04-02-2013 05:29 AM - last edited on 03-25-2019 04:24 PM by ciscomoderator
Dear All,
I enabled port security with maximum MAC 1 and aging timeout 1 min,
and also ran switchport port-security aging static.
When I disconnected the PC from that port, it should remove the sticky MAC address from that port after the aging time expired, but it's not working.
Here is the configuration of the access port:
switchport access vlan 2
switchport mode access
switchport port-security maximum 1
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0040.8cc3.2912
switchport port-security aging static
switchport port-security aging time 1
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
Is there any configuration missing?
Regards,
Azhar
04-02-2013 05:51 AM
Azhar,
Not sure which type of switch or IOS you are using.
However, just looking at a 6500 document for 12.2SX:
When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires. When the aging type is configured with the inactivity keyword, the aging time defines the period of inactivity after which all the dynamically learned secure addresses age out.
Note: Static secure MAC addresses and sticky secure MAC addresses do not age out.
So you cannot use aging with SECURE static or sticky MAC addresses.
Regards,
Alex.
Please rate useful posts.
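An added example, not part of the thread: a small Python lint for the situation Alex describes, flagging ports that combine sticky learning with an aging time, since per the quoted note sticky secure addresses do not age out. The first stanza reuses the port-security lines posted above; the interface names and the second port are constructed for illustration.

```python
import re

# Constructed sample: the port-security lines posted in the thread under an
# assumed interface name, plus a second, constructed port without sticky.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0040.8cc3.2912
 switchport port-security aging static
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security aging time 1
!
"""

PS = "switchport port-security"

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line == "!" or not line:
            current = None          # stanza separator ends the interface block
        elif current is not None:
            current.append(line)
    return stanzas

def sticky_aging_conflicts(config):
    """Find ports that enable sticky learning and also set an aging time."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        sticky = [l for l in lines if l.startswith(PS + " mac-address sticky")]
        aging = [l for l in lines if re.match(PS + r" aging time \d+$", l)]
        if sticky and aging:
            # MAC addresses already written into the config as sticky entries
            macs = [l.split()[-1] for l in sticky if l.split()[-1] != "sticky"]
            findings[name] = {"aging": aging[0], "sticky_macs": macs}
    return findings
```

Calling `sticky_aging_conflicts()` on a saved running-config returns the ports where the aging timer is configured but the sticky entries will stay until they are cleared manually.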
04-02-2013 10:14 PM
Dear Alex,
Thanks for your comments. Actually, I want to achieve aging timeout on static or sticky MAC addresses; as you said, it's not possible.
Thanks for your expert advice.
Another thing is that if I configure a static MAC and enable the sticky feature on a port, it will allow the same MAC address to communicate on another port until and unless we clear the sticky MAC from the particular interface.
My question is: how can we verify that the MAC address is aged out, because when we disconnect the cable from one port, the MAC address table does not show any MAC on that interface.
Does it save the previous MAC address until aged out? And if we allow one MAC on that interface, will it block that interface if another MAC tries to communicate on the same interface?
Regards,
Azhar
04-02-2013 10:19 PM
Dear Alex,
I am using this IOS.
SW#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE5, RELEASE
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44r)SE1, RELEASE SOFTWARE (fc2)
Regards,
Azhar
04-02-2013 06:08 AM
Hello Azhar,
Can you show the output of
# show port-security interface xyz
Best Regards
Please rate all helpful posts and close solved questions
04-02-2013 10:17 PM
Dear Grana,
Here is the required output:
SW#sh port-security int fa0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Absolute
SecureStatic Address Aging : Enabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 848f.69f7.e853:2
Security Violation Count : 61
SW#sh int statu
Port      Name      Status       Vlan   Duplex  Speed  Type
Fa0/1               notconnect   2      auto    auto   10/100BaseTX
Fa0/2               connected    2      a-full  a-100  10/100BaseTX
Fa0/3               connected    8      a-full  a-100  10/100BaseTX
SW#
04-02-2013 11:33 PM
Hi Azar,
I got one bug, CSCdr96565, but didn't do much research on this. Kindly have a look.
Regards
Inayath