
switchport port-security aging static

Good afternoon.
Can you tell me how to set up switchport port-security aging static?
I can't figure out where to apply it.

In particular, two configurations are shown below:
vios_l2_Switch_2#show running-config interface gigabitEthernet 0/1
Building configuration...

Current configuration : 202 bytes
!
interface GigabitEthernet0/1
switchport access vlan 111
switchport mode access
switchport port-security mac-address 0050.7966.6804
switchport port-security
media-type rj45
negotiation auto
end

vios_l2_Switch_2#
vios_l2_Switch_2#show port-security interface gi0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

vios_l2_Switch_2#


vios_l2_Switch_2#show running-config interface gigabitEthernet 0/1
Building configuration...

Current configuration : 241 bytes
!
interface GigabitEthernet0/1
switchport access vlan 111
switchport mode access
switchport port-security mac-address 0050.7966.6804
switchport port-security aging static
switchport port-security
media-type rj45
negotiation auto
end

vios_l2_Switch_2#show port-security interface gi0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Enabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

vios_l2_Switch_2#

As you can see, the difference between the conclusions is:

1. The SecureStatic Address Aging : Disabled in the output
2. The presence of the string switchport port-security aging static + presence in the SecureStatic Address Aging : Enabled output

It turns out that they are essentially the same, because addresses do not age.
P.S. I'm testing in EVE-NG, on the image of vios_l2 Software (vios_l2-ADVENTERPISEK9-M), Version 15.2(4.0.55)E, TEST ENGINEERING ESTG_WEEKLY BUILD.
There was a glitch with switchport port-security aging type absolute. Maybe there's something wrong here too?


For sticky with aging I will share which SW support both.

MHM

What's the point?
sticky is saved in the device configuration and remains there even after reboot. In other words, sticky is designed for this purpose, so as not to become obsolete.

To make your lab work do

1- add an aging time; "default 0" means it is not aging.

2- try to connect a hub between the PC and SW, then disconnect the PC and check the mac address in the port security mac table, not under the interface config

MHM

The output is the same in both cases.

vios_l2_Switch_1#sho port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
111 0050.7966.6804 SecureConfigured Gi0/0 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
vios_l2_Switch_1#

can I see show port sec inter x/x <<- when you enable aging 

MHM

@Jessica-Brown-2000 

  

What do you mean by "I can't figure out where to apply it" ?

 

Switch(config)# interface gi0/1
Switch(config-if)# switchport port-security [aging {static | time aging_time | type {absolute | inactivity}}]
Switch(config-if)# end
 

I mean, I don't understand what this command is for. If without it, in my example, the behavior of the equipment is the same.
I want to understand the scenario in which I can apply this command.

Got it. 

If you use only the command "switchport port-security aging static", and considering that in your scenario you only tested with one mac address, the result may not be useful.

 

You can add more parameters in order to see the results.

SW01(config-if)# switchport port-security aging time 1800
SW01(config-if)# switchport port-security aging type inactivity
SW01(config-if)# switchport port-security aging static

After 1800 seconds, there will be violation and the interface should get into err-disable.

 

SW01(config-if)# switchport port-security aging time 1800
SW01(config-if)# switchport port-security aging type inactivity
These settings are needed so that after 1800 minutes, the mac address from which there was no traffic stops being STATIC.

SW01(config-if)# switchport port-security aging static
This setting (as I understand it) is necessary so that the mac address always remains STATIC.

The question is, why did they come up with the switchport port-security aging static command, if the default switchport port-security aging time is 0.

@Jessica-Brown-2000 

I believe this is meant to create a conditional situation. The static means the mac address will not age out and then you use the aging time so that, after XXX seconds, the switch behavior changes and the mac ages out again.

 

I made these settings:
vios_l2_Switch_1#show running-config interface gigabitEthernet 0/0 | b int
interface GigabitEthernet0/0
switchport access vlan 111
switchport mode access
switchport port-security maximum 2
switchport port-security violation protect
switchport port-security aging time 2
switchport port-security aging static
switchport port-security
negotiation auto
end

vios_l2_Switch_1#

Everything is OK here:
vios_l2_Switch_1#show mac address-table interface gigabitEthernet 0/0
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
111 0050.7966.6805 STATIC Gi0/0
111 0050.7966.6808 STATIC Gi0/0
Total Mac Addresses for this criterion: 2
vios_l2_Switch_1#

Now the aging time is not decreasing:
vios_l2_Switch_1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
111 0050.7966.6805 SecureDynamic Gi0/0 2
111 0050.7966.6808 SecureDynamic Gi0/0 2
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 4096
vios_l2_Switch_1#

vios_l2_Switch_1#show port-security interface gigabitEthernet 0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 2 mins
Aging Type : Absolute
SecureStatic Address Aging : Enabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.6805:111
Security Violation Count : 0

vios_l2_Switch_1#

 

If I had done that:
vios_l2_Switch_1#show running-config interface gigabitEthernet 0/0 | b int
interface GigabitEthernet0/0
switchport access vlan 111
switchport mode access
switchport port-security maximum 2
switchport port-security violation protect
switchport port-security
negotiation auto
end

vios_l2_Switch_1#


Then the output would look like this:
vios_l2_Switch_1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
111 0050.7966.6805 SecureDynamic Gi0/0 -
111 0050.7966.6808 SecureDynamic Gi0/0 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 4096
vios_l2_Switch_1#

In other words, the command is meaningless. Because you can just remove the aging time.

Hello @Jessica-Brown-2000 
Looks like you have set aging be it an absolute value (0mins), if you change the aging type or just set an aging value time then you will see that instead in your port readout.

interface GigabitEthernet0/1
switchport access vlan 111
switchport mode access
switchport port-security mac-address 0050.7966.680
switchport port-security aging time 10
switchport port-security aging type absolute | inactivity
switchport port-security aging static
switchport port-security


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

After reading the answers to my question, I'm starting to think even more that:
switchport port-security mac-address 0050.7966.6804
switchport port-security

and
switchport port-security mac-address 0050.7966.6804
switchport port-security aging static

leads to the same result.

friend you enable aging only 

the timer still shows "0" <<- aging time 0 meaning the aging is infinite

you need to specify a time, make it 5 sec

MHM
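
As an added illustration that is not part of any post in this thread: a small Python check that reads `show port-security interface` output and reports whether `aging static` has any effect on the port. It assumes the Cisco-documented semantics that `aging static` extends aging to statically configured secure addresses and that an aging time of 0 disables aging. The first three samples reuse field values from the outputs posted above (reduced to the fields used); the fourth is constructed to match the `aging time 10` configuration suggested in the thread.

```python
def parse_port_security(text):
    """Turn 'show port-security interface' output into {field: value}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def static_aging_effect(text):
    """Classify what 'aging static' actually does on this port."""
    f = parse_port_security(text)
    minutes = int(f["Aging Time"].split()[0])      # "2 mins" -> 2
    enabled = f["SecureStatic Address Aging"] == "Enabled"
    configured = int(f["Configured MAC Addresses"])
    if not enabled:
        return "off: configured addresses never age"
    if minutes == 0:
        return "no-op: aging time 0 disables aging"
    if configured == 0:
        return "no-op: no configured addresses on the port"
    kind = f["Aging Type"].lower()
    return f"active: {configured} configured address(es) age out, {minutes} min {kind}"


# Reduced sample output; values are filled in per case below.
TEMPLATE = """Port Security : Enabled
Aging Time : {time} mins
Aging Type : Absolute
SecureStatic Address Aging : {static}
Configured MAC Addresses : {configured}
Last Source Address:Vlan : 0000.0000.0000:0"""

SAMPLES = {
    "Gi0/1 without aging static": (0, "Disabled", 1),   # values from the thread
    "Gi0/1 with aging static": (0, "Enabled", 1),       # values from the thread
    "Gi0/0 aging time 2, learned only": (2, "Enabled", 0),  # values from the thread
    "constructed: aging time 10": (10, "Enabled", 1),   # constructed sample
}


def classify_all():
    """Return {sample name: verdict} for every sample above."""
    return {
        name: static_aging_effect(
            TEMPLATE.format(time=t, static=s, configured=c))
        for name, (t, s, c) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:36} {verdict}")
```
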
