Port-Security Aging Timers absolute vs inactive

Steph1963
Level 1

Hi,

I would like to understand the difference between the two types of aging mechanism: Absolute & Inactivity. In which situation should we use absolute instead of inactivity? What is the default setting if we do not specify absolute or inactivity?

In switchport port-security aging time, do we have to specify a time in minutes, or is there a default value associated with this command?

Thanks for your help

Stephane


cadet alain
VIP Alumni

Hi,

By default the aging time for secure MAC addresses is disabled: it is set to 0 and absolute for dynamic ones (0 meaning never age out) and disabled for static ones.

The aging time is in minutes.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

If I have understood you correctly, aging time is disabled by default, and if we configure an aging time, the default will be absolute.

The following configuration comes from the SWITCH manual and I am still not sure how long the aging time is configured for.

interface fa2/2
  switchport mode access
  switchport port-security
  switchport port-security mac-address 0000.0000.1118
  switchport port-security maximum 1
  switchport port-security aging static
  switchport port-security violation shutdown

I think that the switchport port-security aging static applies to the configured static MAC address. From what I read, the static MAC address configured will disappear from the running-config if the aging timer is reached, but I do not know how long this aging timer is.

Thanks for your help

Stephane


smogra
Cisco Employee

Hi,

Please find the difference between the two:

Absolute—The secure addresses on that port are deleted after the specified aging time.

Inactivity—The secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time.

Please find the link which explains more:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042990

The aging time is specified in minutes.

By default the aging time never ages out, and it is disabled for static ones.

Cheers

Sweta

Please rate the answer and mark it answered if it was helpful.

Hi,

Does that mean that absolute will age out the learned address whether there is activity or not?

Thanks for your help

Stephane

Hi,

Yes, absolute means at the end of the timer clear the mac from CAM table and inactivity means if there hasn't been any traffic sourced from this mac on this port since the timer value then clear the mac from CAM table.

Steph1963 wrote:

I think that the switchport port-security aging static applies to the configured static MAC address. From what I read, the static MAC address configured will disappear from the running-config if the aging timer is reached, but I do not know how long this aging timer is.

Yes, it applies to static secure addresses, but the aging is for the CAM table, not the running-config.

I don't know the default value when enabled but show port-security and/or sw mac address-table static xxxx.xxxx.xxxx will give you the answer.

Regards.

Alain.

Don't forget to rate helpful posts.
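
Added example (not part of any post in this thread, and not Cisco code): a simplified Python model of the two aging types as described above, replaying constructed frames on a port with maximum 1. The function name, MAC addresses and timings are assumptions made for illustration.

```python
# Simplified model of port-security aging on one port.
# Times are in minutes; all frames below are constructed sample data.

HOST_A = "aaaa.aaaa.0001"   # constructed MAC, first device on the port
HOST_B = "bbbb.bbbb.0002"   # constructed MAC, second device on the port
FRAMES = [(0, HOST_A), (4, HOST_A), (8, HOST_A), (11, HOST_B)]


def simulate(frames, aging_time, aging_type, maximum=1):
    """Replay (minute, src_mac) frames; return (events, violations).

    events is a list of (minute, mac, "learned" | "aged out").
    aging_time 0 means secure addresses never age out.
    """
    secure = {}                 # mac -> minute its timer was (re)started
    events, violations = [], []

    def expire(now):
        # Remove every entry whose timer has run out by `now`.
        for mac, start in sorted(secure.items(), key=lambda kv: kv[1]):
            if aging_time and now >= start + aging_time:
                events.append((start + aging_time, mac, "aged out"))
                del secure[mac]

    for minute, mac in sorted(frames):
        expire(minute)
        if mac in secure:
            if aging_type == "inactivity":
                secure[mac] = minute    # traffic restarts the timer
            # absolute: the timer keeps running from the learn time
        elif len(secure) < maximum:
            secure[mac] = minute
            events.append((minute, mac, "learned"))
        else:
            violations.append((minute, mac))
    return events, violations


if __name__ == "__main__":
    for kind in ("absolute", "inactivity"):
        print(kind, simulate(FRAMES, aging_time=10, aging_type=kind))
```

With a 10-minute timer, absolute aging frees the slot at minute 10 even though the first host was still sending, so the second host is learned; with inactivity aging the first host stays and the second host is a violation.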

Hi Alain,

I think that I probably misinterpreted the following paragraph from the following link:

http://www.ciscopress.com/articles/article.asp?p=99029&seqNum=3

You can define an optional security-aging feature to cause all secure addresses to become obsolete without having to manually remove each of them.

I thought that removing each of them meant that the switchport port-security mac-address mac-address command was removed from the running-configuration.

If I have followed you correctly, the aging only ages out the static entries in the CAM table, not the ones that are configured in the running-config.

Thanks for all your help

Stephane

As I read, the static MAC address configured will disappear from the running-config if the aging timer is reached. What is the exact meaning of disappear here? Does it mean that after the time expires, a different MAC address can enter the network, or something else? Please explain.......
