10-22-2008 06:09 AM - edited 03-06-2019 02:04 AM
How exactly does age time work in port security? Currently I don't have age time set for port security, and I was under the impression that this means age time is disabled, which means the secure address is active on the port forever.
Recently, though, I have been noticing that even when port security is set, when a computer is unplugged there is no entry in Secure-Src-Addr, and consequently the port does not shut down when a different computer or device is plugged in.
The port security config is set to dynamic, violation shutdown for 5 minutes, with age time not set. Anyone know what's going on?
Thanks.
10-22-2008 06:27 AM
Hi
Could you please post me the config?
Regards
Adhi
10-22-2008 07:10 AM
Here is the config of the port security on the affected port:
* = Configured MAC Address
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
2/1   enabled  shutdown  5             0        1        disabled 9
Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
2/1   0        -                 -        00-0b-db-6f-82-d4 no -
10-22-2008 07:14 AM
If port security is set to dynamic, then it's adding the learned addresses to the port. It won't shut the port down unless you have a max-address set. These addresses (unless sticky) will be removed when the switch is reset.
IMHO, there's no point in having port security if you don't either set the number of accepted addresses on the port in dynamic mode, or set them to static MAC addresses.
Maybe this will help too:
--John
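As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python parser for the `show port security` output format posted above. It joins the two tables into one record per port and runs two checks: the symptom the original poster describes (security enabled and a maximum set, but no secure address currently held, so the next MAC seen fills the slot instead of counting as a violation), and the distinction John draws between a learned and a configured address. Port 2/1 is the poster's own row; ports 3/4 and 3/5, and the assumption that a configured address is shown with the `*` marker the legend line refers to, are constructed for illustration.

```python
"""Parse CatOS-style 'show port security' output (the format posted above)
and flag ports whose secure-address slot is empty or only dynamically learned.
Added example; not from the original thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port 2/1 is copied from the output posted in the thread. Ports 3/4 and 3/5
# are constructed: 3/4 holds a dynamically learned address, 3/5 a configured
# one (assumed to be shown with the '*' marker the legend line refers to).
SAMPLE = """\
* = Configured MAC Address
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
2/1   enabled  shutdown  5             0        1        disabled 9
3/4   enabled  shutdown  5             0        1        disabled 20
3/5   enabled  shutdown  5             0        1        disabled 21
Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
2/1   0        -                 -        00-0b-db-6f-82-d4 no -
3/4   1        00-11-22-33-44-55 -        00-11-22-33-44-55 no -
3/5   1        *00-aa-bb-cc-dd-ee -       00-aa-bb-cc-dd-ee no -
"""

PORT_RE = re.compile(r"^\d+/\d+$")  # CatOS mod/port, e.g. 2/1


@dataclass
class PortSecurity:
    port: str
    enabled: bool = False
    violation: str = ""
    shutdown_time: int = 0    # minutes the port stays down after a violation
    age_time: int = 0         # 0 in the poster's config ("not set")
    max_addr: int = 0
    num_addr: int = 0
    secure_src_addr: Optional[str] = None
    configured: bool = False  # True when the secure address carries the '*' marker
    last_src_addr: Optional[str] = None
    shut_down: bool = False


def _blank(value: str) -> Optional[str]:
    """The command prints '-' for an empty field."""
    return None if value == "-" else value


def parse_show_port_security(text: str) -> Dict[str, PortSecurity]:
    """Join the two tables of the command output into one record per port."""
    records: Dict[str, PortSecurity] = {}
    table = None  # "config" for the first table, "state" for the second
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "Port":
            table = "config" if "Security" in fields else "state"
            continue
        if not PORT_RE.match(fields[0]):
            continue  # legend line, dashed separator, or anything else
        rec = records.setdefault(fields[0], PortSecurity(port=fields[0]))
        if table == "config" and len(fields) == 8:
            _, sec, viol, shut, age, maxa, _trap, _ifindex = fields
            rec.enabled = sec == "enabled"
            rec.violation = viol
            rec.shutdown_time = int(shut)
            rec.age_time = int(age)
            rec.max_addr = int(maxa)
        elif table == "state" and len(fields) == 7:
            _, num, src, _age_left, last, shut, _time_left = fields
            rec.num_addr = int(num)
            if src != "-":
                rec.configured = src.startswith("*")
                rec.secure_src_addr = src.lstrip("*")
            rec.last_src_addr = _blank(last)
            rec.shut_down = shut == "yes"
    return records


def ports_without_secure_address(records: Dict[str, PortSecurity]) -> List[str]:
    """Ports with security enabled and a maximum set, but fewer addresses held
    than the maximum: the poster's symptom. The next MAC seen on such a port
    fills the free slot instead of counting as a violation."""
    return sorted(p for p, r in records.items()
                  if r.enabled and r.max_addr > 0 and r.num_addr < r.max_addr)


def dynamically_secured_ports(records: Dict[str, PortSecurity]) -> List[str]:
    """Ports whose secure address was learned rather than configured, i.e. the
    binding is not part of the configuration and can disappear from the port."""
    return sorted(p for p, r in records.items()
                  if r.enabled and r.secure_src_addr is not None and not r.configured)


if __name__ == "__main__":
    recs = parse_show_port_security(SAMPLE)
    for port in ports_without_secure_address(recs):
        r = recs[port]
        print(f"{port}: no secure address held (max {r.max_addr}, age-time {r.age_time}), "
              f"last seen {r.last_src_addr}")
    for port in dynamically_secured_ports(recs):
        print(f"{port}: secure address {recs[port].secure_src_addr} is learned, not configured")
```

Run it over the full command output from the switch rather than a single port: every port the first check lists will accept whatever MAC appears next instead of shutting down, which is exactly what the poster saw on 2/1, and the second check lists the ports that would need a configured address to survive losing their learned one.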
10-22-2008 07:30 AM
John,
Thanks for the speedy reply. I guess it was not apparent from the posted config but we do have a max address of 1 set for each port and it is dynamic.
10-22-2008 07:34 AM
Yeah, I see that now :)
What happens if you ping the device that you put on after switching the cables? Does the port shutdown, or does it continue to work?
Can you post the actual config of the port?
sh run int fa0/1 (or whatever port it is)
John