PORT-SECURITY

Hi Experts,

What is the difference between SecureSticky and SecureDynamic in the output of "sh port-sec add"?

1. As far as my understanding goes, both terms define the MAC address learned dynamically.

2. The difference I could see is that in the running config for sticky, I could see the MAC address of the device.

Is there any special difference apart from this?

Thanks,

Sathish

2 Accepted Solutions

prefixlength
Level 1

Hi, you're pretty much spot on.

The advantage of using sticky (and subsequently having the dynamically learned MAC addresses in the running config) is the ability to save them to the startup config and have them persist after a reboot, thus making the ports that much more secure.

Rather than hoping that the right devices (the ones you wish to allow on said ports) send traffic through them first when the switch dynamically learns addresses all over again.

Hi,

This is also a good document explaining the difference:

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

Link:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

HTH
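A worked check that makes the two answers above concrete, added here as an editor's example (it is not code from the thread or from Cisco). It parses constructed, IOS-style output of "show port-security address" together with matching running-config and startup-config excerpts, and flags the two situations the answers describe: ports that hold only SecureDynamic addresses (forgotten on reload and relearned from whichever device talks first) and SecureSticky addresses that sit in the running config but have not yet been saved to the startup config. The sample output, interface names and MAC addresses are constructed, and the audit, parse_secure_addresses, sticky_macs_in_config and normalize_port functions are the editor's own, not switch commands.

```python
import re

# Constructed sample in the style of Cisco IOS "show port-security address"
# (not captured from a real switch). Types seen: SecureSticky, SecureDynamic, SecureConfigured.
SHOW_PORT_SECURITY_ADDRESS = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureSticky                  Gi0/1        -
  10    0011.2233.4466    SecureDynamic                 Gi0/2        -
  20    0011.2233.4477    SecureConfigured              Gi0/3        -
  20    0011.2233.4488    SecureSticky                  Gi0/4        -
-----------------------------------------------------------------------------
"""

# Constructed running-config excerpt: sticky learning has pinned a MAC on Gi0/1 and Gi0/4,
# Gi0/2 relies on plain dynamic learning, Gi0/3 has a statically configured MAC.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet0/2
 switchport port-security
!
interface GigabitEthernet0/3
 switchport port-security
 switchport port-security mac-address 0011.2233.4477
!
interface GigabitEthernet0/4
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4488
!
"""

# Constructed startup-config excerpt: saved before Gi0/4 learned its sticky address,
# so that entry exists only in the running config and would be lost on reload.
STARTUP_CONFIG = RUNNING_CONFIG.replace(
    " switchport port-security mac-address sticky 0011.2233.4488\n", "")

ADDR_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)
PORT_RE = re.compile(r"^(Gi|Fa|Te)(\d.*)$")
SHORT_TO_LONG = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


def parse_secure_addresses(text):
    """Return (vlan, mac, type, port) tuples from the secure MAC address table."""
    rows = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows


def normalize_port(name):
    """Expand the short port names used in show output to the long form used in config."""
    m = PORT_RE.match(name)
    return SHORT_TO_LONG[m.group(1)] + m.group(2) if m else name


def sticky_macs_in_config(config):
    """Map each interface to the MACs pinned by 'switchport port-security mac-address sticky <mac>'."""
    pinned, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            pinned.setdefault(current, set())
        elif current is not None:
            parts = line.split()
            # the bare 'mac-address sticky' line (4 tokens) only enables learning;
            # a 5-token line carries a learned or saved sticky MAC
            if parts[:4] == ["switchport", "port-security", "mac-address", "sticky"] and len(parts) == 5:
                pinned[current].add(parts[4].lower())
    return pinned


def audit(show_addr, running, startup):
    """Flag, per port, what would not survive a reload.

    dynamic_only:   SecureDynamic entries; they vanish on reload and the port then accepts
                    whichever MAC shows up first, which is what sticky is meant to avoid.
    sticky_unsaved: SecureSticky entries in the running config but not in the startup config;
                    lost on reload unless 'copy running-config startup-config' is run.
    """
    run_sticky = sticky_macs_in_config(running)
    start_sticky = sticky_macs_in_config(startup)
    findings = {}
    for _vlan, mac, kind, port in parse_secure_addresses(show_addr):
        iface = normalize_port(port)
        if kind == "SecureDynamic":
            findings.setdefault(iface, {}).setdefault("dynamic_only", []).append(mac)
        elif (kind == "SecureSticky" and mac in run_sticky.get(iface, set())
              and mac not in start_sticky.get(iface, set())):
            findings.setdefault(iface, {}).setdefault("sticky_unsaved", []).append(mac)
    return findings


if __name__ == "__main__":
    result = audit(SHOW_PORT_SECURITY_ADDRESS, RUNNING_CONFIG, STARTUP_CONFIG)
    for iface, issues in sorted(result.items()):
        for issue, macs in issues.items():
            print(f"{iface}: {issue}: {', '.join(macs)}")
```

On the constructed data this reports Gi0/2 as dynamic_only and Gi0/4 as sticky_unsaved; Gi0/1 (sticky and saved) and Gi0/3 (statically configured) are clean. To use it against a real switch, paste in the text of "show port-security address", "show running-config" and "show startup-config"; the show output abbreviates port names (Gi0/1) while the config uses the long form, which is why the script normalises them. Anything it lists as sticky_unsaved needs a "copy running-config startup-config" (or "write memory") to persist, and, as the quoted document notes, disabling sticky learning on an interface later turns those addresses back into dynamic ones and drops them from the config again.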

4 Replies


Thanks a lot. Understood the concept.

Thank you. Got the concept.