From: Ronnie Angello (ronnie.angello@gmail.com)
Date: Wed Jan 03 2007 - 00:33:45 ART
Thanks Scott. The wording of the Doc CD is accurate. My wording was a bit
off! So to clarify the answer to the original question...
No, the aging time is applicable to both static and dynamic secure addresses
(SecureConfigured and SecureDynamic). Correct, it does not apply to sticky
learned secure addresses (SecureSticky).
Cool, now we are all experts on port security aging time!
On 1/2/07, Scott Morris <swm@emanon.com> wrote:
>
> Sticky and static are different pieces.
>
> Static is something you pre-define into a table (and actually I did this
> and watched one age out, so it doesn't work like ARP's!).
>
> Sticky is when you want to commit the table into the saved configuration
> in case of a reboot, which (contrary to wording on DocCD) will work for
> static or dynamic learned MAC addresses.
>
> So, logically, if you commit something to the saved configuration, aging
> would have a difficult time applying there.
>
> In the case of normal usage (non-sticky) then aging time DOES apply to
> both dynamic and static defined addresses.
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPexpert VP - Curriculum Development
> IPexpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
> ------------------------------
> From: Ronnie Angello [mailto:ronnie.angello@gmail.com]
> Sent: Tuesday, January 02, 2007 9:37 PM
> To: swm@emanon.com
> Cc: Chee Chew Leong; ccielab@groupstudy.com; JB; nobody@groupstudy.com
> Subject: Re: switchport port-security aging time
>
> That would make perfect sense but it only works for secure addresses that
> have been statically configured (at least on the Cat 3550 and 3560). From
> the Cat 3550 and 3560 config guides...
>
> The switch does not support port security aging of sticky secure MAC
> addresses.
>
> While it probably wouldn't prevent support calls, you can achieve similar
> functionality by manually clearing the sticky address before the new student
> can get access to the network.
>
> Ronnie
> On 1/2/07, Scott Morris <swm@emanon.com> wrote:
> >
> > Aging time applies specifically to dynamically learned ones. That way,
> > say in a campus environment, you have one student leave and you don't
> > have to wait three weeks before another one is allowed on. All of this
> > is a balance of security and convenience (e.g. less support calls!).
> >
> > I haven't tested to see whether it applies to statically defined ones as
> > well, but my guess would be no. Just like ARP timers.
> >
> > HTH,
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > JNCIE #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPexpert VP - Curriculum Development
> > IPexpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Chee Chew Leong
> > Sent: Tuesday, January 02, 2007 8:10 PM
> > To: Scott Morris
> > Cc: ccielab@groupstudy.com; 'JB'; nobody@groupstudy.com; 'Ronnie Angello'
> > Subject: RE: switchport port-security aging time
> >
> > Just to add on, the timeout is only applicable to statically configured
> > max addresses. It is not applicable to sticky-learned ones.
> >
> > Am I right?
> >
> >
> > "Scott Morris" <swm@emanon.com>
> > Sent by: nobody@groupstudy.com
> > 12/30/2006 10:56 PM
> > Please respond to
> > "Scott Morris" <swm@emanon.com>
> >
> > To
> > "'JB'" <jellyboy@gmail.com>, "'Ronnie Angello'" <ronnie.angello@gmail.com>
> > cc
> > <ccielab@groupstudy.com>
> > Subject
> > RE: switchport port-security aging time
> >
> > Well... The absolute time would be based on when the address is learned.
> > The inactivity time would be based on when traffic was last received from
> > that learned address.
> >
> > HTH,
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > JNCIE #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPExpert VP - Curriculum Development
> > IPExpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of JB
> > Sent: Saturday, December 30, 2006 4:15 AM
> > To: Ronnie Angello
> > Cc: ccielab@groupstudy.com
> > Subject: Re: switchport port-security aging time
> >
> > Hi, Thanks for the reply. Would any event start this aging process or is
> > it as soon as the MAC address is learned? I see there are 2 options:
> > absolute <default> and inactivity.
> >
> > JB
> >
> > On 12/29/06, Ronnie Angello <ronnie.angello@gmail.com> wrote:
> > > It would set the aging time for all secure addresses on the port.
> > >
> > >
> > > On 12/29/06, JB <jellyboy@gmail.com> wrote:
> > > >
> > > > Hi All, I'm a bit stuck on this one: what does the switchport
> > > > port-security aging time command do exactly? I am thinking along
> > > > the lines of it being used:
> > > >
> > > > interface FastEthernet0/7
> > > > switchport access vlan 5
> > > > switchport mode access
> > > > switchport port-security
> > > > switchport port-security maximum 2
> > > > switchport port-security aging time 1
> > > >
> > > > This would allow 2 MACs to be allowed on port 7. If one MAC was
> > > > deleted, then another could be learned after an absolute time of
> > > > 1 minute. Am I correct or got the functionality way off the mark?
> > > >
> > > > TIA,
> > > >
> > > > JB
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
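A constructed model of the aging rules the thread settles on (absolute aging counts from the time the address was learned, inactivity aging from the last frame seen, and sticky addresses are never aged), added here as an example and not part of the original thread. The SecurePort class, the MAC addresses and the timeline are assumptions for illustration; the timeline replays JB's config (maximum 2, aging time 1) under both aging types.

```python
from dataclasses import dataclass, field

# Address types as shown by "show port-security address"; only sticky is exempt from aging.
CONFIGURED, DYNAMIC, STICKY = "SecureConfigured", "SecureDynamic", "SecureSticky"

@dataclass
class SecurePort:
    maximum: int = 1              # switchport port-security maximum N
    aging_time: int = 0           # minutes; 0 = aging disabled
    aging_type: str = "absolute"  # "absolute" (default) or "inactivity"
    table: dict = field(default_factory=dict)  # mac -> [kind, learned_at, last_seen]

    def learn(self, mac, now, kind=DYNAMIC):
        """Secure a MAC; False means the table is full (a violation)."""
        if mac in self.table:
            self.table[mac][2] = now
            return True
        if len(self.table) >= self.maximum:
            return False
        self.table[mac] = [kind, now, now]
        return True

    def seen(self, mac, now):
        """Traffic from a secured MAC only matters to the inactivity timer."""
        if mac in self.table:
            self.table[mac][2] = now

    def age(self, now):
        """Expire aged entries (sticky ones never age); return removed MACs."""
        if self.aging_time == 0:
            return []
        expired = []
        for mac, (kind, learned_at, last_seen) in list(self.table.items()):
            ref = learned_at if self.aging_type == "absolute" else last_seen
            if kind != STICKY and now - ref >= self.aging_time * 60:
                expired.append(mac)
                del self.table[mac]
        return expired


def scenario(aging_type="absolute"):
    """JB's config (maximum 2, aging time 1) on a constructed timeline (seconds)."""
    port = SecurePort(maximum=2, aging_time=1, aging_type=aging_type)
    port.learn("0001.0001.0001", 0)               # SecureDynamic
    port.learn("0002.0002.0002", 0, STICKY)       # never aged out
    blocked = port.learn("0003.0003.0003", 30)    # table full -> False
    port.seen("0001.0001.0001", 45)               # resets inactivity timer only
    expired = port.age(60)
    admitted = port.learn("0003.0003.0003", 60)
    return blocked, expired, admitted
```

With absolute aging the dynamic entry expires at 60 seconds regardless of the frame seen at 45 seconds, so the third MAC is admitted; with inactivity aging that frame restarts the timer and the third MAC is still blocked. On a real Catalyst switch, confirm how SecureConfigured entries behave with "show port-security address", since the aging static keyword controls whether they age at all.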
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART