Re: switchport port-security aging time

From: Chee Chew Leong (cleong3@csc.com)
Date: Wed Jan 03 2007 - 06:29:56 ART


Thank you. It's cleared my misunderstanding now.

"Ronnie Angello" <ronnie.angello@gmail.com>
Sent by: nobody@groupstudy.com
01/03/2007 12:51 PM
Please respond to
"Ronnie Angello" <ronnie.angello@gmail.com>

To
Chee Chew Leong/ASIA/CSC@CSC
cc
ccielab@groupstudy.com, jellyboy@gmail.com, nobody@groupstudy.com,
swm@emanon.com
Subject
Re: switchport port-security aging time

Just the switchport port-security command alone will enable dynamic learning
of secure MACs (a max of 1 by default).
If you add the sticky command, the switch will add the dynamically learned
secure MAC(s) to the configuration. That's what Scott was referring to when
he mentioned that static (dynamic too for that matter) and sticky are two
different pieces.

CAT1(config)#int fa0/6
CAT1(config-if)#switch port
CAT1(config-if)#end
CAT1#sh port add
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  50    0012.00ac.d0e0    SecureDynamic       Fa0/6        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120
CAT1#
On 1/2/07, Chee Chew Leong <cleong3@csc.com> wrote:
>
>
> Oops, getting confused now.
>
> static defined = switchport port-security mac-address mac_addr
> sticky learned = switchport port-security mac-address sticky mac_addr
> secure dynamic = ???
>
> What is secure dynamic with respect to port-security?
>
> If you read the configuration guide, the 3550 and 3560 have different
> wording.
>
> "Ronnie Angello" <ronnie.angello@gmail.com>
> Sent by: nobody@groupstudy.com
> 01/03/2007 11:33 AM
> Please respond to
> "Ronnie Angello" <ronnie.angello@gmail.com>
>
> To
> swm@emanon.com
> cc
> Chee Chew Leong/ASIA/CSC@CSC, ccielab@groupstudy.com, jellyboy@gmail.com,
> nobody@groupstudy.com
> Subject
> Re: switchport port-security aging time
>
> Thanks Scott. The wording of the Doc CD is accurate. My wording was a bit
> off! So to clarify the answer to the original question...
>
> No, the aging time is applicable to both static and dynamic secure addresses
> (SecureConfigured and SecureDynamic). Correct, it does not apply to sticky
> learned secure addresses (SecureSticky).
>
> Cool, now we are all experts on port security aging time!
>
> On 1/2/07, Scott Morris <swm@emanon.com> wrote:
> >
> > Sticky and static are different pieces.
> >
> > Static is something you pre-define into a table (and actually I did this
> > and watched one age out, so it doesn't work like arp's!).
> >
> > Sticky is when you want to commit the table into the saved configuration
> > in case of a reboot, which (contrary to wording on DocCD) will work for
> > static or dynamic learned MAC addresses.
> >
> > So, logically, if you commit something to the saved configuration, aging
> > would have a difficult time applying there.
> >
> > In the case of normal usage (non-sticky) then aging time DOES apply to
> > both dynamic and static defined addresses.
> >
> > HTH,
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPexpert VP - Curriculum Development
> > IPexpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> >
> > ------------------------------
> > From: Ronnie Angello [mailto:ronnie.angello@gmail.com]
> > Sent: Tuesday, January 02, 2007 9:37 PM
> > To: swm@emanon.com
> > Cc: Chee Chew Leong; ccielab@groupstudy.com; JB; nobody@groupstudy.com
> > Subject: Re: switchport port-security aging time
> >
> >
> > That would make perfect sense but it only works for secure addresses that
> > have been statically configured (at least on the Cat 3550 and 3560). From
> > the Cat 3550 and 3560 config guides...
> >
> > The switch does not support port security aging of sticky secure MAC
> > addresses.
> >
> > While it probably wouldn't prevent support calls, you can achieve similar
> > functionality by manually clearing the sticky address before the new
> > student can get access to the network.
> >
> > Ronnie
> > On 1/2/07, Scott Morris <swm@emanon.com> wrote:
> > >
> > > Aging time applies specifically to dynamically learned ones. That way,
> > > say in a campus environment, you have one student leave and you don't
> > > have to wait three weeks before another one is allowed on. All of this
> > > is a balance of security and convenience (e.g. fewer support calls!).
> > >
> > > I haven't tested to see whether it applies to statically defined ones as
> > > well, but my guess would be no. Just like arp timers.
> > >
> > > HTH,
> > >
> > >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > > #153, CISSP, et al.
> > > CCSI/JNCI-M/JNCI-J
> > > IPexpert VP - Curriculum Development
> > > IPexpert Sr. Technical Instructor
> > > smorris@ipexpert.com
> > > http://www.ipexpert.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Chee Chew Leong
> > > Sent: Tuesday, January 02, 2007 8:10 PM
> > > To: Scott Morris
> > > Cc: ccielab@groupstudy.com; 'JB'; nobody@groupstudy.com; 'Ronnie Angello'
> > > Subject: RE: switchport port-security aging time
> > >
> > > Just to add on, the time out is only applicable to the statically
> > > configured max address. It is not applicable to sticky learned.
> > >
> > > Am I right?
> > >
> > > "Scott Morris" <swm@emanon.com>
> > > Sent by: nobody@groupstudy.com
> > > 12/30/2006 10:56 PM
> > > Please respond to
> > > "Scott Morris" <swm@emanon.com>
> > >
> > > To
> > > "'JB'" <jellyboy@gmail.com>, "'Ronnie Angello'" <ronnie.angello@gmail.com>
> > > cc
> > > <ccielab@groupstudy.com>
> > > Subject
> > > RE: switchport port-security aging time
> > >
> > > Well... The absolute time would be based on when the address is learned.
> > > The inactivity time would be based on when traffic was last received from
> > > that learned address.
> > >
> > > HTH,
> > >
> > >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > > #153, CISSP, et al.
> > > CCSI/JNCI-M/JNCI-J
> > > IPExpert VP - Curriculum Development
> > > IPExpert Sr. Technical Instructor
> > > smorris@ipexpert.com
> > > http://www.ipexpert.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > JB
> > > Sent: Saturday, December 30, 2006 4:15 AM
> > > To: Ronnie Angello
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: switchport port-security aging time
> > >
> > > Hi, Thanks for the reply. Would any event start this aging process or is
> > > it as soon as the mac address is learned? I see there are 2 options,
> > > absolute <default> and inactivity.
> > >
> > > JB
> > >
> > > On 12/29/06, Ronnie Angello <ronnie.angello@gmail.com> wrote:
> > > > It would set the aging time for all secure addresses on the port.
> > > >
> > > >
> > > > On 12/29/06, JB <jellyboy@gmail.com> wrote:
> > > > >
> > > > > Hi All, I'm a bit stuck on this one- what does the switchport
> > > > > port-security aging time command do exactly? I am thinking along
> > > > > the lines of it being used:
> > > > >
> > > > >
> > > > > interface FastEthernet0/7
> > > > > switchport access vlan 5
> > > > > switchport mode access
> > > > > switchport port-security
> > > > > switchport port-security maximum 2
> > > > > switchport port-security aging time 1
> > > > >
> > > > > This would allow 2 macs to be allowed on port 7. If one mac was
> > > > > deleted, then another could be learned after an absolute time of
> > > > > 1 minute. Am I correct or got the functionality way off the mark?
> > > > >
> > > > > TIA,
> > > > >
> > > > > JB
> > > > >
> > > > >
> > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
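As an added example (not code from the thread or from Cisco), here is a small Python audit that parses a constructed `show port-security address` table and applies the rule the thread settles on: SecureConfigured and SecureDynamic entries can age out, SecureSticky entries never do, and the absolute timer counts from learn time while the inactivity timer counts from last traffic. The sample rows and the helper names are assumptions.

```python
import re

# Constructed sample, modelled on the CAT1 'sh port add' output in the thread;
# the sticky and configured rows are added for illustration.
SAMPLE = """\
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  50    0012.00ac.d0e0    SecureDynamic       Fa0/6        -
  50    0012.00ac.d0e1    SecureSticky        Fa0/6        -
  50    0012.00ac.d0e2    SecureConfigured    Fa0/7        1
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 5120
"""

# One data row: vlan, dotted-hex MAC, Secure* type, port, remaining age or '-'
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(Secure\w+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

# Per the thread: configured and dynamic entries age; sticky entries live in
# the saved configuration and only a manual clear removes them.
AGEABLE_TYPES = {"SecureConfigured", "SecureDynamic"}


def parse_table(text):
    """Return one dict per secure MAC row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, mac_type, port, age = m.groups()
        entries.append({
            "vlan": int(vlan), "mac": mac.lower(), "type": mac_type, "port": port,
            "remaining_min": None if age == "-" else int(age),
            "ages_out": mac_type in AGEABLE_TYPES,
        })
    return entries

def sticky_needing_manual_clear(entries):
    """MACs the aging timer will never remove (the 'clear it by hand' case)."""
    return [e["mac"] for e in entries if not e["ages_out"]]

def expiry_seconds(learned_at, last_seen, aging_min, mode="absolute"):
    """Absolute counts from learn time; inactivity from the last traffic seen."""
    base = learned_at if mode == "absolute" else last_seen
    return base + aging_min * 60
```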



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART