From: paulc@heanet.ie
Date: Wed Jan 02 2008 - 21:05:38 ARST
Thanks, that is good to know. Just tried it out and when the
SecureConfigured definitions expire due to a configured aging time, they
are then removed from the running configuration. As you said the sticky
definitions are unaffected by the aging time.
Paul.
> Also Paul, AFAIK there is one more difference. SecureConfigured addresses
> can be aged out using the command:
>
> switchport port-security aging static
>
> And as per CCO:
>
> "The switch does not support port security aging of sticky secure MAC
> addresses."
>
> This should include both types of Sticky addresses (Static Manually
> Configured or Dynamic).
>
> Regards
>
> Farrukh
>
> On Jan 2, 2008 8:44 PM, Paul Cosgrove <paul.cosgrove@heanet.ie> wrote:
>
>> Hi Scott,
>>
>> Addresses defined either way appear in the running config of my 3560
>> (12.2-25 SED1). Looks like the only difference may be that sticky
>> addresses can also be automatically learned:
>>
>> Switch1(config-if)#do sh run int fa0/8
>> Building configuration...
>>
>> Current configuration : 492 bytes
>> !
>> interface FastEthernet0/8
>> switchport access vlan 26
>> switchport trunk encapsulation dot1q
>> switchport mode access
>> switchport port-security maximum 4
>> switchport port-security
>> switchport port-security mac-address sticky
>> switchport port-security mac-address sticky 0000.abcd.abcd
>> switchport port-security mac-address 0015.2bc4.2f23
>> switchport port-security mac-address 0015.2bc4.2fde
>> switchport port-security mac-address sticky 0015.2bc4.abbb
>> end
>>
>> Switch1(config-if)#do sh port-security int fa0/8 addr
>> Secure Mac Address Table
>> ------------------------------------------------------------------------
>> Vlan Mac Address Type Ports Remaining Age
>> (mins)
>> ---- ----------- ---- ----- -------------
>> 26 0000.abcd.abcd SecureSticky Fa0/8 -
>> 26 0015.2bc4.2f23 SecureConfigured Fa0/8 -
>> 26 0015.2bc4.2fde SecureConfigured Fa0/8 -
>> 26 0015.2bc4.abbb SecureSticky Fa0/8 -
>> ------------------------------------------------------------------------
>> Total Addresses: 4
>>
>> Switch1(config-if)#
>>
>>
>> Regards,
>>
>> Paul.
>>
>>
>> Scott Morris wrote:
>> > The "switchport port-security mac-address" command only enters the MAC in
>> > the RUNNING table (e.g. nothing in "show run"). If you want it to survive
>> > reboot and show up in your config, you have to use sticky. Sticky will work
>> > for both static AND dynamic entries.
>> >
>> > Look at "show run" versus "show port-security". :)
>> >
>> > HTH,
>> >
>> >
>> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
>> > #153, JNCIS-ER, CISSP, et al.
>> > CCSI/JNCI-M/JNCI-ER
>> > VP - Technical Training - IPexpert, Inc.
>> > IPexpert Sr. Technical Instructor
>> >
>> > A Cisco Learning Partner - We Accept Learning Credits!
>> >
>> > smorris@ipexpert.com
>> >
>> >
>> >
>> > Telephone: +1.810.326.1444
>> > Fax: +1.810.454.0130
>> > http://www.ipexpert.com
>> >
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chan Hong
>> > Sent: Wednesday, January 02, 2008 11:03 AM
>> > To: Eric Phillips; ccielab@groupstudy.com
>> > Subject: Re: Port-security mac-address vs. mac-address sticky?
>> >
>> > I saw something similar in IPExpert lab. Please someone explain or post some
>> > reference link, thanks.
>> >
>> >
>> > ----- Original Message ----
>> > From: Eric Phillips <eric@phillips.tc>
>> > To: ccielab@groupstudy.com
>> > Sent: January 2, 2008, 8:24:22
>> > Subject: Port-security mac-address vs. mac-address sticky?
>> > Hey all,
>> >
>> > I understand that with port-security the sticky command allows the switch to
>> > dynamically learn MAC addresses and save them to the running config as
>> > "switchport port-security mac-address sticky 0000.000c.0001" as an example.
>> > What I was curious though is in all the books and CBTs I have seen, the
>> > author/instructor always manually enters MAC addresses using the sticky
>> > command, not just "switchport port-security mac-address 0000.000c.0001."
>> >
>> > If you are manually configuring the MAC addresses for port-security, is there
>> > any difference between:
>> > switchport port-security mac-address 0000.000c.0001 and
>> > switchport port-security mac-address sticky 0000.000c.0001?
>> >
>> > In my testing I do not seem to see any difference, so I am curious if anyone
>> > knows of a difference, or are they the same if you are manually configuring the
>> > MAC addresses?
>> >
>> > Thanks,
>> >
>> > Eric
>> >
>> > --
>> > Eric M. Phillips
>> > Senior Network Consultant
>> >
>> > LTI Information Technology http://www.ltiit.com
>> > 501 Avis Drive
>> > Ann Arbor, MI 48108
>> >
>> > Phone: (734) 929-1400 Fax: (734) 929-1401
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>>
>> --
>> Paul Cosgrove
>> HEAnet Limited, Ireland's Education and Research Network
>> 1st Floor, 5 George's Dock, IFSC, Dublin 1
>> Registered in Ireland, no 275301
>> tel: +353-1-660 9040 fax: +353-1-660 3666
>> web: http://www.heanet.ie/
>>
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST
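
An added example, not part of the original thread: a small Python audit of one interface stanza that applies what the thread established, namely that `switchport port-security aging static` removes SecureConfigured entries from the running configuration while sticky entries are unaffected. The stanza is the Fa0/8 configuration quoted in the thread with two aging lines added as constructed input; the function name and result keys are hypothetical, and treating aging as off unless an aging time is configured is an assumption.

```python
import re

# Fa0/8 stanza from the thread; the two "aging" lines are constructed additions.
SAMPLE_STANZA = """\
interface FastEthernet0/8
 switchport access vlan 26
 switchport mode access
 switchport port-security maximum 4
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.abcd.abcd
 switchport port-security mac-address 0015.2bc4.2f23
 switchport port-security mac-address 0015.2bc4.2fde
 switchport port-security mac-address sticky 0015.2bc4.abbb
"""

PREFIX = "switchport port-security "
MAC_RE = re.compile(r"mac-address (sticky )?([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", re.I)
AGING_TIME_RE = re.compile(r"aging time (\d+)$")


def audit_port_security(stanza):
    """Classify the secure MACs of one interface stanza (hypothetical helper)."""
    configured, sticky = [], []
    aging_minutes, aging_static = 0, False  # assumption: no aging unless configured
    for raw in stanza.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        rest = line[len(PREFIX):]
        mac = MAC_RE.match(rest)
        minutes = AGING_TIME_RE.match(rest)
        if mac:  # bare "mac-address sticky" (learning toggle) has no MAC and is skipped
            (sticky if mac.group(1) else configured).append(mac.group(2).lower())
        elif minutes:
            aging_minutes = int(minutes.group(1))
        elif rest == "aging static":
            aging_static = True
    # Thread's finding: static aging removes SecureConfigured entries from the
    # running configuration; sticky entries are never aged.
    ages = aging_static and aging_minutes > 0
    return {
        "ages_out": configured if ages else [],
        "stays": sticky + ([] if ages else configured),
    }
```

Entries reported under `ages_out` are the ones that silently disappear from the port's allow-list when the timer expires, so they are the ones to review when a port is meant to stay locked to specific hosts.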