Re: Re: Port-security mac-ad

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Jan 02 2008 - 16:29:05 ARST


Also Paul, AFAIK there is one more difference. SecureConfigured addresses
can be aged out using the command:

switchport port-security aging static

And as per CCO:

"The switch does not support port security aging of sticky secure MAC
addresses."

This should include both types of Sticky addresses (Static Manually
Configured or Dynamic).

Regards

Farrukh

On Jan 2, 2008 8:44 PM, Paul Cosgrove <paul.cosgrove@heanet.ie> wrote:

> Hi Scott,
>
> Addresses defined either way appear in the running config of my 3560
> (12.2-25 SED1). Looks like the only difference may be that sticky
> addresses can also be automatically learned:
>
> Switch1(config-if)#do sh run int fa0/8
> Building configuration...
>
> Current configuration : 492 bytes
> !
> interface FastEthernet0/8
>  switchport access vlan 26
>  switchport trunk encapsulation dot1q
>  switchport mode access
>  switchport port-security maximum 4
>  switchport port-security
>  switchport port-security mac-address sticky
>  switchport port-security mac-address sticky 0000.abcd.abcd
>  switchport port-security mac-address 0015.2bc4.2f23
>  switchport port-security mac-address 0015.2bc4.2fde
>  switchport port-security mac-address sticky 0015.2bc4.abbb
> end
>
> Switch1(config-if)#do sh port-security int fa0/8 addr
>           Secure Mac Address Table
> ------------------------------------------------------------------------
> Vlan    Mac Address       Type                Ports   Remaining Age
>                                                          (mins)
> ----    -----------       ----                -----   -------------
>   26    0000.abcd.abcd    SecureSticky        Fa0/8        -
>   26    0015.2bc4.2f23    SecureConfigured    Fa0/8        -
>   26    0015.2bc4.2fde    SecureConfigured    Fa0/8        -
>   26    0015.2bc4.abbb    SecureSticky        Fa0/8        -
> ------------------------------------------------------------------------
> Total Addresses: 4
>
> Switch1(config-if)#
>
>
> Regards,
>
> Paul.
>
>
> Scott Morris wrote:
> > The "switchport port-security mac-address" command only enters the MAC in
> > the RUNNING table (e.g. nothing in "show run"). If you want it to survive
> > reboot and show up in your config, you have to use sticky. Sticky will work
> > for both static AND dynamic entries.
> >
> > Look at "show run" versus "show port-security". :)
> >
> > HTH,
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
> > #153, JNCIS-ER, CISSP, et al.
> > CCSI/JNCI-M/JNCI-ER
> > VP - Technical Training - IPexpert, Inc.
> > IPexpert Sr. Technical Instructor
> >
> > A Cisco Learning Partner - We Accept Learning Credits!
> >
> > smorris@ipexpert.com
> >
> >
> >
> > Telephone: +1.810.326.1444
> > Fax: +1.810.454.0130
> > http://www.ipexpert.com
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chan Hong
> > Sent: Wednesday, January 02, 2008 11:03 AM
> > To: Eric Phillips; ccielab@groupstudy.com
> > Subject: Re: Port-security mac-address vs. mac-address sticky?
> >
> > I saw something similar in IPExpert lab. Please someone explain or post some
> > reference link, thanks.
> >
> >
> > ----- Original Message ----
> > From: Eric Phillips <eric@phillips.tc>
> > To: ccielab@groupstudy.com
> > Sent: Wednesday, January 2, 2008, 8:24:22 PM
> > Subject: Port-security mac-address vs. mac-address sticky?
> >
> > Hey all,
> >
> > I understand that with port-security the sticky command allows the switch to
> > dynamically learn MAC addresses and save them to the running config as
> > "switchport port-security mac-address sticky 0000.000c.0001" as an example.
> > What I was curious though is in all the books and CBTs I have seen, the
> > author/instructor always manually enters MAC addresses using the sticky
> > command, not just "switchport port-security mac-address 0000.000c.0001."
> >
> > If you are manually configuring the MAC addresses for port-security, is there
> > any difference between:
> > switchport port-security mac-address 0000.000c.0001 and
> > switchport port-security mac-address sticky 0000.000c.0001?
> >
> > In my testing I do not seem to see any difference, so I am curious if anyone
> > knows of a difference, or are they the same if you are manually configuring
> > the MAC addresses?
> >
> > Thanks,
> >
> > Eric
> >
> > --
> > Eric M. Phillips
> > Senior Network Consultant
> >
> > LTI Information Technology http://www.ltiit.com
> > 501 Avis Drive
> > Ann Arbor, MI 48108
> >
> > Phone: (734) 929-1400 Fax: (734) 929-1401
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
>
>
> --
> Paul Cosgrove
> HEAnet Limited, Ireland's Education and Research Network
> 1st Floor, 5 George's Dock, IFSC, Dublin 1
> Registered in Ireland, no 275301
> tel: +353-1-660 9040 fax: +353-1-660 3666
> web: http://www.heanet.ie/



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST
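
Added example (not part of the original thread): a Python check of the aging behaviour discussed above. It parses an interface configuration, classifies each configured secure MAC as SecureSticky or SecureConfigured, and reports which entries can age out. The sample is the Fa0/8 configuration quoted in the thread, trimmed, with two aging lines added; the 10-minute aging time and the function name audit_port_security are assumptions.

```python
import re

# Constructed sample: the Fa0/8 config quoted in the thread (trimmed), plus two
# aging lines added for illustration; the aging time value is an assumption.
SAMPLE_CONFIG = """\
interface FastEthernet0/8
 switchport mode access
 switchport port-security maximum 4
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.abcd.abcd
 switchport port-security mac-address 0015.2bc4.2f23
 switchport port-security mac-address 0015.2bc4.2fde
 switchport port-security mac-address sticky 0015.2bc4.abbb
"""

MAC_LINE = re.compile(
    r"^switchport port-security mac-address (sticky )?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", re.IGNORECASE)
AGING_TIME = re.compile(r"^switchport port-security aging time (\d+)$")


def audit_port_security(config_text):
    """Classify configured secure MACs and say whether each can age out."""
    aging_static, aging_minutes, entries = False, 0, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "switchport port-security aging static":
            aging_static = True
        elif (m := AGING_TIME.match(line)):
            aging_minutes = int(m.group(1))
        elif (m := MAC_LINE.match(line)):
            kind = "SecureSticky" if m.group(1) else "SecureConfigured"
            entries.append((m.group(2).lower(), kind))
    # Sticky entries never age (per the CCO statement quoted in the thread);
    # configured entries age only with "aging static" and a non-zero aging time.
    can_age = aging_static and aging_minutes > 0
    return [
        {"mac": mac, "type": kind,
         "ages_out": kind == "SecureConfigured" and can_age}
        for mac, kind in entries
    ]


if __name__ == "__main__":
    for row in audit_port_security(SAMPLE_CONFIG):
        print(f"{row['mac']}  {row['type']:<16}  ages_out={row['ages_out']}")
```

Dynamically learned non-sticky addresses do not appear in the running configuration, so this check covers only the entries an administrator or the sticky feature has written into it.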