RE: manual sticky mac address

From: abderrahim sadki <a_sadki1_at_hotmail.com>
Date: Fri, 25 Sep 2009 13:26:45 +0000

Hi,

Thank you! This is exactly what I was referring to, but one last question:
with the scenario you gave, can't I use this configuration as well?
 switchport port-security mac-address 0001.0002.0003
 switchport port-security mac-address sticky
 switchport port-security mac-address
 switchport port-security maximum 2

> Date: Fri, 25 Sep 2009 13:18:28 +0200
> Subject: Re: manual sticky mac address
> From: piotr_at_ccie1.com
> To: a_sadki1_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> Hi Abderrahim,
>
> First, I suppose you're still thinking about Port Security and command
> "port-security mac-address sticky <MAC>". Just to be on the same page.
>
> If so, you have the following options:
>
> 1. Issue command "port-security mac-address sticky" and hit enter -
> this will dynamically add all MAC addresses which will appear on the
> interface to the running configuration, so you don't need to configure
> them manually.
>
> 2. Issue command "port-security mac-address sticky <MAC>" and hit
> enter - this will add the specified MAC address to your running
> configuration, so you don't need to wait for any MAC to appear on the
> interface.
>
> 3. Issue command "port-security mac-address <MAC>" - this is to add
> MAC address manually to the configuration.
>
> 4. The switch can learn MAC addresses dynamically - normal operation
> without port security.
>
> The main difference between those three commands is the learning
> method. If you want to do everything manually you use "port-security
> mac-address". If dynamically, you use "sticky" option.
>
> Real life example: you want to configure port security for a port
> where usually one workstation is connected to (MAC 0001.0002.0003)
> and occasionally someone connects there with a laptop (and you don't
> know what is the MAC address of it).
>
> switchport port-security mac-address sticky 0001.0002.0003
> switchport port-security mac-address sticky
> switchport port-security mac-address
> switchport port-security maximum 2
>
> This will allow instant access for user's workstation and will allow
> one "different" MAC address to be connected to the port.
>
> Note that it is not possible to be done using simple "port-security
> mac-address <MAC>" as you don't know what the second MAC will be.
>
> HTH,
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
>
> 2009/9/25 abderrahim sadki <a_sadki1_at_hotmail.com>:
> > what I don't understand is this:
> > manual addresses are in the configuration so even after restart they will be
> > secured. so why would I wanna make them sticky as well.
> >
> > Abderrahim
> >
> > Date: Fri, 25 Sep 2009 12:11:20 +0200
> > Subject: Re: manual sticky mac address
> > From: rmur_at_ipexpert.com
> > To: jastorino_at_ipexpert.com
> > CC: iwan_at_ipexpert.com; a_sadki1_at_hotmail.com; ccielab_at_groupstudy.com
> >
> > I assume you refer to the sticky feature with Port Security. The difference
> > with dynamic MAC learning and the sticky configuration is that sticky
> > automa(t)(g)ically adds the MAC address to the running configuration. Please
> > notice that Running part, as it's not automatically added to the startup
> > config, so you manually have to do a copy run start or write to save it.
> >
> > The dynamically learned MAC addresses are always lost after a reboot so the
> > first PC to connect to that port again has access. With the sticky feature you
> > have much more control about which PC may be connected to that port and that
> > information is saved after a reboot and it makes troubleshooting a lot easier
> > as you can search through your config, instead of using all kinds of show
> > commands, but you still need to issue that Write every time to be sure the
> > sticky addresses are saved after a reboot of course.
> >
> > --
> >
> > Regards,
> >
> > Rick Mur
> > CCIE2 #21946 (R&S / Service Provider)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com
> >
> >
> >
> >
> > On Fri, Sep 25, 2009 at 11:37 AM, Joe Astorino <jastorino_at_ipexpert.com>
> > wrote:
> >
> > The interesting thing is that at least on my 3560 here when you do
> > "switchport port-security mac-address sticky" it automagically adds a line
> > for "switchport port-security mac-address sticky <LEARNED-MAC>"
> >
> > On Fri, Sep 25, 2009 at 5:23 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:
> >
> >> It means that they are hard defined in the configuration ...
> >> See it like DHCP and statically assign an IP address based on the
> >> MAC-address...
> >>
> >> --
> >> Regards,
> >>
> >> Iwan Hoogendoorn
> >> CCIE #13084 (R&S / Security / SP)
> >> Sr. Support Engineer IPexpert, Inc.
> >> URL: http://www.IPexpert.com
> >>
> >> On Fri, Sep 25, 2009 at 9:39 AM, abderrahim sadki <a_sadki1_at_hotmail.com>
> >> wrote:
> >> > Hi,
> >> >
> >> > I'd like to know what is the point of having sticky manually entered mac
> >> > addresses as they are part of the configuration anyway.
> >> >
> >> > Thanks,
> >> > Abderrahim
Received on Fri Sep 25 2009 - 13:26:45 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:04 ART