MAC entries (via sticky):

***switchport port-security aging {static | time time | type {absolute | inactivity}}

MHM
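The exchange above is easier to follow with a runnable model, so here is an added example that is not part of the original thread and is not Cisco code. It models the three kinds of secure MAC the last reply lists (dynamic, manually added static, sticky) and the aging rules the replies describe: dynamic entries age out after the configured time, static and sticky entries age only when `switchport port-security aging static` is also configured (the syntax line quoted above shows `static` and `type` as separate keywords, so that is a second command beside `aging type absolute`), an aged-out entry is simply relearned, and a violation (err-disable with `violation shutdown`) only happens when a different source MAC arrives while the table is already full. The MAC addresses, timeline and the `run`/`poster_config`/`with_aging_static`/`inactivity_with_active_host` helpers are constructed for the example. One caveat to check before relying on this in production: some Catalyst configuration guides state that sticky secure addresses are never aged, so verify `SecureStatic Address Aging` behaviour on your own platform with `show port-security interface`.

```python
"""Model of IOS port-security aging (added example, not Cisco code).

Time is in seconds; 'aging time' is in minutes, as on the CLI.
"""
from dataclasses import dataclass

PC1 = "0050.7966.68e7"   # constructed sample MACs
PC2 = "0050.7966.68e8"


@dataclass
class SecureMac:
    mac: str
    kind: str          # "dynamic", "static" (manual) or "sticky"
    learned_at: float  # reference point for 'aging type absolute'
    last_seen: float   # reference point for 'aging type inactivity'


class PortSecurity:
    """One access port with port-security enabled (hypothetical model)."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False,
                 aging_time=0, aging_type="absolute", aging_static=False):
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.aging_time = aging_time        # minutes; 0 = aging disabled
        self.aging_type = aging_type        # "absolute" or "inactivity"
        self.aging_static = aging_static    # 'aging static' configured?
        self.table = {}                     # mac -> SecureMac
        self.status = "secure-up"
        self.violation_count = 0

    def age(self, now):
        """Expire secure MACs whose timer ran out; return the MACs removed."""
        if self.aging_time == 0:
            return []
        expired = []
        for entry in list(self.table.values()):
            # Static and sticky entries are untouched unless 'aging static' is set.
            if entry.kind != "dynamic" and not self.aging_static:
                continue
            ref = entry.learned_at if self.aging_type == "absolute" else entry.last_seen
            if now - ref >= self.aging_time * 60:
                expired.append(entry.mac)
                del self.table[entry.mac]
        return expired

    def frame(self, src_mac, now):
        """Ingress frame: 'forward', 'learn', 'violation' or 'err-disabled'."""
        if self.status != "secure-up":
            return "err-disabled"
        self.age(now)
        if src_mac in self.table:
            self.table[src_mac].last_seen = now
            return "forward"
        if len(self.table) >= self.maximum:
            # Table full and a different MAC showed up: this is the violation.
            self.violation_count += 1
            if self.violation == "shutdown":
                self.status = "secure-shutdown"   # port goes err-disabled
            return "violation"
        kind = "sticky" if self.sticky else "dynamic"
        self.table[src_mac] = SecureMac(src_mac, kind, now, now)
        return "learn"

    def show(self):
        """Subset of the 'show port-security interface' fields."""
        return {
            "Port Status": self.status,
            "Aging Time": f"{self.aging_time} mins",
            "Aging Type": self.aging_type.capitalize(),
            "SecureStatic Address Aging": "Enabled" if self.aging_static else "Disabled",
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.table),
            "Sticky MAC Addresses": sum(e.kind == "sticky" for e in self.table.values()),
            "Security Violation Count": self.violation_count,
        }


def run(port):
    """Constructed timeline: PC1 at t=0 and t=50 s, then PC2 is plugged in at t=100 s."""
    port.frame(PC1, 0)
    port.frame(PC1, 50)
    return port.frame(PC2, 100), port.status


def poster_config():
    """Thread's config: sticky, 'aging time 1', 'aging type absolute', no 'aging static'."""
    return run(PortSecurity(sticky=True, aging_time=1, aging_type="absolute"))


def with_aging_static():
    """Same plus 'aging static': PC1 ages out at 60 s, so PC2 is learned, not a violation."""
    return run(PortSecurity(sticky=True, aging_time=1, aging_type="absolute", aging_static=True))


def inactivity_with_active_host():
    """'aging type inactivity': PC1 was seen at 50 s, so it has not aged at 100 s; PC2 violates."""
    return run(PortSecurity(sticky=True, aging_time=1, aging_type="inactivity", aging_static=True))


if __name__ == "__main__":
    for scenario in (poster_config, with_aging_static, inactivity_with_active_host):
        print(f"{scenario.__name__:28s} -> {scenario()}")
```

The first scenario reproduces the swap-ports result from the post above: the sticky entry for PC1 never ages, the table stays full, and PC2's first frame is the violation that err-disables the port. The second shows what `aging static` changes, and the third shows why `inactivity` is the wrong type for the "kick the guest after a minute" goal when the guest keeps sending traffic. Neither variant ever err-disables the port on a timer alone, which is the point the replies keep making.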
