From: Godswill Oletu (oletu@inbox.lv)
Date: Thu Jun 12 2008 - 01:13:02 ART
Suryakant,
The two commands are not the same and they operate differently relative to
your saved configurations:
e.g.
If you type:
'switchport port-security mac-address 0000.0000.0002' and then do 'write mem'
That mac-address is saved in your configuration file and it will survive a
reboot.
With the sticky command, it is a little bit different....
If you type:
'switchport port-security mac-address sticky'
and before the switch ever learns any mac-address, you then type 'write mem'
Each time the switch boots up, it learns any mac-address it sees on that port,
if you reboot and attach a new device, it learns the mac-address of the new
device.
However, if the switch has already learnt a mac-address via the sticky
command and you type 'write mem' any time thereafter; that config will be saved
and if you reboot the switch, it will come up with the old learned
mac-address, it will not be able to learn new mac addresses unless you
increase the number of addresses it can learn on that port from the default
one.
In a nutshell:
'switchport port-security mac-address 0000.0000.0002'; then 'write mem'
AND
'switchport port-security mac-address sticky'....then wait until it learns a
mac-address and then 'write mem'
Are essentially the same, their mac-addresses will survive a reboot.
But
'switchport port-security mac-address sticky' and making sure you never 'write
mem' when it has learnt a mac-address behaves differently, as long as you did
not save the config post-mac address learning.
HTH
Godswill Oletu
CCIE #16464 (R&S)
----- Original Message -----
From: Suryakant P
To: Godswill Oletu
Cc: ccie forum
Sent: Tuesday, June 10, 2008 8:39 AM
Subject: Re: Clarification on the Secure Addresses
Hi Godswill,
Thanks for the clarification. I was trying to simulate the information
conveyed in the statement made in univercd.
Sticky secure MAC addresses: These can be dynamically learned or manually
configured, stored in the address table, and added to the running
configuration. If these addresses are saved in the configuration file, when
the switch restarts, the interface does not need to dynamically reconfigure
them.
Do you feel the two scenarios mentioned by me exactly simulate the above
statement?
Thanks
With regards
Suryakant
On 6/8/08, Godswill Oletu <oletu@inbox.lv> wrote:
When you add the 'sticky' keyword, you are essentially leaving the control
to the Switch and asking the switch to secure the first mac-address it detects
on that port.
There is no need to go further and append a mac-address to the sticky
command; once the switch registers a mac-address on that port, it is going to
create another command for you just like.....
'switchport port-security mac-address sticky 0000.0000.0000'
If this is a trunk port, and you increase the maximum secured
mac-addresses on that port from the default of 1 to n, the switch will address
all the ports that it discovered including their vlans to your configure:
e.g. configure
!
int fa0/1
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
!
If all three mac-addresses come online and are detected by the switch, the
next time you do 'show run' you will see something like this in your config:
!
int fa0/1
switchport port-security
switchport port-security maximum 10
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.0000.0000
switchport port-security mac-address sticky 0000.0000.0000 vlan 1
switchport port-security mac-address sticky 0000.0000.0000 vlan 2
!
You can see that, it is different from:
switchport port-security mac-address 0000.0000.0002
Because, here you want to manually control the secured mac address.
HTH
Godswill Oletu
CCIE #16464 (R&S)
----- Original Message ----- From: "Suryakant P"
<suryakant.pandian@gmail.com>
To: "ccie forum" <ccielab@groupstudy.com>
Sent: Sunday, June 08, 2008 11:51 AM
Subject: Clarification on the Secure Addresses
Hi All,
Is there any difference in what the following two commands achieve on a
secure port, or are both different approaches yielding the same result?
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
or
Switch(config-if)# switchport port-security mac-address 0000.0000.0002
In my understanding, both commands add the specified address to the
mac-table and running configuration? Am I right or missing something
here?
Thanks
With regards
Suryakant
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART
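
An added example, not part of the original thread or of any Cisco tooling: a small Python audit that reads a saved configuration and reports, for each secure port, which MAC addresses a reboot would restore and how many more the port could still learn. It assumes the text is the saved startup configuration and uses the default maximum of one stated in the thread; the function name `audit`, the report fields and the sample config are constructed for illustration.

```python
import re

PS = "switchport port-security"
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan \S+)?"

# Constructed startup-config excerpt (addresses are made up).
SAMPLE = """\
interface fa0/1
 switchport port-security
 switchport port-security mac-address 0000.0000.0002
!
interface fa0/2
 switchport port-security
 switchport port-security mac-address sticky
!
interface fa0/3
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.0000.0003
"""

def audit(saved_config):
    """Map each port-security interface to what a reboot would restore."""
    ports, cur = {}, None
    for raw in saved_config.splitlines():
        line = raw.strip().lower()
        if line.startswith(("int ", "interface ")):
            cur = ports[line.split(None, 1)[1]] = {
                "enabled": False, "maximum": 1, "sticky": False,
                "static": [], "sticky_learned": []}
        elif cur is None or line == "!":
            cur = None                      # outside any interface block
        elif line == PS:
            cur["enabled"] = True
        elif m := re.fullmatch(f"{PS} maximum (\\d+)", line):
            cur["maximum"] = int(m.group(1))
        elif line == f"{PS} mac-address sticky":
            cur["sticky"] = True            # learning mode only, no address saved
        elif m := re.fullmatch(f"{PS} mac-address sticky {MAC}", line):
            cur["sticky_learned"].append(m.group(1))
        elif m := re.fullmatch(f"{PS} mac-address {MAC}", line):
            cur["static"].append(m.group(1))
    report = {}
    for name, p in ports.items():
        restored = p["static"] + p["sticky_learned"]
        if p["enabled"]:
            report[name] = {"restored": restored, "sticky": p["sticky"],
                            "free_slots": max(0, p["maximum"] - len(restored))}
    return report
```

In the sample, fa0/1 and fa0/3 come back with a saved address and no free slot, while fa0/2 comes back empty and learns whatever device it sees first.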