Re: Re: Port-security mac-address vs. mac-address sticky?

From: Eric Phillips (eric@phillips.tc)
Date: Wed Jan 02 2008 - 20:56:00 ARST


Hey all,

Thanks for chiming in on this. I originally thought the same as what Scott
said: I thought maybe the non-sticky addresses would go away after I
rebooted, but on an old 2950 switch they did not. So that was why I was so
confused.

-Eric

On 1/2/08, paulc@heanet.ie <paulc@heanet.ie> wrote:
>
> Must be that the behaviour has changed as the static definitions still
> appear in the show run using 12.2(25)SED1 without using 'sticky':
>
>
> Switch1(config)#default interface fa0/8
> Interface FastEthernet0/8 set to default configuration
> Switch1(config)#int fa0/8
> Switch1(config-if)#swi mode acc
> Switch1(config-if)#swi acc vlan 26
> Switch1(config-if)#swi port-sec max 4
> Switch1(config-if)#swi port-security mac-address 0000.aaaa.aaaa
> Switch1(config-if)#swi port-security mac-address 0000.bbbb.bbbb
> Switch1(config-if)#swi port-security
> Switch1(config-if)#do sh run int fa0/8
> Building configuration...
>
> Current configuration : 252 bytes
> !
> interface FastEthernet0/8
> switchport access vlan 26
> switchport mode access
> switchport port-security maximum 4
> switchport port-security
> switchport port-security mac-address 0000.aaaa.aaaa
> switchport port-security mac-address 0000.bbbb.bbbb
> end
>
>
> Paul.
>
>
> > > Right, but if you start out WITHOUT the sticky command, they will not
> > > appear in "sh run".
> >
> > HTH,
> >
> >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > > JNCIE-M #153, JNCIS-ER, CISSP, et al.
> > CCSI/JNCI-M/JNCI-ER
> > VP - Technical Training - IPexpert, Inc.
> > IPexpert Sr. Technical Instructor
> >
> > A Cisco Learning Partner - We Accept Learning Credits!
> >
> > smorris@ipexpert.com
> >
> >
> >
> > Telephone: +1.810.326.1444
> > Fax: +1.810.454.0130
> > http://www.ipexpert.com
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Paul Cosgrove [mailto:paul.cosgrove@heanet.ie]
> > Sent: Wednesday, January 02, 2008 12:44 PM
> > To: Scott Morris
> > Cc: 'Chan Hong'; 'Eric Phillips'; ccielab@groupstudy.com
> > > Subject: Re: Re: Port-security mac-address vs. mac-address sticky?
> >
> > Hi Scott,
> >
> > > Addresses defined either way appear in the running config of my 3560
> > > (12.2-25 SED1). Looks like the only difference may be that sticky
> > > addresses can also be automatically learned:
> >
> > Switch1(config-if)#do sh run int fa0/8
> > Building configuration...
> >
> > Current configuration : 492 bytes
> > !
> > interface FastEthernet0/8
> > switchport access vlan 26
> > switchport trunk encapsulation dot1q
> > switchport mode access
> > switchport port-security maximum 4
> > switchport port-security
> > > switchport port-security mac-address sticky
> > > switchport port-security mac-address sticky 0000.abcd.abcd
> > > switchport port-security mac-address 0015.2bc4.2f23
> > > switchport port-security mac-address 0015.2bc4.2fde
> > > switchport port-security mac-address sticky 0015.2bc4.abbb
> > > end
> >
> > Switch1(config-if)#do sh port-security int fa0/8 addr
> > Secure Mac Address Table
> > ------------------------------------------------------------------------
> > Vlan Mac Address Type Ports Remaining Age
> > (mins)
> > ---- ----------- ---- ----- -------------
> > 26 0000.abcd.abcd SecureSticky Fa0/8 -
> > 26 0015.2bc4.2f23 SecureConfigured Fa0/8 -
> > 26 0015.2bc4.2fde SecureConfigured Fa0/8 -
> > 26 0015.2bc4.abbb SecureSticky Fa0/8 -
> > ------------------------------------------------------------------------
> > Total Addresses: 4
> >
> > Switch1(config-if)#
> >
> >
> > Regards,
> >
> > Paul.
> >
> >
> > Scott Morris wrote:
> > >> The "switchport port-security mac-address" command only enters the MAC
> > >> in the RUNNING table (e.g. nothing in "show run"). If you want it to
> > >> survive reboot and show up in your config, you have to use sticky.
> > >> Sticky will work for both static AND dynamic entries.
> >>
> >> Look at "show run" versus "show port-security". :)
> >>
> >> HTH,
> >>
> >>
> >> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> >> JNCIE-M #153, JNCIS-ER, CISSP, et al.
> >> CCSI/JNCI-M/JNCI-ER
> >> VP - Technical Training - IPexpert, Inc.
> >> IPexpert Sr. Technical Instructor
> >>
> >> A Cisco Learning Partner - We Accept Learning Credits!
> >>
> >> smorris@ipexpert.com
> >>
> >>
> >>
> >> Telephone: +1.810.326.1444
> >> Fax: +1.810.454.0130
> >> http://www.ipexpert.com
> >>
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> >> Of Chan Hong
> >> Sent: Wednesday, January 02, 2008 11:03 AM
> >> To: Eric Phillips; ccielab@groupstudy.com
> > >> Subject: Re: Port-security mac-address vs. mac-address sticky?
> >>
> >> I saw something similar in IPExpert lab. Please someone explain or
> >> post some reference link, thanks.
> >>
> >>
> > >> ----- Original Message -----
> > >> From: Eric Phillips <eric@phillips.tc>
> > >> To: ccielab@groupstudy.com
> > >> Sent: Wednesday, January 2, 2008, 8:24:22 PM
> > >> Subject: Port-security mac-address vs. mac-address sticky?
> >> Hey all,
> >>
> > >> I understand that with port-security the sticky command allows the
> > >> switch to dynamically learn MAC addresses and save them to the running
> > >> config as "switchport port-security mac-address sticky 0000.000c.0001"
> > >> as an example.
> > >> What I was curious though is in all the books and CBTs I have seen,
> > >> the author/instructor always manually enters MAC addresses using the
> > >> sticky command, not just "switchport port-security mac-address
> > >> 0000.000c.0001."
> > >>
> > >> If you are manually configuring the MAC addresses for port-security, is
> > >> there any difference between:
> > >> switchport port-security mac-address 0000.000c.0001 and
> > >> switchport port-security mac-address sticky 0000.000c.0001?
> > >>
> > >> In my testing I do not seem to see any difference, so I am curious if
> > >> anyone knows of a difference, or are they the same if you are manually
> > >> configuring the MAC addresses?
> >>
> >> Thanks,
> >>
> >> Eric
> >>
> >> --
> >> Eric M. Phillips
> >> Senior Network Consultant
> >>
> >> LTI Information Technology http://www.ltiit.com
> >> 501 Avis Drive
> >> Ann Arbor, MI 48108
> >>
> > >> Phone: (734) 929-1400 Fax: (734) 929-1401
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Paul Cosgrove
> > > HEAnet Limited, Ireland's Education and Research Network
> > > 1st Floor, 5 George's Dock, IFSC, Dublin 1
> > > Registered in Ireland, no 275301
> > > tel: +353-1-660 9040 fax: +353-1-660 3666
> > web: http://www.heanet.ie/
> >
> >
> >
>
>
>

-- 
Eric M. Phillips
Senior Network Consultant

LTI Information Technology http://www.ltiit.com
501 Avis Drive
Ann Arbor, MI 48108

Phone: (734) 929-1400 Fax: (734) 929-1401
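The thread settles on one practical distinction: SecureConfigured and SecureSticky entries both appear in running-config, while an address the switch learned on its own without sticky is a SecureDynamic entry that lives only in the secure address table and is gone after a reload. The script below is an added example, not code posted in the thread: it parses the `show port-security interface <if> address` table Paul pasted, checks the row count against the switch's own `Total Addresses` line, reports which entries will not survive a reload, and generates the sticky lines that would pin them. The sample output is constructed from Paul's table with one extra SecureDynamic row (the address 0015.2bc4.ffff is hypothetical); the function names are my own.

```python
import re

# Constructed sample output, not captured from a live switch: the four rows Paul
# posted plus one extra SecureDynamic row (hypothetical address) to show an entry
# that the switch learned without 'sticky' being configured on the port.
SAMPLE_OUTPUT = """\
Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age (mins)
----    -----------       ----                -----   -------------
  26    0000.abcd.abcd    SecureSticky        Fa0/8        -
  26    0015.2bc4.2f23    SecureConfigured    Fa0/8        -
  26    0015.2bc4.2fde    SecureConfigured    Fa0/8        -
  26    0015.2bc4.abbb    SecureSticky        Fa0/8        -
  26    0015.2bc4.ffff    SecureDynamic       Fa0/8        -
------------------------------------------------------------------------
Total Addresses: 5
"""

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>Secure\w+)\s+"
    r"(?P<port>\S+)\s+"
    r"(?P<age>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^\s*Total Addresses:\s*(\d+)")

# Entry types IOS shows in this table and whether they come back after a reload.
# SecureConfigured and SecureSticky are both lines in running-config, so they
# survive once 'write memory' has been done; SecureDynamic lives only in the
# secure address table and is gone after a reload (or a link flap).
SURVIVES_RELOAD = {
    "SecureConfigured": True,
    "SecureSticky": True,
    "SecureDynamic": False,
}


def parse_secure_table(text):
    """Return one dict per table row and cross-check the Total Addresses line."""
    entries, total = [], None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            entry = row.groupdict()
            entry["vlan"] = int(entry["vlan"])
            entry["mac"] = entry["mac"].lower()
            entries.append(entry)
            continue
        tot = TOTAL_RE.match(line)
        if tot:
            total = int(tot.group(1))
    # A mismatch means the paste was truncated or the regex missed a row;
    # either way the audit below would be wrong, so fail loudly.
    if total is not None and total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows but switch reports {total}")
    return entries


def volatile_entries(entries):
    """(mac, port) for every entry that will not be there after a reload."""
    return [
        (e["mac"], e["port"])
        for e in entries
        if not SURVIVES_RELOAD.get(e["type"], False)
    ]


def pin_commands(entries):
    """Interface-mode commands that turn each volatile entry into a sticky line.

    IOS converts existing dynamic entries to sticky as soon as sticky learning
    is enabled on the port; listing the addresses explicitly as well makes the
    intent visible in 'show run' and survives a reload once the config is saved.
    """
    by_port = {}
    for mac, port in volatile_entries(entries):
        cmds = by_port.setdefault(
            port, ["switchport port-security mac-address sticky"]
        )
        cmds.append(f"switchport port-security mac-address sticky {mac}")
    return by_port


if __name__ == "__main__":
    parsed = parse_secure_table(SAMPLE_OUTPUT)
    for mac, port in volatile_entries(parsed):
        print(f"{port}: {mac} is dynamic and will be lost on reload")
    for port, cmds in pin_commands(parsed).items():
        print(f"interface {port}")
        for cmd in cmds:
            print(f" {cmd}")
```

Run against real output by pasting the `show port-security interface fa0/8 address` text in place of the constructed sample. Note the caveat behind the whole thread: a sticky entry is only a running-config line, so it survives a reload exactly as well as anything else in running-config, which is not at all until `write memory` (or `copy run start`) has been done.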



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST