question about switchport port security

Dr.X
Level 2

Hi, I am confused about one point.

Now assume I typed:

int f0/0

switchport port-security

switchport port-security maximum 10

=======================

By default the switch will learn the MAC addresses, and if it learns an 11th the port will go into err-disabled; this I understood.

but

What is the difference if I typed:

int f0/0

switchport port-security

switchport port-security maximum 10

switchport port-security mac-address sticky

=======================

I also read that mac-address sticky will learn the MAC dynamically.

So what's the difference between the two methods I typed?

Does that mean that

mac-address sticky

is enabled by default on the switch?

regards


Rolf Fischer
Level 9

With the sticky option, the entries do not age out and become part of the port's config automatically (you can also configure them manually if needed).

Without sticky the MAC addresses of the edge devices do not matter, as long as the maximum is not exceeded.

HTH

Rolf

Hi Rolf,

Do you think without sticky there is an aging time? What's the aging time?

====================

Another question:

If I configured a maximum number of 10 MAC addresses

and I configured 11 static MACs with the command:

switchport port-security  mac-address xxxxxxxx

will the port go to err-disabled?

I mean the number of allowed MACs: does it include both static and dynamic, or only dynamic?

regards

There are some options I normally like to change from the defaults when using port-security:

- violation mode (restrict)

- aging type (inactivity)

- aging time (5 min)

Of course, there's plenty of documentation on cisco.com, but for a quick overview I still like this document:

http://www.google.de/url?sa=t&rct=j&q=snac%20switch%20security%20guide&source=web&cd=1&cad=rja&ved=0CDYQFjAA&url=http%3A%2F%2Fwww.nsa.gov%2Fia%2F_files%2Fswitches%2Fswitch-guide-version1_01.pdf&ei=xczeUMv9Ksfe4QSbw4Eo&usg=AFQjCNHD9QvzQbOVavU4rDFlWITk... (7.2 page 24ff)

OK, it's pretty old and we have some new options nowadays but it's clear and brief.

HTH

Rolf

###

Somehow the links I tried do not work at all, just search for "snac cisco switch security configuration guide"!

###

mahmoodmkl
Level 7

Hi,
I think it's both.

Sent from Cisco Technical Support iPhone App

Thanks both.

regards

Hi, I missed asking:

about the aging time,

is the aging time in port security the time of MAC learning,

or

is it the time to recover from err-disabled if the violation occurred?

regards

Hi,

It's the MAC learning duration.

Right, and the time to recover from err-disabled state can be changed by

errdisable recovery interval <30-86400>

Default is 300 seconds.

Also make sure that auto recovery is configured for err-disabled caused by port-security violations:

errdisable recovery cause psecure-violation

Regarding the aging time I found another discussion here:

https://supportforums.cisco.com/thread/2125949

Peter Paluch gives a great explanation here (like he always does...).

Best regards,

Rolf

Great, but what's the difference between the aging time of the MAC address table and the aging time in port security? I'm confused about them.

regards

I must agree it's somewhat confusing. How about that:

Default PS aging is

type = absolute

time = 0 (which means never)

That means, once learned, a secure MAC address remains assigned to a port until the port changes to down state. Thus, proper operation depends on link status changes. If you remove an edge device, the secure MAC address will be flushed and a new one can be learned.

But if you use a media converter or an unmanaged switch or something like that, you should change the timer, because removing an edge device will normally not result in a link status change.

To achieve a PS aging more or less similar to CAM table aging, you can set

type =  inactivity

time = 5 minutes

Best regards,

Rolf
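Putting the thread's points together as one switch configuration, as an added example that is not Rolf's text or Cisco's documentation: it shows the non-sticky port the original question starts with beside a sticky port, the aging settings Rolf recommends (inactivity, 5 minutes), the restrict violation mode, and the err-disable recovery commands from earlier in the thread. Interface names, the VLAN number and the static MAC address are assumed placeholders; comments are on their own lines because IOS accepts "!" only at the start of a line.

```cisco
! Global: let the switch bring a port back from err-disabled on its own
! after a port-security violation (default interval is 300 seconds)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Port A: dynamic secure MACs, no sticky (assumed interface name and VLAN)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
! the maximum counts static, sticky and dynamic secure MACs together
 switchport port-security maximum 10
! restrict: drop frames from extra MACs, log a syslog message and SNMP trap,
! increment the violation counter, but leave the port up
 switchport port-security violation restrict
! default aging is absolute / 0 (never); inactivity + 5 minutes behaves
! roughly like CAM-table aging, so a device behind a media converter or an
! unmanaged switch is forgotten after it goes quiet, without a link flap
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 spanning-tree portfast
!
! Port B: sticky learning (assumed interface name and VLAN)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
! learned MACs are written into the running-config as
! "switchport port-security mac-address sticky <mac>" and survive link down;
! save with "write memory" so they survive a reload
 switchport port-security mac-address sticky
! a manually configured static entry (assumed value) counts toward the maximum
 switchport port-security mac-address 0011.2233.4455
! sticky and static entries do not age unless static aging is enabled too
 switchport port-security aging static
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 spanning-tree portfast
!
! Verification: secure-address counts, aging, violation counter, recovery timers
show port-security interface FastEthernet0/1
show port-security interface FastEthernet0/2
show port-security address
show errdisable recovery
```

The key difference between the two ports is what happens on link down: Port A flushes its secure MACs and learns afresh, while Port B keeps the sticky entries in its configuration, so a replaced device on Port B is treated as a violation until the old entry is removed.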

fischer.rolf wrote:

I must agree it's somewhat confusing. How about that:

Default PS aging is

type = absolute

time = 0 (which means never)

That means, once learned, a secure MAC address remains assigned to a port until the port changes to down-state.

So if you change the edge device, the secure MAC address will be flushed and a new one can be learned.

If you use a media converter or an unmanaged switch, you should change the timer, because removing an edge device will normally not result in a link status change.

To achieve a PS aging more or less similar to CAM table aging, you can set

type =  inactivity

time = 5 minutes

Best regards,

Rolf

Hi Rolf, I really appreciate your help.

You gave me a good explanation.

=====

Thanks

=====

regards

Ahmad

You're welcome!

Rolf:

I have a question about your reply on this topic. I'm curious to know why you would do port-security violation restrict, vs the Cisco preferred method of the default, which in this case is violation shutdown. With restrict, no SNMP trap is sent, so there may be no way for the admins to know that something is going on with that port/switch. With shutdown, you'll get the SNMP trap hit.

Just curious... myself, I prefer shutdown. I don't want any chance that someone doing something nefarious can get in...

Hi,

Protect mode only drops prohibited frames, but restrict does send a syslog message and an SNMP trap.

Regards.

Alain

Don't forget to rate helpful posts.
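To make the three violation modes Alain distinguishes concrete, here is an added configuration example (not from the thread or from Cisco's documentation) that sets each mode on a different port and adds the global commands a switch needs before any port-security trap or syslog message actually leaves the box. Interface names, the SNMP host, community string and syslog host are assumed placeholders.

```cisco
! protect: frames from unexpected MACs are dropped silently; no syslog,
! no SNMP trap, and the violation counter is not incremented, so an
! operator has nothing to alert on (assumed interface name)
interface FastEthernet0/1
 switchport port-security violation protect
!
! restrict: frames are dropped, a syslog message and an SNMP trap are sent,
! the violation counter is incremented and the port stays up for the
! legitimate hosts (assumed interface name)
interface FastEthernet0/2
 switchport port-security violation restrict
!
! shutdown (the default): the port is put into err-disabled, a syslog message
! and an SNMP trap are sent; it comes back only via "shutdown"/"no shutdown"
! or errdisable recovery cause psecure-violation (assumed interface name)
interface FastEthernet0/3
 switchport port-security violation shutdown
!
! Without these, restrict and shutdown produce no notification that anyone
! receives: enable the port-security trap and tell the switch where to send
! traps and syslog (assumed addresses and community string)
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c MONITORING
logging host 192.0.2.11
!
! The violation counter and last offending MAC per port
show port-security interface FastEthernet0/2
```

Whichever mode is chosen, the Security Violation Count and Last Source Address fields in show port-security interface are what to watch; restrict keeps the port serving its legitimate hosts while still producing that evidence, which is the trade-off Rolf's choice reflects.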
