Re: switchport port-security aging time

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Jan 03 2007 - 01:45:11 ART


For the original question: by enabling the command 'switchport port-security
aging time', only dynamically learned addresses (SecureDynamic) are aged out,
NOT statically defined MAC addresses (SecureConfigured). However, to enable
aging for statically defined MACs, use the command:

switchport port-security aging static

Verification:

switch#show run | begin interface FastEthernet0/17
interface FastEthernet0/17
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security aging time 1
 switchport port-security mac-address 0012.3f60.2ebb
 no ip address
!

switch#show run | begin fastethernet 0/17
switch#show port-security int fa 0/17
Port Security : Enabled
Port status : SecureUp
Violation mode : Protect
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Aging time : 1 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0

switch#show port-security int fa 0/17 addr
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address     Type              Ports   Remaining Age (mins)
----  --------------  ----------------  ------  --------------------
   1  0012.3f60.2ebb  SecureConfigured  Fa0/17  -   (note the dash)
   1  0013.0226.acb9  SecureDynamic     Fa0/17  1
-------------------------------------------------------------------
Total Addresses: 2

-------------------------

switch(config)#int fa 0/17
switch(config-if)#switchport port-security aging static

switch#show port-security int fa 0/17
Port Security : Enabled
Port status : SecureUp
Violation mode : Protect
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Aging time : 1 mins
Aging type : Absolute
SecureStatic address aging : Enabled
Security Violation count : 0

switch#show port-security int fa 0/17 addr
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address     Type              Ports   Remaining Age (mins)
----  --------------  ----------------  ------  --------------------
   1  0012.3f60.2ebb  SecureConfigured  Fa0/17  1
   1  0013.0226.acb9  SecureDynamic     Fa0/17  1
-------------------------------------------------------------------
Total Addresses: 2

On 1/3/07, Chee Chew Leong <cleong3@csc.com> wrote:
>
> Oops, getting confused now.
>
> static defined = switchport port-security mac-address mac_addr
> sticky learned = switchport port-security mac-address sticky mac_addr
> secure dynamic = ???
>
> What is secure dynamic with respect to port-security?
>
> If you read the configuration guide, 3550 and 3560 have different wording.
>
> "Ronnie Angello" <ronnie.angello@gmail.com>
> Sent by: nobody@groupstudy.com
> 01/03/2007 11:33 AM
> Please respond to
> "Ronnie Angello" <ronnie.angello@gmail.com>
>
>
> To
> swm@emanon.com
> cc
> Chee Chew Leong/ASIA/CSC@CSC, ccielab@groupstudy.com, jellyboy@gmail.com,
> nobody@groupstudy.com
> Subject
> Re: switchport port-security aging time
>
> Thanks Scott. The wording of the Doc CD is accurate. My wording was a bit
> off! So to clarify the answer to the original question...
>
> No, the aging time is applicable to both static and dynamic secure addresses
> (SecureConfigured and SecureDynamic). Correct, it does not apply to sticky
> learned secure addresses (SecureSticky).
>
> Cool, now we are all experts on port security aging time!
>
>
> On 1/2/07, Scott Morris <swm@emanon.com> wrote:
> >
> > Sticky and static are different pieces.
> >
> > Static is something you pre-define into a table (and actually I did this
> > and watched one age out, so it doesn't work like arp's!).
> >
> > Sticky is when you want to commit the table into the saved configuration
> > in case of a reboot, which (contrary to wording on DocCD) will work for
> > static or dynamic learned MAC addresses.
> >
> > So, logically, if you commit something to the saved configuration, aging
> > would have a difficult time applying there.
> >
> > In the case of normal usage (non-sticky) then aging time DOES apply to
> > both dynamic and static defined addresses.
> >
> > HTH,
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPexpert VP - Curriculum Development
> > IPexpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> >
> > ------------------------------
> > From: Ronnie Angello [mailto:ronnie.angello@gmail.com]
> > Sent: Tuesday, January 02, 2007 9:37 PM
> > To: swm@emanon.com
> > Cc: Chee Chew Leong; ccielab@groupstudy.com; JB; nobody@groupstudy.com
> > Subject: Re: switchport port-security aging time
> >
> >
> > That would make perfect sense but it only works for secure addresses that
> > have been statically configured (at least on the Cat 3550 and 3560). From
> > the Cat 3550 and 3560 config guides...
> >
> > The switch does not support port security aging of sticky secure MAC
> > addresses.
> >
> > While it probably wouldn't prevent support calls, you can achieve similar
> > functionality by manually clearing the sticky address before the new student
> > can get access to the network.
> >
> > Ronnie
> > On 1/2/07, Scott Morris <swm@emanon.com> wrote:
> > >
> > > Aging time applies specifically to dynamically learned ones. That way,
> > > say in a campus environment, you have one student leave and you don't have
> > > to wait three weeks before another one is allowed on. All of this is a
> > > balance of security and convenience (e.g. less support calls!).
> > >
> > > I haven't tested to see whether it applies to statically defined ones as
> > > well, but my guess would be no. Just like arp timers.
> > >
> > > HTH,
> > >
> > >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > > JNCIE
> > > #153, CISSP, et al.
> > > CCSI/JNCI-M/JNCI-J
> > > IPexpert VP - Curriculum Development
> > > IPexpert Sr. Technical Instructor
> > > smorris@ipexpert.com
> > > http://www.ipexpert.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Chee Chew Leong
> > > Sent: Tuesday, January 02, 2007 8:10 PM
> > > To: Scott Morris
> > > Cc: ccielab@groupstudy.com; 'JB'; nobody@groupstudy.com; 'Ronnie Angello'
> > > Subject: RE: switchport port-security aging time
> > >
> > > Just to add on, the timeout is only applicable to statically configured max
> > > addresses. It is not applicable to sticky learned.
> > >
> > > Am I right?
> > >
> > >
> > > "Scott Morris" <swm@emanon.com>
> > > Sent by: nobody@groupstudy.com
> > > 12/30/2006 10:56 PM
> > > Please respond to
> > > "Scott Morris" <swm@emanon.com>
> > >
> > >
> > > To
> > > "'JB'" <jellyboy@gmail.com>, "'Ronnie Angello'" <ronnie.angello@gmail.com>
> > > cc
> > > <ccielab@groupstudy.com>
> > > Subject
> > > RE: switchport port-security aging time
> > >
> > > Well... The absolute time would be based on when the address is learned.
> > > The inactivity time would be based on when traffic was last received from
> > > that learned address.
> > >
> > > HTH,
> > >
> > >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > > JNCIE
> > > #153, CISSP, et al.
> > > CCSI/JNCI-M/JNCI-J
> > > IPExpert VP - Curriculum Development
> > > IPExpert Sr. Technical Instructor
> > > smorris@ipexpert.com
> > > http://www.ipexpert.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > JB
> > > Sent: Saturday, December 30, 2006 4:15 AM
> > > To: Ronnie Angello
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: switchport port-security aging time
> > >
> > > Hi, Thanks for the reply. Would any event start this aging process or is
> > > it as soon as the mac address is learned? I see there are 2 options,
> > > absolute <default> and inactivity.
> > >
> > > JB
> > >
> > > On 12/29/06, Ronnie Angello <ronnie.angello@gmail.com> wrote:
> > > > It would set the aging time for all secure addresses on the port.
> > > >
> > > >
> > > > On 12/29/06, JB <jellyboy@gmail.com> wrote:
> > > > >
> > > > > Hi All, I'm a bit stuck on this one: what does the switchport
> > > > > port-security aging time command do exactly? I am thinking along
> > > > > the lines of it being used:
> > > > >
> > > > >
> > > > > interface FastEthernet0/7
> > > > > switchport access vlan 5
> > > > > switchport mode access
> > > > > switchport port-security
> > > > > switchport port-security maximum 2
> > > > > switchport port-security aging time 1
> > > > >
> > > > > This would allow 2 macs to be allowed on port 7. If one mac was
> > > > > deleted, then another could be learned after an absolute time of
> > > > > 1 minute. Am I correct or got the functionality way off the mark?
> > > > >
> > > > > TIA,
> > > > >
> > > > > JB
> > > > >
> > > > >
> > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html

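As an added check that is not part of this thread, the Python script below parses the two show outputs quoted above (constructed copies of them are embedded) and reports, for each secure address, whether the port's aging timer will remove it under the rules the thread settled on, cross-checking the result against the switch's own 'Remaining Age' column. The SecureSticky rule is taken from Ronnie's reading of the 3550/3560 config guides.

```python
import re

# Constructed samples modelled on the 'show port-security int fa 0/17' and
# '... addr' output quoted in the thread (state before 'aging static' was set).
SHOW_SUMMARY = """\
Aging time : 1 mins
Aging type : Absolute
SecureStatic address aging : Disabled
"""
SHOW_ADDR = """\
Vlan Mac Address Type Ports Remaining Age
---- ----------- ---- ----- -------------
   1 0012.3f60.2ebb SecureConfigured Fa0/17 -
   1 0013.0226.acb9 SecureDynamic Fa0/17 1
Total Addresses: 2
"""
ADDR_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+(\S+)\s+(\S+)\s+(\S+)", re.I)

def parse_summary(text):
    """Map the 'key : value' lines of 'show port-security interface' to a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_addresses(text):
    """Return one dict per data row of the secure MAC address table."""
    rows = []
    for m in filter(None, map(ADDR_RE.match, text.splitlines())):
        vlan, mac, kind, port, age = m.groups()
        rows.append({"vlan": int(vlan), "mac": mac.lower(), "type": kind,
                     "port": port, "remaining": None if age == "-" else int(age)})
    return rows

def aging_report(summary_text, addr_text):
    """Per secure address return (mac, type, will_age, switch_column_agrees).
    Rules as worked out in the thread: SecureDynamic ages whenever an aging
    time is set; SecureConfigured ages only with 'aging static' on (shown as
    'SecureStatic address aging : Enabled'); SecureSticky never ages. A dash
    in the switch's 'Remaining Age' column means that entry will not age.
    """
    fields = parse_summary(summary_text)
    minutes = int(fields.get("Aging time", "0 mins").split()[0])
    static_aging = fields.get("SecureStatic address aging") == "Enabled"
    report = []
    for row in parse_addresses(addr_text):
        ages = minutes > 0 and (row["type"] == "SecureDynamic" or
                                (row["type"] == "SecureConfigured" and static_aging))
        report.append((row["mac"], row["type"], ages, ages == (row["remaining"] is not None)))
    return report
```

A False in the last field flags a mismatch between the expected rule and what the switch reports, which is the case worth investigating after a change to the aging configuration.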


This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART