From: Ronnie Angello (ronnie.angello@gmail.com)
Date: Tue Jan 02 2007 - 23:36:32 ART

That would make perfect sense but it only works for secure addresses that
have been statically configured (at least on the Cat 3550 and 3560). From
the Cat 3550 and 3560 config guides...

The switch does not support port security aging of sticky secure MAC
addresses.

While it probably wouldn't prevent support calls, you can achieve similar
functionality by manually clearing the sticky address before the new student
can get access to the network.

Ronnie

On 1/2/07, Scott Morris <swm@emanon.com> wrote:
>
> Aging time applies specifically to dynamically learned ones. That way, say
> in a campus environment, you have one student leave and you don't have to
> wait three weeks before another one is allowed on. All of this is a balance
> of security and convenience (e.g. less support calls!).
>
> I haven't tested to see whether it applies to statically defined ones as
> well, but my guess would be no. Just like arp timers.
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPexpert VP - Curriculum Development
> IPexpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chee Chew Leong
> Sent: Tuesday, January 02, 2007 8:10 PM
> To: Scott Morris
> Cc: ccielab@groupstudy.com; 'JB'; nobody@groupstudy.com; 'Ronnie Angello'
> Subject: RE: switchport port-security aging time
>
> Just to add on, the timeout is only applicable to statically configured max
> addresses. It is not applicable to sticky learned ones.
>
> Am I right?
>
> "Scott Morris" <swm@emanon.com>
> Sent by: nobody@groupstudy.com
> 12/30/2006 10:56 PM
> Please respond to "Scott Morris" <swm@emanon.com>
> To: "'JB'" <jellyboy@gmail.com>, "'Ronnie Angello'" <ronnie.angello@gmail.com>
> cc: <ccielab@groupstudy.com>
> Subject: RE: switchport port-security aging time
>
> Well... The absolute time would be based on when the address is learned.
> The inactivity time would be based on when traffic was last received from
> that learned address.
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of JB
> Sent: Saturday, December 30, 2006 4:15 AM
> To: Ronnie Angello
> Cc: ccielab@groupstudy.com
> Subject: Re: switchport port-security aging time
>
> Hi, Thanks for the reply. Would any event start this aging process or is it
> as soon as the mac address is learned? I see there are 2 options absolute
> <default> and inactivity.
>
> JB
>
> On 12/29/06, Ronnie Angello <ronnie.angello@gmail.com> wrote:
> > It would set the aging time for all secure addresses on the port.
> >
> >
> > On 12/29/06, JB <jellyboy@gmail.com> wrote:
> > >
> > > > Hi All, I'm a bit stuck on this one - what does the switchport
> > > > port-security aging time command do exactly? I am thinking along
> > > > the lines of it being used:
> > >
> > >
> > > interface FastEthernet0/7
> > > switchport access vlan 5
> > > switchport mode access
> > > switchport port-security
> > > switchport port-security maximum 2
> > > switchport port-security aging time 1
> > >
> > > > This would allow 2 macs to be allowed on port 7. If one mac was
> > > > deleted, then another could be learned after an absolute time of
> > > > 1 minute. Am I correct or got the functionality way off the mark?
> > >
> > > TIA,
> > >
> > > JB
> > >
> > >
> > > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART
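
The absolute and inactivity timers described in the thread, together with the config guide's statement that sticky addresses are not aged, as a simplified Python model added to this archive page (not code from any poster or from Cisco). The class and function names, the MAC addresses and the timestamps are constructed for illustration; the violation action and the switch's real timer granularity are assumptions left out of the model.

```python
from dataclasses import dataclass

@dataclass
class SecureEntry:
    kind: str        # "dynamic" or "sticky"
    learned: int     # second at which the address was learned
    last_seen: int   # second of the most recent frame from it

class SecurePort:
    """Simplified model of one port (an assumption, not switch firmware)."""
    def __init__(self, maximum, aging_minutes, aging_type="absolute"):
        self.maximum = maximum
        self.aging = aging_minutes * 60   # 0 disables aging
        self.aging_type = aging_type      # "absolute" or "inactivity"
        self.table = {}

    def _expire(self, now):
        for mac, e in list(self.table.items()):
            if not self.aging or e.kind == "sticky":
                continue  # sticky entries never age, per the config guide quote
            start = e.learned if self.aging_type == "absolute" else e.last_seen
            if now - start >= self.aging:
                del self.table[mac]

    def frame(self, now, mac, sticky=False):
        """Handle a frame at second `now`; return 'forward' or 'violation'."""
        self._expire(now)
        if mac in self.table:
            self.table[mac].last_seen = now
            return "forward"
        if len(self.table) >= self.maximum:
            return "violation"   # the configured violation action is not modelled
        kind = "sticky" if sticky else "dynamic"
        self.table[mac] = SecureEntry(kind, now, now)
        return "forward"

def replay(aging_type, events, maximum=2, aging_minutes=1):
    port = SecurePort(maximum, aging_minutes, aging_type)
    return [port.frame(t, mac) for t, mac in events]

# Constructed traffic (seconds, MAC): A keeps talking, B goes quiet at t=0.
A, B, C, D = ("0000.0000.000a", "0000.0000.000b", "0000.0000.000c", "0000.0000.000d")
EVENTS = [(0, A), (0, B), (30, C), (54, A), (72, C), (78, D), (90, A)]

if __name__ == "__main__":
    for mode in ("absolute", "inactivity"):
        print(mode, replay(mode, EVENTS))
```

With `maximum 2` and `aging time 1`, absolute aging evicts the still-active host A one minute after it was learned, so A hits a violation once C and D take the slots; inactivity aging evicts only the silent host B, so A keeps its slot and D is refused.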