11-09-2007 06:27 AM - edited 03-03-2019 05:45 AM
Hi all,
what's the difference between
a) switchport port-security mac-address xxxx.xxxx.xxxx
b) switchport port-security mac-address sticky xxxx.xxxx.xxxx
Somewhere deep down in the documentation I find that you may use both, but should prefer the version without sticky. Why ? Is there a difference ? At a first glance, I don't see any.
Maybe "sticky xxxx.xxxx.xxxx" in a config is just an indicator to give you a quick visual indication that this mapping was learned and written to the config dynamically - opposed to static mapping without "sticky"? If so, what sense is behind doing static mapping and still be able to use sticky in combination with static mac-addresses like in version b) above ?
Later,
Oliver
11-09-2007 07:19 AM
I hope this helps:
"After you have set the maximum number of secure MAC addresses on a port,
the secure addresses are included in an address table in one of these
ways:
- You can configure all secure MAC addresses by using the switchport
port-security mac-address mac_address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses
with the MAC addresses of connected devices.
- You can configure a number of addresses and allow the rest to be
dynamically configured.
Note If the port shuts down, all dynamically learned addresses are
removed.
- You can configure MAC addresses to be sticky. These can be dynamically
learned or manually configured, stored in the address table, and added to
the running configuration. If these addresses are saved in the
configuration file, the interface does not need to dynamically relearn
them when the switch restarts. Although sticky secure addresses can be
manually configured, it is not recommended."
<http://www.cisco.com/en/US/products/...02c30 af.html>
The point is with using 'Sticky', this feature essentially is allowing you to set the maximum number of DYNAMIC learned mac addr's (or nodes) that can tx/rx frames on this port. The switchport port-security max command is a safeguard to prevent someone connecting a hub to the port for example. Or even another switch. Without the switchport port-security
Perhaps the way to think about this, and to make it very clear is to imagine if you did not have this flexibility - what would be the drawbacks?
hth,
Ajaz
pls rate this post if it helped.
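To make the three forms in the quoted documentation concrete, here is an added example interface configuration (not part of the thread, and not taken from the Cisco document Ajaz quotes). The interface name and the MAC addresses are constructed; the commands themselves are the ones discussed above.

```cisco
! Added example: one access port showing the three kinds of secure MAC address.
! Interface name and MAC addresses are constructed for illustration.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! at most three secure addresses on this port; a hub or second switch
 ! behind it would push the count past the limit
 switchport port-security maximum 3
 ! drop frames from unknown sources and log, rather than err-disable the port
 switchport port-security violation restrict
 ! (a) static secure address: typed by hand, lives in the running-config,
 !     is not removed when the port shuts down, persists across a reload
 !     once the config is saved
 switchport port-security mac-address 0000.1111.aaaa
 ! enable sticky learning: addresses learned from now on are converted to
 ! sticky secure addresses and appended to the running-config automatically
 switchport port-security mac-address sticky
 ! (b) sticky secure address: this is exactly how a sticky-learned address
 !     appears in the running-config; entering it by hand is accepted but the
 !     documentation advises against it
 switchport port-security mac-address sticky 0000.2222.bbbb
```

With this configuration the third slot under `maximum 3` is filled by the next host seen on the port, and because sticky learning is on that address is also written into the running-config as a `sticky` entry. Neither sticky entry survives a reload unless the running-config is saved (`copy running-config startup-config`). To check what the switch actually holds, `show port-security interface FastEthernet0/1` reports the maximum, the current count and the violation mode, and `show port-security address` lists each secure address with its type (SecureConfigured, SecureSticky or SecureDynamic), which is the quickest way to see whether a port is relying on addresses that would be lost on shutdown.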
11-09-2007 08:13 AM
Hi Ajaz,
I just wonder why there is a possibility to say "mac sticky" and then specify a static mapping in the same statement. As far as I can see now, it should be _either_ static mapping _or_ sticky mapping (=dynamic learning that does not expire), the mixed version seems to be odd.
For static mappings (where the MAC is already known), I would use "sw po mac xxxx.xxxx.xxxx" without sticky, since an address I already know and configure manually is never "sticky learned".
OTOH, when I want to learn MAC addresses and turn them into static mappings, I'd use "sw po mac sticky" without specifying the actual MAC.
It's just the mixture of both that doesn't make too much sense to me:
- Sticky learning itself is activated independently (sw po mac sticky)
- Manual static mapping has nothing to do with stickyness
- dynamic learning can be non-sticky (normal behaviour) or sticky (dynamically learned addresses are turned into static mappings).
So what use is there for static + sticky ?
--------------
It's just that I look for a certain consistency in an interface. Since static mapping is the opposite of dynamic learning, regardless whether the dynamic addresses stay a certain time (non sticky) or "forever" (sticky), I still don't see what exactly a static sticky MAC address is.
If it's just an inconsistency like router interfaces starting with f0/0 and switches starting with f0/1, that's ok with me. I just want to know :). But maybe I don't see a use case where you need static sticky and can't do it any other way.
Best wishes,
Oliver
11-09-2007 08:27 AM
Oliver,
I would put this down to an IOS anomaly and at the end of the day the Cisco IOS SW engineers who prepare the code are allowing us to view and configure these options. Although they do a marvelous job as a whole there are somethings in the IOS which just seem odd or inconsistent. This sticky command is just one of those examples. That said I have a feeling this would not be considered to be a major SW defect. It just causes confusion.
As long as you have a good grasp of the difference of max, sticky and static mac-addr port-security - you'll be just fine!
this just confirms what the options are:
hope you have a fabulous w/end.
Ajaz