Re: manual sticky mac address

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Fri, 25 Sep 2009 13:18:28 +0200

Hi Abderrahim,

First, I suppose you're still thinking about Port Security and the command
"port-security mac-address sticky <MAC>", just to be on the same page.

If so, you have the following options:

1. Issue the command "port-security mac-address sticky" and hit enter -
this will dynamically add all MAC addresses that appear on the
interface to the running configuration, so you don't need to configure
them manually.

2. Issue the command "port-security mac-address sticky <MAC>" and hit
enter - this will add the specified MAC address to your running
configuration, so you don't need to wait for any MAC to appear on the
interface.

3. Issue the command "port-security mac-address <MAC>" - this adds the
MAC address manually to the configuration.

4. The switch can learn MAC addresses dynamically - normal operation
without port security.

The main difference between those three commands is the learning
method. If you want to do everything manually you use "port-security
mac-address". If dynamically, you use "sticky" option.

Real-life example: you want to configure port security for a port
where usually one workstation is connected (MAC 0001.0002.0003)
and occasionally someone connects a laptop there (and you don't
know its MAC address).

switchport port-security mac-address sticky 0001.0002.0003
switchport port-security mac-address sticky
switchport port-security mac-address
switchport port-security maximum 2

This will allow instant access for the user's workstation and will allow
one "different" MAC address to be connected to the port.

Note that this cannot be done using a simple "port-security
mac-address <MAC>", as you don't know what the second MAC will be.

HTH,

-- 
Piotr Matusiak
CCIE #19860 (R&S, SEC)
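The distinction drawn above between "mac-address <MAC>", "mac-address sticky" and "mac-address sticky <MAC>" (and Rick Mur's point further down the thread that sticky entries land only in the running configuration until a write) can be checked mechanically against a switch's configs. The following Python script is an added example, not part of this thread and not a Cisco tool: it parses two constructed IOS-style config fragments, reports the static and sticky MACs per interface against the configured maximum, and lists sticky entries that exist in running-config but not in startup-config. The interface names, MAC addresses and config text are all made up for the example.

```python
# Added example: audit Cisco IOS port-security config, comparing the sticky MACs
# in running-config with startup-config. Both configs below are constructed.
import re
from dataclasses import dataclass, field

RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0002.0003
 switchport port-security mac-address sticky 00aa.bbcc.ddee
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/3
 switchport mode access
!
"""

# Startup-config as last written: Fa0/1 has since learned a second sticky MAC.
STARTUP_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0002.0003
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

@dataclass
class PortSecurity:
    enabled: bool = False
    maximum: int = 1                  # IOS default once port-security is on
    sticky_learning: bool = False     # "mac-address sticky" with no address
    static: set = field(default_factory=set)   # "mac-address <MAC>"
    sticky: set = field(default_factory=set)   # "mac-address sticky <MAC>"

def parse_port_security(config: str) -> dict:
    """Return {interface: PortSecurity} from IOS-style config text."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = PortSecurity()
            continue
        if not line.startswith(" "):   # "!" or a global command ends the block
            current = None
            continue
        words = line.split()
        if current is None or words[:2] != ["switchport", "port-security"]:
            continue
        ps, rest = ports[current], words[2:]
        if not rest:
            ps.enabled = True
        elif rest[0] == "maximum" and len(rest) == 2:
            ps.maximum = int(rest[1])
        elif rest[0] == "mac-address":
            if rest[1:] == ["sticky"]:
                ps.sticky_learning = True
            elif len(rest) == 3 and rest[1] == "sticky" and MAC_RE.match(rest[2]):
                ps.sticky.add(rest[2])
            elif len(rest) == 2 and MAC_RE.match(rest[1]):
                ps.static.add(rest[1])
    return ports

def free_slots(ps: PortSecurity) -> int:
    """MACs the port can still learn before the violation action fires."""
    return max(ps.maximum - len(ps.static | ps.sticky), 0) if ps.enabled else 0

def unsaved_sticky(running: str, startup: str) -> dict:
    """Sticky MACs in running-config but not in startup-config: lost on reload
    unless 'write memory' / 'copy run start' is issued."""
    saved = parse_port_security(startup)
    result = {}
    for name, ps in parse_port_security(running).items():
        missing = ps.sticky - saved.get(name, PortSecurity()).sticky
        if missing:
            result[name] = sorted(missing)
    return result

if __name__ == "__main__":
    for name, ps in parse_port_security(RUNNING_CONFIG).items():
        print(name, ps, "free slots:", free_slots(ps))
    print("unsaved sticky:", unsaved_sticky(RUNNING_CONFIG, STARTUP_CONFIG))
```

On the constructed input the script reports that FastEthernet0/1 has both of its two slots filled and that 00aa.bbcc.ddee is only in running-config, which is exactly the entry that would be lost on reload without a write; FastEthernet0/2's single static entry is identical in both configs. Feeding it the output of "show running-config" and "show startup-config" from a real switch needs nothing more than reading those two files instead of the embedded strings.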
2009/9/25 abderrahim sadki <a_sadki1_at_hotmail.com>:
> What I don't understand is this:
> manual addresses are in the configuration, so even after a restart they will be
> secured. So why would I want to make them sticky as well?
>
> Abderrahim
>
> Date: Fri, 25 Sep 2009 12:11:20 +0200
> Subject: Re: manual sticky mac address
> From: rmur_at_ipexpert.com
> To: jastorino_at_ipexpert.com
> CC: iwan_at_ipexpert.com; a_sadki1_at_hotmail.com; ccielab_at_groupstudy.com
>
> I assume you refer to the sticky feature with Port Security. The difference
> between dynamic MAC learning and the sticky configuration is that sticky
> automatically adds the MAC address to the running configuration. Please
> note the "running" part, as it's not automatically added to the startup
> config, so you manually have to do a copy run start or write to save it.
>
> The dynamically learned MAC addresses are always lost after a reboot, so the
> first PC to connect to that port again has access. With the sticky feature you
> have much more control over which PC may be connected to that port, and that
> information is saved after a reboot, and it makes troubleshooting a lot easier
> as you can search through your config instead of using all kinds of show
> commands, but you still need to issue that write every time to be sure the
> sticky addresses are saved after a reboot, of course.
>
> --
>
> Regards,
>
> Rick Mur
> CCIE2 #21946 (R&S / Service Provider)
> Sr. Support Engineer   IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
>
>
> On Fri, Sep 25, 2009 at 11:37 AM, Joe Astorino <jastorino_at_ipexpert.com>
> wrote:
>
> The interesting thing is that at least on my 3560 here when you do
> "switchport port-security mac-address sticky" it automagically adds a line
> for "switchport port-security mac-address sticky <LEARNED-MAC>"
>
> On Fri, Sep 25, 2009 at 5:23 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:
>
>> It means that they are hard defined in the configuration ...
>> See it like DHCP and statically assigning an IP address based on the MAC
>> address...
>>
>> --
>> Regards,
>>
>> Iwan Hoogendoorn
>> CCIE #13084 (R&S / Security / SP)
>> Sr. Support Engineer   IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On Fri, Sep 25, 2009 at 9:39 AM, abderrahim sadki <a_sadki1_at_hotmail.com>
>> wrote:
>> > Hi,
>> >
>> > I'd like to know what is the point of having sticky manually entered MAC
>> > addresses as they are part of the configuration anyway.
>> >
>> > Thanks,
>> > Abderrahim
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> Regards,
>
> Joe Astorino - CCIE #24347 R&S
> Technical Instructor - IPexpert, Inc.
> Cell: +1.586.212.6107
> Fax: +1.810.454.0130
> Mailto:  jastorino_at_ipexpert.com
>
Received on Fri Sep 25 2009 - 13:18:28 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:04 ART