12-17-2014 12:10 PM - edited 03-05-2019 12:24 AM
Dears,
Below is the configuration.
interface FastEthernet0/13
switchport access vlan 41
switchport mode access
switchport voice vlan 9
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 20
switchport port-security violation restrict
switchport port-security aging type inactivity
spanning-tree portfast
I have specified a maximum of 2 MAC addresses for the phone + PC-A. When I unplug PC-A and plug in PC-B, PC-B is able to access the network. Only when I put the mac-address sticky command does it block PC-B, and I don't want to put the mac-address sticky command.
When I have applied maximum 2, then why is it allowing PC-B to communicate?
thanks
12-17-2014 01:33 PM
This behavior is because without statically mapping the MAC address or using sticky, the switch doesn't know to block PC-B. The maximum 2 command is telling it that no more than two MAC addresses can be learned on this port, but as soon as you unplug PC-A, the dynamically learned addresses are all dropped (the phone uses CDP to tell the switch that its PC port dropped), and plugging in PC-B brings it back to two addresses, so there is no violation. Without static mapping or using sticky, that wouldn't work.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html
12-17-2014 10:35 PM
Dear dallas
thanks for the reply,
As I have browsed, I have seen that aging type and time don't work with mac-address sticky, meaning if I enter aging time 5 min and type inactivity, the port doesn't come up with PC-B; it again goes to the error-disabled state.
After we get the MAC addresses by the mac-address sticky command, copying those MAC addresses and making them static is not good practice, and configuring static for 500 users is a time-consuming and lengthy job.
So is there no alternate way to have an aging timeout so that if we connect another PC it gets access?
12-18-2014 12:40 AM
For your scenario, are PC-A and PC-B always the same? Because if they are, you can set the maximum up to 3 and learn the MAC addresses of the phone and both machines.
And with switchport port-security violation restrict the port should not go to err-disable.
Why do you need to have the aging policy?
Regards.
Rolando Valenzuela.
12-18-2014 09:03 PM
Dears
Thanks to everybody who is replying to my mail, but I want to be clearer on some doubts.
On a port configured with mac-address sticky, aging time and type don't have any effect; they are in effect with switchport port-security mac-address static XXXX.XXXX etc.
So in which scenario can we use aging time and type?
thanks
12-18-2014 11:36 PM
That is what I would like to know as well: what is the purpose of using aging? Maybe we can accomplish the same goal/behavior with another method.
How many computers do you expect to have on that port? I mean, is it a public port, like in a conference room or something, or is it a private one, like inside the CEO's office?
Regards.
Rolando Valenzuela.
12-19-2014 04:26 AM
Thanks Rolando
I have ports in a public area hall where everyone comes and connects his laptop to check internet mail and the country's government website.
In this situation I want to use an aging time of 1 min, in case a person leaves and another person comes with his laptop, so he has to wait for 1 min to get access.
Thanks
12-20-2014 11:48 AM
Dears,
Can anybody help me with the above query please?
thanks
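Added example (not part of the thread or of anyone's reply): a small Python audit that scans an IOS running-config for the port-security combinations discussed above. The sample config is constructed for the example (Fa0/14, Fa0/15 and Gi0/1 are made up; Fa0/13 mirrors the original post). The rules it encodes are: a port with only a maximum and no sticky/static addresses is dynamic-only, so a replacement host is learned without a violation (dallas's explanation); aging time has no effect on sticky secure addresses (as the posters observed and as the Cisco Catalyst port-security documentation states); static addresses only age when 'switchport port-security aging static' is also configured; and the violation mode defaults to shutdown (err-disable) when none is set. Verify these against the configuration guide for your own platform before relying on the output.

```python
"""Audit Cisco IOS running-config for port-security settings that behave
differently from what operators usually expect.

Added example, not code from the original thread. SAMPLE_CONFIG is
constructed: interface names and the MAC address are hypothetical.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface FastEthernet0/13
 switchport access vlan 41
 switchport mode access
 switchport voice vlan 9
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 20
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security aging static
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

STATIC_MAC = re.compile(
    r"switchport port-security mac-address "
    r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}(?: vlan \S+)?$"
)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands, stripped]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command closes the block
    return interfaces


def audit_port_security(config: str) -> Dict[str, List[str]]:
    """Return {interface: [issues]} for every port with port-security enabled."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        ps = [l for l in lines if l.startswith("switchport port-security")]
        if "switchport port-security" not in ps:
            continue  # feature not enabled on this port
        sticky = any(l.startswith("switchport port-security mac-address sticky") for l in ps)
        static = any(STATIC_MAC.fullmatch(l) for l in ps)
        aging_time = any(l.startswith("switchport port-security aging time") for l in ps)
        aging_static = "switchport port-security aging static" in ps
        maximum = next((int(l.split()[-1]) for l in ps
                        if l.startswith("switchport port-security maximum")), 1)
        violation = next((l.split()[-1] for l in ps
                          if l.startswith("switchport port-security violation")), "shutdown")

        issues: List[str] = []
        if not sticky and not static:
            issues.append(f"dynamic-only learning: 'maximum {maximum}' caps how many MACs are "
                          "present at once, but once the old host's entry is removed any new "
                          "MAC is learned without a violation")
        if sticky and aging_time:
            issues.append("aging time configured, but sticky secure addresses are not aged")
        if static and aging_time and not aging_static:
            issues.append("aging time configured, but 'aging static' is missing, so static "
                          "addresses never age")
        if violation == "shutdown":
            issues.append("violation mode is the default 'shutdown': a violation err-disables the port")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_port_security(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Running it against the sample flags Fa0/13 as dynamic-only (the behaviour in the original question), Fa0/14 for aging on a sticky port plus the default shutdown mode, and reports Fa0/15 clean; the trunk port is skipped because port-security is not enabled there.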