12-29-2012 01:45 AM - edited 03-07-2019 10:49 AM
Hi, I have some confusion on a point.
Now assume I typed:
int f0/0
switchport port-security
switchport port-security maximum 10
=======================
By default the switch will learn the MAC addresses, and if it learns an 11th the port will go into error-disabled; this I understood.
But
what is the difference if I typed:
int f0/0
switchport port-security
switchport port-security maximum 10
switchport port-security mac-address sticky
=======================
I also read that mac-address sticky will learn the MAC dynamically,
so what's the difference between the two methods which I typed???
Does that mean that
mac-address sticky
is enabled by default on the switch??
regards
12-29-2012 01:55 AM
With the sticky-option the entries do not age out and become part of the port's config automatically (you can also configure them manually if needed).
Without sticky the MAC addresses of the edge devices do not matter, as long as the maximum is not exceeded.
HTH
Rolf
12-29-2012 02:21 AM
Hi Rolf,
do you think without sticky there is an aging time??? What's the aging time??
====================
Another question:
if I configured a maximum number of 10 MAC addresses
and I configured 11 MACs statically with the command:
switchport port-security mac-address xxxxxxxx
will the port go to error-disabled???
I mean the number of allowed MACs, does it include both static and dynamic, or only dynamic???
regards
12-29-2012 03:21 AM
There are some options I normally like to change from the defaults when using port-security:
- violation mode (restrict)
- aging type (inactivity)
- aging time (5 min)
Of course, there's plenty of documentation on cisco.com, but for a quick overview I still like this document:
OK, it's pretty old and we have some new options nowadays but it's clear and brief.
HTH
Rolf
###
Somehow the links I tried do not work at all, just search for "snac cisco switch security configuration guide"!
###
12-29-2012 02:57 AM
Hi
I think it's both.
Sent from Cisco Technical Support iPhone App
12-29-2012 03:27 AM
thanks both .
regards
12-29-2012 03:33 AM
Hi, I missed asking,
about the aging time:
is the aging time in port security the time of MAC learning,
or
is it the time to recover from err-disabled if the violation occurred???
regards
12-29-2012 06:54 AM
Hi,
It's the MAC learning duration.
12-29-2012 12:08 PM
Right, and the time to recover from err-disabled state can be changed by
errdisable recovery interval <30-86400>
Default is 300 seconds.
Also make sure that auto recovery is configured for err-disabled caused by port-security violations:
errdisable recovery cause psecure-violation
Regarding the aging time I found another discussion here:
https://supportforums.cisco.com/thread/2125949
Peter Paluch gives a great explanation here (like he always does...).
Best regards,
Rolf
12-29-2012 10:25 PM
fischer.rolf wrote:
Right, and the time to recover from err-disabled state can be changed by
errdisable recovery interval <30-86400>
Default is 300 seconds.
Also make sure that auto recovery is configured for err-disabled caused by port-security violations:
errdisable recovery cause psecure-violation
Regarding the aging time I found another discussion here:
https://supportforums.cisco.com/thread/2125949
Peter Paluch gives a great explanation here (like he always does...).
Best regards,
Rolf
Great, but what's the difference between the aging time of the MAC address table and the aging time in port security?? I'm confused about them.
regards
12-30-2012 01:58 AM
I must agree it's somewhat confusing. How about that:
Default PS aging is
type = absolute
time = 0 (which means never)
That means, once learned, a secure MAC address remains assigned to a port until the port changes to down-state. Thus, proper operation depends on link status changes. If you remove an edge device, the secure MAC address will be flushed and a new one can be learned.
But if you use a media converter or an unmanaged switch or something like that, you should change the timer because removing an edge device will normally not result in a link status change.
To achieve a PS aging more or less similar to CAM table aging, you can set
type = inactivity
time = 5 minutes
Best regards,
Rolf
12-30-2012 02:04 AM
fischer.rolf wrote:
I must agree it's somewhat confusing. How about that:
Default PS aging is
type = absolute
time = 0 (which means never)
That means, once learned, a secure MAC address remains assigned to a port until the port changes to down-state.
So if you change the edge device, the secure MAC address will be flushed and a new one can be learned.
If you use a media converter or an unmanaged switch, you should change the timer because removing an edge device will normally not result in a link status change.
To achieve a PS aging more or less similar to CAM table aging, you can set
type = inactivity
time = 5 minutes
Best regards,
Rolf
Hi Rolf, I really appreciate your help.
You gave me a good explanation.
=====
Thanks
=====
regards
Ahmad
12-30-2012 02:10 AM
You're welcome!
12-30-2012 10:14 AM
Rolf:
I have a question about your reply on this topic. I'm curious to know why you would do port-security violation restrict, vs. the Cisco preferred method of the default, which in this case is violation shutdown. With restrict, no SNMP trap is sent, so there may be no way for the admins to know that something is going on with that port/switch. With shutdown, you'll get the SNMP trap hit.
Just curious... myself, I prefer shutdown. I don't want any chance that someone doing something nefarious can get in...
12-30-2012 12:45 PM
Hi,
protect mode only drops prohibited frames, but restrict does send a syslog message and an SNMP trap.
Regards.
Alain
Don't forget to rate helpful posts.
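To make the points raised across this thread concrete (sticky vs. dynamic secure addresses surviving a link flap, the maximum counting static entries as well, inactivity aging, and what each violation mode does), here is an added Python model of port-security behaviour. It is a constructed example written for this page, not Cisco code and not something any poster supplied; the `SecurePort` class, its method names and the `aa:aa:aa:aa:aa:xx` sample MACs are all made up, the log strings are not real IOS syslog formats, and the rule that an over-limit static entry is rejected at configuration time is an assumption of the model.

```python
# Toy model of switchport port-security semantics (constructed example, not IOS code).
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # drop offending frames silently
    RESTRICT = "restrict"  # drop, count the violation, syslog + SNMP trap
    SHUTDOWN = "shutdown"  # err-disable the port, syslog + SNMP trap (the default)


@dataclass
class SecurePort:
    maximum: int = 1                    # switchport port-security maximum N
    sticky: bool = False                # switchport port-security mac-address sticky
    violation: Violation = Violation.SHUTDOWN
    aging_type: str = "absolute"        # "absolute" or "inactivity"
    aging_time: int = 0                 # minutes, 0 = never (the default)
    static: set = field(default_factory=set)          # configured static secure MACs
    sticky_learned: set = field(default_factory=set)  # learned, then saved to config
    dynamic: dict = field(default_factory=dict)       # mac -> (learned_at, last_seen)
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)           # constructed syslog-style lines

    def secure_count(self) -> int:
        # The maximum covers static, sticky and dynamic secure addresses together.
        return len(self.static) + len(self.sticky_learned) + len(self.dynamic)

    def add_static(self, mac: str) -> bool:
        # Model assumption: a static entry that would exceed the maximum is
        # rejected when configured rather than err-disabling the port.
        if mac in self.static:
            return True
        if self.secure_count() >= self.maximum:
            self.log.append(f"config rejected: {mac} exceeds maximum {self.maximum}")
            return False
        self.static.add(mac)
        return True

    def frame(self, src_mac: str, now: int) -> bool:
        """A frame with source src_mac arrives at minute `now`; True if forwarded."""
        if self.err_disabled:
            return False
        self._age(now)
        if src_mac in self.static or src_mac in self.sticky_learned:
            return True
        if src_mac in self.dynamic:
            learned_at, _ = self.dynamic[src_mac]
            self.dynamic[src_mac] = (learned_at, now)
            return True
        if self.secure_count() < self.maximum:
            if self.sticky:
                self.sticky_learned.add(src_mac)     # survives link down
            else:
                self.dynamic[src_mac] = (now, now)   # flushed on link down, may age out
            return True
        return self._violate(src_mac)

    def _violate(self, mac: str) -> bool:
        if self.violation is Violation.PROTECT:
            return False                             # silent drop, nothing logged
        self.violations += 1
        self.log.append(f"violation by {mac} ({self.violation.value}): syslog + trap")
        if self.violation is Violation.SHUTDOWN:
            self.err_disabled = True
        return False

    def _age(self, now: int) -> None:
        # Only dynamic secure MACs age here; static and sticky entries do not.
        if self.aging_time == 0:
            return
        for mac, (learned_at, last_seen) in list(self.dynamic.items()):
            ref = last_seen if self.aging_type == "inactivity" else learned_at
            if now - ref >= self.aging_time:
                del self.dynamic[mac]

    def link_down(self) -> None:
        self.dynamic.clear()   # dynamic entries are flushed; sticky/static remain


def demo_sticky_vs_dynamic():
    # Same traffic, one link flap: the dynamic port forgets, the sticky port remembers.
    dyn, stk = SecurePort(maximum=2), SecurePort(maximum=2, sticky=True)
    for port in (dyn, stk):
        port.frame("aa:aa:aa:aa:aa:01", now=0)
        port.link_down()
    return dyn.secure_count(), stk.secure_count()

def demo_maximum_includes_static():
    port = SecurePort(maximum=2)
    ok = [port.add_static(f"aa:aa:aa:aa:aa:0{i}") for i in (1, 2, 3)]
    return ok, port.secure_count()

def demo_violation_modes():
    out = {}
    for mode in Violation:
        port = SecurePort(maximum=1, violation=mode)
        port.frame("aa:aa:aa:aa:aa:01", now=0)
        port.frame("aa:aa:aa:aa:aa:02", now=0)   # second MAC exceeds the maximum
        out[mode.value] = (port.err_disabled, port.violations, len(port.log))
    return out

def demo_inactivity_aging():
    port = SecurePort(maximum=1, violation=Violation.RESTRICT,
                      aging_type="inactivity", aging_time=5)
    port.frame("aa:aa:aa:aa:aa:01", now=0)
    blocked = port.frame("aa:aa:aa:aa:aa:02", now=3)   # first MAC still secure
    allowed = port.frame("aa:aa:aa:aa:aa:02", now=6)   # aged out, new MAC learned
    return blocked, allowed
```

The four demo functions map onto the thread's questions: `demo_sticky_vs_dynamic` shows why the sticky entry is still there after the port goes down while the dynamic one is gone; `demo_maximum_includes_static` shows the maximum being consumed by static entries; `demo_violation_modes` shows that protect leaves no trace at all, which is the monitoring concern raised about it, whereas restrict logs and traps without err-disabling and shutdown does both; and `demo_inactivity_aging` shows the effect of the inactivity timer on a port behind an unmanaged switch or media converter where no link-down event will ever flush the old address.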