Port-security

M.Sultan
Spotlight

Dear guys,

#inter fast 0/2
#switchport mode access
#switchport port-security violation shutdown
#switchport port-security maximum 1
#switchport port-security mac-address sticky
#switchport port-security aging type absolute
#switchport port-security aging time 1
#switchport port-security
#do wr

I configured port security for interface fast0/2 on the switch. According to the aging type and time, after 1 minute the switchport must error-disable the port and drop the traffic, but nothing happens. Please help to resolve it.

Best wishes

Sultan

22 Replies

Thanks mate, I see sticky = dynamically learning MACs.

Static = mac-address H.H.H

I see in the book it's the same, but now you say sticky is static?

Simple lab:
one port configured with sticky and the other with dynamic.
Both work: they dynamically learn the MAC
and add it to the port-security address table.
Then reload the SW,
check the port-security address table and show running.
You will see the port with sticky keeps the MAC address even after reload, but the dynamic one clears the MAC.
So sticky dynamically learns the MAC but adds it as static (it is confusing, but I like to call it a hybrid between dynamic and static port-security).

M02@rt37
VIP

Hello @M.Sultan 

What is plugged into that Fa0/2? Have you got in the log the MAC address associated with that port-security interface?

Best regards

balaji.bandi
Hall of Fame

Yes, only if the device or MAC changed. What are you expecting here?

Take an example:

ORIGINAL MAC address:

SW1#show port-security interface ethernet 0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : aabb.cc00.0700:100
Security Violation Count : 0

I have connected a different device:

You get this message because the MAC changed on the port:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a83.af75.7d84 on port Ethernet0/0

You see violation count 1:

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Et0/0              1            1                  1         Shutdown
---------------------------------------------------------------------------

SW1#show port-security interface ethernet 0/0
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 3a83.af75.7d84:100
Security Violation Count : 1

SW1#show interfaces status err-disabled  (because I tried to connect a different device, since the MAC changed)

Port      Name               Status       Reason               Err-disabled Vlans
Et0/0                        err-disabled psecure-violation

BB


That's correct, I understand. My point is with the aging type and the aging time I configured on int fas0/3.

Two types: Absolute and Inactivity

#switchport port-security aging type absolute
#switchport port-security aging time 1

Absolutely, the port must go to error-disable after 1 minute; that is what the Cisco topics really say.

There are different things here.

Since you added:

#switchport port-security mac-address sticky

The first device with a MAC connected to that port will become the sticky MAC; you can check with show run interface x/x (you will see the MAC address added to that configuration).

What goal you are trying to achieve is important.

If you see a different MAC address within 1 min, the port goes into error-disable.

But if the PC is removed, the MAC will be flushed and any other device can be connected to that port.

Again, some improvements have been made in newer IOS XE on top of the basic functionality of port security:

You can also add errdisable recovery as part of the global config.

BB

Maybe for better clarity of the use cases:

It all depends on the IOS code you are using; in most cases it should be the same.

Configuring Secure MAC Address Aging on a Port

When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires. When the aging type is configured with the inactivity keyword, the aging time defines the period of inactivity after which all the dynamically learned secure addresses age out.

Note: Static secure MAC addresses and sticky secure MAC addresses do not age out.

BB

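The aging note above and the reload lab described earlier in the thread (sticky versus dynamic port after a reload) are easy to check in a small model. The following Python simulation is an added example, not Cisco code and not from anyone in the thread: it models one access port's secure-address table with a constructed PortSecurity class, uses seconds instead of minutes for the timer, and uses the constructed MAC 0000.1111.2222 for the reload lab; aabb.cc00.0700 and 3a83.af75.7d84 are the addresses from the show output quoted above. It shows why absolute aging on its own never err-disables the port (the dynamic entry just ages out and is relearned), while a second MAC against maximum 1 in shutdown mode does.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecureAddr:
    mac: str
    kind: str          # "dynamic", "sticky" or "static"
    learned_at: float  # seconds; only matters for aging of dynamic entries


@dataclass
class PortSecurity:
    """Constructed model of one port-security-enabled access port (not Cisco code)."""
    maximum: int = 1
    sticky: bool = False
    aging_type: str = "absolute"   # "absolute" or "inactivity"
    aging_time: float = 60.0       # seconds; the thread uses "aging time 1" (minute)
    violation: str = "shutdown"    # "shutdown", "restrict" or "protect"
    table: Dict[str, SecureAddr] = field(default_factory=dict)
    running_config: List[str] = field(default_factory=list)
    status: str = "secure-up"
    violation_count: int = 0

    def configure_static(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H: static entry, never ages."""
        self.table[mac] = SecureAddr(mac, "static", 0.0)
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def _age(self, now: float) -> None:
        # Aging removes dynamically learned secure addresses only; static and
        # sticky entries are exempt, as the Cisco note quoted above states.
        for mac, entry in list(self.table.items()):
            if entry.kind == "dynamic" and now - entry.learned_at >= self.aging_time:
                del self.table[mac]

    def frame(self, mac: str, now: float) -> str:
        """Process one ingress frame from `mac` at time `now`; returns port status."""
        if self.status == "err-disabled":
            return self.status                 # a shut-down port forwards nothing
        self._age(now)
        if mac in self.table:
            if self.aging_type == "inactivity":
                self.table[mac].learned_at = now   # traffic resets the inactivity timer
            return self.status
        if len(self.table) >= self.maximum:
            # Unknown source while the table is full: this, not aging, is a violation.
            self.violation_count += 1
            if self.violation == "shutdown":
                self.status = "err-disabled"   # show interfaces status err-disabled
            return self.status
        kind = "sticky" if self.sticky else "dynamic"
        self.table[mac] = SecureAddr(mac, kind, now)
        if self.sticky:
            # Sticky learning writes the address into the running config.
            self.running_config.append(
                f"switchport port-security mac-address sticky {mac}")
        return self.status

    def reload(self) -> None:
        """Reload after 'wr': dynamic entries vanish, sticky and static come back."""
        self.table = {m: e for m, e in self.table.items() if e.kind != "dynamic"}
        self.status = "secure-up"
        self.violation_count = 0


def thread_scenarios() -> dict:
    """Replay the three situations discussed in the thread (constructed timings)."""
    out = {}
    # 1. Original question: dynamic learning, absolute aging of 60 s, one PC only.
    p = PortSecurity(maximum=1, sticky=False, aging_time=60)
    p.frame("aabb.cc00.0700", now=0)
    p.frame("aabb.cc00.0700", now=61)        # entry aged out and simply relearned
    out["aging_only_status"] = p.status      # still secure-up: aging never errdisables
    # 2. Sticky address learned, then a second device appears on the same port.
    p = PortSecurity(maximum=1, sticky=True, aging_time=60)
    p.frame("aabb.cc00.0700", now=0)
    p.frame("aabb.cc00.0700", now=120)       # sticky entry does not age out
    out["sticky_kept_after_timer"] = "aabb.cc00.0700" in p.table
    out["violation_status"] = p.frame("3a83.af75.7d84", now=130)
    out["violation_count"] = p.violation_count
    # 3. Reload lab: sticky port versus dynamic port after a reload.
    s, d = PortSecurity(sticky=True), PortSecurity(sticky=False)
    s.frame("0000.1111.2222", now=0)          # constructed MAC
    d.frame("0000.1111.2222", now=0)
    s.reload()
    d.reload()
    out["sticky_after_reload"] = sorted(s.table)
    out["dynamic_after_reload"] = sorted(d.table)
    out["sticky_running_config"] = s.running_config
    return out


if __name__ == "__main__":
    for key, value in thread_scenarios().items():
        print(f"{key}: {value}")
```

Running it prints secure-up for the aging-only case, err-disabled with a violation count of 1 once the second MAC arrives, and an empty table after reload only on the dynamic port; the sticky port also carries the learned address in its running config, which is what the "show run interface" check in the thread reveals.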

Thanks mate, please let me know:

#switchport port-security mac-address H.H.H

#switchport port-security mac-address sticky

Which command is dynamic and which one is static?
