switchport port security commands - help

carl_townshend
Spotlight

Hi all

with port security,

if I entered the command switchport port-security mac-address xxxx.xxxx.xxxx

What does this actually do? As I hear it, it does not go into the running config; I know that is what sticky is for. If I put in a MAC address, will it age out like a dynamically learned one would?

cheers

Carl

12 Replies

Mohamed Sobair
Level 7

Carl,

Any MAC address learned by a switchport is aged out after the max age timer of the CAM table expires; this applies whether port security is configured or not.

However, if you have port security with a static MAC entry, the port validates the MAC address received; if it is not the same as the configured one, then the port will immediately be shut down, as the default violation action is shutdown when port security is configured.

HTH

Mohamed

Hi Mohamed,

Any Learned Mac address by a switchport is aged out after the Max age timer of the CAM table expires, this applies whether Port Security is configured or not.

Are you sure about this one? As far as I know, secure MAC addresses (dynamic, static or sticky) are displayed as static in the show mac address-table command output, and I have a feeling they do not undergo the usual CAM table aging process. They are removed from the CAM table either after the port is disconnected, or if port-security aging is configured.

Not quite sure about this either but this is what I have thought of it so far.

Best regards,

Peter

Peter Paluch
Cisco Employee

Hi Carl,

The switchport port-security mac-address XXXX.XXXX.XXXX creates a statically defined secure MAC address. It will be placed both into the running-config and into the MAC address table, and of course if you store the configuration, it will be saved in the startup-config and loaded when the switch reboots.

Static secure MAC addresses do not age until you configure the port using the command switchport port-security aging static (at least I hope that is the correct syntax). If that command is configured, static secure MAC addresses age out just like ordinary dynamic secure MAC addresses.

The difference between a sticky and a static secure MAC address is that the sticky address gets learned automatically and is put into the running-config. A static secure MAC address must be configured manually (it will not be learned automatically), but it will also be placed into the running-config.

For more info, read this document:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1090376

Best regards,

Peter

Hi Peter,

This is true if you have aging static configured for port security, but if you don't have this option configured, are you quite sure that the static MAC address won't age? I wasn't able to find this sentence in the document you have provided.

HTH

Mohamed

Hi,

I got this from a CCIE blog:

Another thing to keep in mind is: the command switchport port-security mac-address by itself will not get the configured MAC address into the running-configuration of your switch. If you issue a show switchport port-security you'll see the configured MAC there, but not in the show run!

In order to have it in your running configuration, you have to use the STICKY keyword: switchport port-security mac-address sticky. That way, the configured MAC address will appear in the running-configuration, and of course, you'll be able to save it! If you do not specify any MAC addresses after the STICKY keyword, the switch will dynamically learn the attached MAC address and place it into your running-configuration.

Carl,

That post from the CCIE blog is wrong. Consider the reply I have posted to Mohamed with excerpts of my configuration. There is no magic there, just a simple static secure MAC, and as you can see, no sticky keyword. Sticky learning is simply a hybrid between a dynamic and a static secure MAC. A dynamic secure MAC gets learned dynamically and sits in the CAM but not in the running-config. A static secure MAC gets configured manually and sits both in the CAM and in the running-config. A sticky secure MAC gets learned dynamically (like a dynamic secure MAC) and sits both in the CAM and in the running-config (like a static secure MAC). As simple as that.

Best regards,

Peter

Hi Mohamed,

I've made a quick test in our lab. I have configured the Fa0/1 as follows:

Switch#show run int fa0/1
Building configuration...

Current configuration : 311 bytes
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security aging static
switchport port-security mac-address 0200.0001.0002 vlan access
end

I have connected a hub to the Fa0/1 to keep the interface up and running. I have furthermore shortened the CAM aging time to 30 seconds:

Switch#show mac address-table aging-time
Global Aging Time:   30
Vlan    Aging Time
----    ----------
Switch#

Then, I have connected a device to the hub (just another switch) and allowed my switch to learn its MAC address(es) as dynamic MACs. Now, consider this output:

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              5            3                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

Switch#show port-security address
          Secure Mac Address Table
--------------------------------------------------------------------------
Vlan    Mac Address       Type                       Ports   Remaining Age
                                                                (mins)
----    -----------       ----                       -----   -------------
   1    001d.e5bc.0596    SecureDynamic              Fa0/1        4 (I)
   1    001d.e5bc.05c0    SecureDynamic              Fa0/1        4 (I)
   1    0200.0001.0002    SecureConfigured           Fa0/1        4 (I)
--------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

Switch#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 3
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001d.e5bc.0596:1
Security Violation Count   : 0

Switch#show mac address-table secure
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001d.e5bc.0596    STATIC      Fa0/1
   1    001d.e5bc.05c0    STATIC      Fa0/1
   1    0200.0001.0002    STATIC      Fa0/1
Total Mac Addresses for this criterion: 3

Note that there are 2 secure dynamic and 1 static secure MAC address recognized on the port. All of them show up as static in the MAC address table listing, and they are present. Note that despite the fact that the aging time for CAM entries is 30 seconds, these addresses are identified as having 4 minutes yet to age out, indicating that they have been stored in the CAM much longer than 30 seconds, though they are still there (actually, they have been present in the CAM for 6 minutes, because the aging configured for secure MAC addresses is set to 10 minutes, as you can see in my config). From this it follows that for secure MAC addresses, the usual CAM aging time does not apply.

In addition, the Reference Guide for mac address-table aging command at the URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/command/reference/cli1.html#wp11902511

suggests: "Use the mac address-table aging-time global configuration command to set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated." Thus, as the secure MAC addresses (no matter whether dynamic, sticky or static secure) are identified as static in the MAC address table, this aging does not apply to them.

Best regards,

Peter

Hi Peter,

Thanks for coming back with a test result; this actually confirms my understanding. However, I was more concerned about the aging time of a port-security MAC without specifying the below commands on the port:

switchport port-security aging time 10
switchport port-security aging static

Could you please run the test again without entering those commands, with a global switch aging time of 30, and come back with a result showing whether it ages due to the global switch CAM table aging time or not?

Thanks again,

Mohamed

Hello Mohamed,

Currently, the switch is configured as follows:

interface FastEthernet0/1
switchport mode access
switchport port-security maximum 5
switchport port-security
switchport port-security aging type inactivity
switchport port-security mac-address 0200.0001.0002 vlan access
!
mac address-table aging-time 30

Again, I've configured one static secure MAC and let the switch learn some new secure MAC addresses dynamically on the port. These are the results after waiting at least 1-2 minutes with only the hub connected to the port and no more traffic hitting Fa0/1:

Switch#show mac address-table aging
Global Aging Time:   30
Vlan    Aging Time
----    ----------
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              5            3                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

Switch#show port-security address
          Secure Mac Address Table
--------------------------------------------------------------------------
Vlan    Mac Address       Type                       Ports   Remaining Age
                                                                (mins)
----    -----------       ----                       -----   -------------
   1    001d.e5bc.0581    SecureDynamic              Fa0/1        -
   1    001d.e5bc.0582    SecureDynamic              Fa0/1        -
   1    0200.0001.0002    SecureConfigured           Fa0/1        -
--------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

Switch#show port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 3
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001d.e5bc.0582:1
Security Violation Count   : 0

Switch#show mac address-table secure
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001d.e5bc.0581    STATIC      Fa0/1
   1    001d.e5bc.0582    STATIC      Fa0/1
   1    0200.0001.0002    STATIC      Fa0/1
Total Mac Addresses for this criterion: 3
Switch#

The secure MAC addresses remained in the CAM and did not age out. Note that the show port-sec int fa0/1 command states that the "Aging Time" is 0 minutes, indicating disabled aging, and the show port-sec address command contains a hyphen "-" in the "Remaining Age" field, confirming that aging is not a factor here.

Best regards,

Peter
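A small parser, added here as an illustration and not part of any post above, that reads the show port-security address and show port-security interface outputs from Peter's two lab tests and answers the thread's question for each secure MAC: can port-security aging ever remove it? The only inputs it needs are the table rows and the "Aging Time" / "SecureStatic Address Aging" fields; the sample rows are copied from the second test.

```python
import re

# Rows copied from Peter's second test above: no port-security aging configured,
# global CAM aging set to 30 seconds, yet every entry shows "-" as remaining age.
PSEC_ADDRESS = """\
   1    001d.e5bc.0581    SecureDynamic              Fa0/1        -
   1    001d.e5bc.0582    SecureDynamic              Fa0/1        -
   1    0200.0001.0002    SecureConfigured           Fa0/1        -
"""
PSEC_INTERFACE = """\
Aging Time                 : 0 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
"""

# vlan, mac, type, port, remaining age ("-" or a number; a trailing "(I)" is ignored)
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)")
# "Field name   : value"; field names are space-padded before the colon
FIELD = re.compile(r"^(.+?)\s+:\s*(.*)$")

def parse_secure_addresses(text):
    """Rows of 'show port-security address' -> list of dicts; '-' age means no aging."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, typ, port, age = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac, "type": typ, "port": port,
                         "remaining_age": None if age == "-" else int(age)})
    return rows

def parse_psec_interface(text):
    """'show port-security interface' -> {field: value}."""
    return {m.group(1): m.group(2) for m in map(FIELD.match, text.splitlines()) if m}

def can_age_out(entry, iface):
    """True if port-security aging can remove this secure MAC. CAM aging never does:
    every secure MAC is installed as STATIC in the MAC address table."""
    aging_mins = int(iface.get("Aging Time", "0 mins").split()[0])
    if aging_mins == 0:
        return False                      # Aging Time 0 = port-security aging off
    if entry["type"] == "SecureDynamic":
        return True                       # dynamic secure MACs age once a time is set
    if entry["type"] == "SecureConfigured":
        return iface.get("SecureStatic Address Aging") == "Enabled"  # needs 'aging static'
    raise ValueError(f"unhandled secure MAC type {entry['type']}")   # e.g. SecureSticky

def aging_report(address_text, iface_text):
    """Map each secure MAC on the port to whether port-security aging applies to it."""
    iface = parse_psec_interface(iface_text)
    return {e["mac"]: can_age_out(e, iface) for e in parse_secure_addresses(address_text)}
```

Feeding it the first test's interface output (Aging Time 10 mins, SecureStatic Address Aging Enabled) flips every entry to True, which matches the "4 (I)" remaining-age column Peter observed there.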

Hi Peter,

Good to know. I actually have no access to a lab now, but I would lab it up myself and check the output as well.

Thanks,

Regards,

Mohamed

Mohamed,

Trusting but verifying? Sure, go on.

Best regards,

Peter

Peter,

I trust your output and verification. I will just do it for my own learning.

Mohamed
