port-security aging time - what is it good for?

Jacob Berger
Level 2

I enabled the Smartport desktop macro on a port on a 2960 switch.

In the CLI it added:

 switchport port-security aging time 2
 switchport port-security aging type inactivity

What do these commands do?

I read about aging and it seems that after 2 minutes of inactivity the connected device's MAC address would be removed from the table.

Does that mean that after 2 minutes I can connect a different device and the second device will now be the only device allowed?

What kind of security is that?

Thanks


16 Replies

flokki123
Level 3

Hi,

There are two types of aging you can configure:

1.)

absolute: the secure addresses on that port are deleted after the specified aging time.

2.)

inactivity: the secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time.

You have "inactivity" configured, which means that after 2 min (the time you have specified) the secure MAC addresses are deleted.

This feature is useful if you want to grant access only for a certain time.

Florian

Thanks.

What happens if the original device becomes active again after two minutes?

Or if I connect a different device after two minutes?

It should depend on what you have configured in the first place with the "switchport port-security mac-address" command.

If you have configured static entries, then I guess either no device will be able to connect on this port anymore, or dynamic learning is used.

If you have configured dynamic entries with the "sticky" command, then I would say the port will learn new MAC addresses up to the max. number of MAC addresses you have allowed on that port.

But I never tried this myself, so I am not sure.

csco, if you have the switch, just try it, as this can be tested within 10 min.

If you test, let me know about the result.

Does someone else have experience with this?

Florian

Hello Florian and Jacob,

You have to remember that port security is about

  1. allowing only stations with secure MAC addresses to communicate on a port
  2. allowing a secure MAC address to be located on a single secure port only

The first task is much more visible and prominent: you have a set of "allowed" (secure in Cisco parlance) MAC addresses, all other MAC addresses are disallowed on a port. These MAC addresses may either be configured statically, or learned dynamically, or learned dynamically and automatically added to the configuration (sticky).

The port does not care about the types of secure MAC addresses. If you have configured a maximum of 5 secure MAC addresses on a port and already added 2 of them statically, another 3 can always be learned dynamically on the fly. A security violation would ensue if there were already 5 secure MAC addresses in place, and a frame with yet another source MAC address came in, or if some of these 5 secure MAC addresses suddenly appeared as a source MAC of a frame received on a different secure port.

About aging: Florian is absolutely correct about the absolute and inactivity aging types. An important thing, again, to remember is that aging is relevant in situations where the port remains connected. If a port gets disconnected and goes down, dynamic secure MAC addresses are flushed immediately (static and sticky secure MAC addresses will be retained). Hence, the configuration as added by Jacob makes sure that even if the port remains up, an inactive dynamically learned secure MAC address will be flushed after 2 minutes.

So, to Jacob's question:

what happens if the original device becomes active again after two minutes ?

or if i connect a different device after two minutes?

Nothing special will happen. If the port does not get disconnected, the dynamically learned secure MAC address will be flushed. Whichever device comes in after two minutes, its MAC address will be learned and it will be allowed to communicate.

If the port does get disconnected, the dynamically learned secure MAC address will be flushed immediately. A device will be allowed to communicate immediately after plugging it back (provided the maximum count of secure MACs has not already been used up by static/sticky secure MAC addresses).

In order to stop speculating into great depths, Jacob - would you mind posting the entire configuration of your interface?

Best regards,

Peter

Thanks Peter.

Here is the config:

interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!

The config was created by the Smartport desktop macro.

I would like to understand what security such a config gives me,

and when you say "the port gets disconnected" do you mean physically or by setting

Hello Jacob,

This configuration means:

  1. Only 1 secure MAC address is allowed (the command switchport port-security maximum is not visible, meaning the default value of 1 is used). No static or sticky secure MAC addresses are defined, so this single MAC address will always be dynamically learned.
  2. This dynamic secure MAC address will be flushed after 2 minutes of inactivity
  3. If a second MAC address is received on a port while the first dynamic secure MAC address is still active, the frames with the offending MAC address will be dropped and a message will be logged (the restrict type of violation reaction)

In other words, this configuration always allows at most a single device to access the network via the Gi1/0/1 port. The MAC address of this device will be flushed after 2 minutes of inactivity (this is actually relevant only if another switch was connected to the Gi1/0/1 port because a disconnection of the device on the second switch would not be noticed by your Gi1/0/1 port, and hence, there must be some limit after which old dynamic secure MAC addresses are removed - but if there is a device directly connected to the Gi1/0/1, after it is disconnected, the dynamic secure MAC will be flushed immediately).

and when you say "the port gets disconnected" do you mean physically or by setting

Both. Either unplugging the cable or shutting down the port will result in dynamic secure MAC addresses being flushed.

Best regards,

Peter
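Since Peter's two posts above describe the port-security rules only in prose (the secure-MAC maximum, dynamic versus static entries, absolute versus inactivity aging, the restrict violation action, and the immediate flush of dynamic entries when the link goes down), here is a small Python model of those rules. It is an added illustration written for this thread, not Cisco code and not anything that talks to a switch; sticky addresses are not modelled. The class and function names, the MAC addresses and the timestamps (in seconds) are all constructed for the example. The `smartport_desktop_scenario` function replays Jacob's Gi1/0/1 configuration (maximum 1, aging time 2, aging type inactivity, violation restrict) against the questions he asked.

```python
from dataclasses import dataclass

MINUTE = 60


@dataclass
class SecureMac:
    mac: str
    kind: str          # "dynamic" or "static" (sticky is not modelled)
    learned_at: float  # seconds; reference point for absolute aging
    last_seen: float   # seconds; reference point for inactivity aging


class SecurePort:
    """Hypothetical model of one access port with port security enabled."""

    def __init__(self, maximum=1, aging_time=0, aging_type="absolute",
                 aging_static=False, violation="shutdown"):
        self.maximum = maximum                 # port-security maximum (default 1)
        self.aging_secs = aging_time * MINUTE  # aging time is given in minutes; 0 = off
        self.aging_type = aging_type           # "absolute" or "inactivity"
        self.aging_static = aging_static       # port-security aging static
        self.violation = violation             # "protect", "restrict" or "shutdown"
        self.table = {}                        # mac -> SecureMac
        self.errdisabled = False
        self.violations = 0

    def add_static(self, mac, now=0.0):
        self.table[mac] = SecureMac(mac, "static", now, now)

    def link_down(self):
        """Cable pulled or port shut: dynamic entries go at once, static ones stay."""
        self.table = {m: e for m, e in self.table.items() if e.kind != "dynamic"}

    def age(self, now):
        """Drop entries whose aging timer has expired by time `now`."""
        if self.aging_secs == 0:
            return
        for mac, e in list(self.table.items()):
            if e.kind == "static" and not self.aging_static:
                continue
            ref = e.last_seen if self.aging_type == "inactivity" else e.learned_at
            if now - ref >= self.aging_secs:
                del self.table[mac]

    def receive(self, src, now):
        """A frame with source MAC `src` arrives at `now`; True if it is forwarded."""
        self.age(now)
        if self.errdisabled:
            return False
        if src in self.table:
            self.table[src].last_seen = now
            return True
        if len(self.table) < self.maximum:
            self.table[src] = SecureMac(src, "dynamic", now, now)
            return True
        # Maximum reached and src is not a secure MAC: security violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True
        return False


def smartport_desktop_scenario():
    """Jacob's Gi1/0/1: maximum 1 (default), aging time 2 inactivity, restrict."""
    port = SecurePort(maximum=1, aging_time=2, aging_type="inactivity",
                      violation="restrict")
    a, b = "aaaa.aaaa.0001", "bbbb.bbbb.0002"   # constructed MAC addresses
    return {
        "a_first": port.receive(a, now=0),            # learned and forwarded
        "b_while_a_active": port.receive(b, now=30),  # dropped: A is still secure
        "b_after_a_idle": port.receive(b, now=150),   # A idle > 2 min, B takes the slot
        "a_returns": port.receive(a, now=160),        # A is now the offender
        "violations": port.violations,
        "errdisabled": port.errdisabled,              # restrict never err-disables
    }


def link_flap_scenario():
    """Unplugging flushes the dynamic entry without waiting for the timer."""
    port = SecurePort(maximum=1, aging_time=2, aging_type="inactivity",
                      violation="restrict")
    port.receive("aaaa.aaaa.0001", now=0)
    port.link_down()
    return port.receive("bbbb.bbbb.0002", now=5)


def static_vs_dynamic_scenario():
    """Static entries survive aging unless 'aging static' is configured."""
    port = SecurePort(maximum=2, aging_time=2, aging_type="absolute",
                      violation="restrict")
    port.add_static("cccc.cccc.0003", now=0)
    port.receive("dddd.dddd.0004", now=0)   # dynamic entry takes the second slot
    port.age(now=130)                       # 130 s > 2 min: only the dynamic entry ages out
    return sorted((e.mac, e.kind) for e in port.table.values())
```

Running the three scenario functions reproduces the thread's conclusions: a second device is dropped while the first is still active, takes over the single slot once the first has been idle for two minutes, and a cable pull frees the slot immediately without waiting out the timer. With `violation restrict` the port counts and drops but is never err-disabled; the static scenario shows Peter's later point that aging leaves static entries alone unless `aging static` is set.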

Peter, thanks for your patience.

If I understood correctly from your above post,

the config would be useful to block attempts to connect switches to the port;

any other device would not have a problem.

Is that so?

Hi Jacob,

Yes, you are correct. The above configuration would prevent attaching more than one end device to the port (using an additional switch, hub, access point, ...).

Best regards,

Peter

Thanks!

Hi Peter,

Thanks a lot for your help.

But what if the MAC addresses were learned statically? Would the aging process concern these addresses? Or is it all about the dynamically learned ones?

Florian

Hi Florian,

I am happy to join you guys.

but what if the mac-addresses were learned statically? would the aging process concern these addresses?

In a strict sense, MAC addresses are not statically learned but rather configured - but I get the point. You have a very good question: the aging process does not affect static secure MAC addresses unless the switchport port-security aging static command is configured.

Best regards,

Peter

Hi Peter,

You are right, I meant statically configured.

Thanks for your answer, it helped me to understand the whole thing better.

Florian

Hi Peter,

I would have one last question.

What would happen if you configure static MAC addresses and also configure the "switchport port-security aging static" command on the switch?

After the static entries are aged out, would no device be able to connect to the port, or would the switch dynamically learn MAC addresses up to the specified max. number of MAC addresses?

And is the command "switchport port-security aging" valid for dynamically learned MACs and also valid for MACs learned with the "sticky" command?

Thanks.

Florian

Hi!
flokki123, let me add an annotation: the Cisco 2960S switch does not support port-security aging of sticky secure addresses. See page 411 of the Configuration Guide for that device.
Bye...=)