Solved: Switchport Security Aging Command

Waterbird · ‎12-17-2018

I'm familiar with the switchport aging command and it's options:

#switchport port-security aging {static | time time type {absolute | inactivity}}
- Static keyword: enables aging for statically configured secure addresses on this port
- Time time keyword: specifies the aging time for this port. 0 means aging is disabled
- Type absolute: all the secure addresses on this port age out at exactly the time specified
- Type inactivity: age out only if no data traffic for time period

I'm having trouble understanding specific cases of when you would use this command how the command options would be used in various cases. The Cisco literature only stated the following use cases:

"Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses
Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added"

I have trouble grasping these use cases. I just don't understand what they are saying after reading these sentences over and over again. Can someone please expound a little?

Simon Darlington · ‎12-17-2018

"Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses"

If port-security is enabled, aging is disabled by default. Let's assume a use case where we just have the default of maximum 1 mac address that's dynamically learned. Once it's learned that's it - any other addresses in this scenario that are seen on this port are not learnt and further are subject to violation treatments.

This dynamically learned mac address will only get deleted if the port goes down or is shutdown (side note: static and sticky would not get deleted here), following which the mac address of the device that's connected when the port comes up will be re-learnt dynamically as the secure mac address.

If the port doesn't go down, then aging represents a configurable timer that can be set to delete dynamically learnt mac addresses. Absolute will delete the mac address after a set period of time following it initially being learnt; inactivity will delete the mac address after a set period of time under the condition that no traffic is seen from this mac-address.

In the real world if we have an port with a max of 1 allowed addresses, then you may say that if the port has stayed up then there's a fair chance that the mac-address re-learnt after aging will be the same device, particularly on an edge port! So what's the point of adding the optional aging mechanism to ports where the mac address is learned dynamically? I guess this is more useful where you may have a non-edge port with a switch or hub attached where there's a requirement to allow a number of mac-addresses to connect and you have increased the port-security maximum number of addresses allowed accordingly. Aging provides a refresh mechanism to ensure these are flushed without potentially causing violations.

Hope this helps. Please rate if it does.

View solution in original post

Simon Darlington · ‎12-18-2018

"Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added"

Cisco term "secure" in this context as meaning mac addresses that are successfully added by any method - static, dynamic, dynamic sticky - the port doesn't care. Once the maximum allowed number of "secure" mac-addresses is reached, no more will be added. Any more will be in violation of port-security on that particular port.

You're right re aging-time. In the use case where we have a non-edge port with multiple devices that come and go, previously seen mac addresses can be held in the port-security list of secure addresses some time after they have been added. The maximum aging time before the secure addresses will "expire" is 24 hours - 1440 minutes. Provided the maximum allowed number of secure addresses has not been reached, then new mac addresses seen will also be added to the secure list.

Using port-security to secure the edge at layer 2 and effectively whitelist mac-addresses that are allowed on the network has the potential to lead to manual interventions and administrative overhead. Optional features like aging allow some trade-off of this overhead at the expense of allowing "new" devices to connect to the network. It's horses for courses - for example if you have a business with largely static workstations at the edge then port-security may be seen as part of the overall security of the network. Many customers I've worked with choose not to implement this feature as they are interested in device mobility and there are now more sophisticated ways of securing the edge such as Cisco ISE.

View solution in original post

balaji.bandi · ‎12-17-2018

MAC Address Aging

Aging can be configured so that the addresses expire after a certain amount of time has passed.

example : if you configure 3min of aging time, with type inactivity.

if there is no activity on that port for 3min the old device mac address purged and new device can use that port.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Simon Darlington · ‎12-17-2018

"Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses"

If port-security is enabled, aging is disabled by default. Let's assume a use case where we just have the default of maximum 1 mac address that's dynamically learned. Once it's learned that's it - any other addresses in this scenario that are seen on this port are not learnt and further are subject to violation treatments.

This dynamically learned mac address will only get deleted if the port goes down or is shutdown (side note: static and sticky would not get deleted here), following which the mac address of the device that's connected when the port comes up will be re-learnt dynamically as the secure mac address.

If the port doesn't go down, then aging represents a configurable timer that can be set to delete dynamically learnt mac addresses. Absolute will delete the mac address after a set period of time following it initially being learnt; inactivity will delete the mac address after a set period of time under the condition that no traffic is seen from this mac-address.

In the real world if we have an port with a max of 1 allowed addresses, then you may say that if the port has stayed up then there's a fair chance that the mac-address re-learnt after aging will be the same device, particularly on an edge port! So what's the point of adding the optional aging mechanism to ports where the mac address is learned dynamically? I guess this is more useful where you may have a non-edge port with a switch or hub attached where there's a requirement to allow a number of mac-addresses to connect and you have increased the port-security maximum number of addresses allowed accordingly. Aging provides a refresh mechanism to ensure these are flushed without potentially causing violations.

Hope this helps. Please rate if it does.

Waterbird · ‎12-18-2018

The use case you mention of a switch connected to a switch or hub is a good example where you might want an aging mechanism to flush old dynamically learned addresses and as a violation prevention strategy. So in this specific use case, let's see if I can interpret what Cisco means here: "Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses". So in your scenario we are "using agin gto remove" the addresses without having to manually flush with a shutdown command, or manually reconfigure. I believe the aging command applies only to dynamically learned, so I guess this explains the first Cisco quotation.

Let's see about the next one: "Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added"

I'm not sure I understand here what Cisco is getting at. Does the term "secure" MAC address refer only to static, or only to dynamic, or both? I suppose increasing aging time would allow for longer storage of past addresses, while still allowing new ones to be added, until you reach the limit.

Simon Darlington · ‎12-18-2018

"Aging time limits can also be increased to ensure past secure MAC addresses remain, even while new MAC addresses are added"

Cisco term "secure" in this context as meaning mac addresses that are successfully added by any method - static, dynamic, dynamic sticky - the port doesn't care. Once the maximum allowed number of "secure" mac-addresses is reached, no more will be added. Any more will be in violation of port-security on that particular port.

You're right re aging-time. In the use case where we have a non-edge port with multiple devices that come and go, previously seen mac addresses can be held in the port-security list of secure addresses some time after they have been added. The maximum aging time before the secure addresses will "expire" is 24 hours - 1440 minutes. Provided the maximum allowed number of secure addresses has not been reached, then new mac addresses seen will also be added to the secure list.

Using port-security to secure the edge at layer 2 and effectively whitelist mac-addresses that are allowed on the network has the potential to lead to manual interventions and administrative overhead. Optional features like aging allow some trade-off of this overhead at the expense of allowing "new" devices to connect to the network. It's horses for courses - for example if you have a business with largely static workstations at the edge then port-security may be seen as part of the overall security of the network. Many customers I've worked with choose not to implement this feature as they are interested in device mobility and there are now more sophisticated ways of securing the edge such as Cisco ISE.

Waterbird · ‎12-21-2018

One follow up question about your comment, where you said:

"Cisco term "secure" in this context as meaning mac addresses that are successfully added by any method - static, dynamic, dynamic sticky - the port doesn't care."

I noticed on a switch I have that when typing show mac-address ?, that one of the options is "secure". I found that show mac-address secure only outputted static addresses and left out all of the dynamic ones.

If secure at least in the earlier context means any type, but in the show commands only means static, I'm curious if there is any way to further expand on the "secure" term and it's full range of uses and meanings in Cisco port-security terminology.

One other point: I saw an instructor define aging as a way to define how long dynamically learned addresses are secure. He also notes it can be used for static as well but this is rarely done.

So this seems to imply that dynamic and static addresses can be considered secure or insecure. What is an insecure mac-address? Versus a secure one?