Well... with option #1 there you are hard coding it. When you wr mem and
reload, your switch doesn't have to re-learn the MAC address to secure. With
option #2 it does have to relearn things.
On Fri, Sep 25, 2009 at 10:11 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> In this case there is no difference between "switchport port-security
> mac-address <MAC>" and "switchport port-security mac-address sticky
> <MAC>" IMO.
>
> I don't have a switch in front of me now, but as far as I remember
> after enabling sticky all dynamically learned MAC addresses will be
> converted to sticky secure and added to the running configuration.
>
> It can be a matter of commands order, as you cannot enter sticky MAC
> address without entering "port-security mac-address sticky" command
> first.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
>
>
> 2009/9/25 abderrahim sadki <a_sadki1_at_hotmail.com>:
> > Hi,
> >
> > Thank you! This is exactly what I was referring to... but one last question,
> > with the scenario you gave can't I use this configuration as well?
> > switchport port-security mac-address 0001.0002.0003
> > switchport port-security mac-address sticky
> > switchport port-security mac-address
> > port-security maximum 2
> >
> >
> >> Date: Fri, 25 Sep 2009 13:18:28 +0200
> >> Subject: Re: manual sticky mac address
> >> From: piotr_at_ccie1.com
> >> To: a_sadki1_at_hotmail.com
> >> CC: ccielab_at_groupstudy.com
> >>
> >> Hi Abderrahim,
> >>
> >> First, I suppose you're still thinking about Port Security and command
> >> "port-security mac-address sticky <MAC>". Just to be on the same page.
> >>
> >> If so, you have the following options:
> >>
> >> 1. Issue command "port-security mac-address sticky" and hit enter -
> >> this will dynamically add all MAC addresses which will appear on the
> >> interface to the running configuration, so you don't need to configure
> >> them manually.
> >>
> >> 2. Issue command "port-security mac-address sticky <MAC>" and hit
> >> enter - this will add the specified MAC address to your running
> >> configuration, so you don't need to wait for any MAC to appear on the
> >> interface.
> >>
> >> 3. Issue command "port-security mac-address <MAC>" - this is to add
> >> MAC address manually to the configuration.
> >>
> >> 4. The switch can learn MAC addresses dynamically - normal operation
> >> without port security.
> >>
> >> The main difference between those three commands is the learning
> >> method. If you want to do everything manually you use "port-security
> >> mac-address". If dynamically, you use "sticky" option.
> >>
> >> Real life example: you want to configure port security for a port
> >> where usually one workstation is connected to (MAC 0001.0002.0003)
> >> and occasionally someone connects there with a laptop (and you don't
> >> know what is the MAC address of it).
> >>
> >> switchport port-security mac-address sticky 0001.0002.0003
> >> switchport port-security mac-address sticky
> >> switchport port-security mac-address
> >> switchport port-security maximum 2
> >>
> >> This will allow instant access for user's workstation and will allow
> >> one "different" MAC address to be connected to the port.
> >>
> >> Note that it is not possible to be done using simple "port-security
> >> mac-address <MAC>" as you don't know what the second MAC will be.
> >>
> >> HTH,
> >>
> >> --
> >> Piotr Matusiak
> >> CCIE #19860 (R&S, SEC)
> >>
> >> 2009/9/25 abderrahim sadki <a_sadki1_at_hotmail.com>:
> >> > what I don't understand is this:
> >> > manual addresses are in the configuration so even after restart they
> >> > will be secured. so why would I wanna make them sticky as well.
> >> >
> >> > Abderrahim
> >> >
> >> > Date: Fri, 25 Sep 2009 12:11:20 +0200
> >> > Subject: Re: manual sticky mac address
> >> > From: rmur_at_ipexpert.com
> >> > To: jastorino_at_ipexpert.com
> >> > CC: iwan_at_ipexpert.com; a_sadki1_at_hotmail.com; ccielab_at_groupstudy.com
> >> >
> >> > I assume you refer to the sticky feature with Port Security. The
> >> > difference with dynamic MAC learning and the sticky configuration is
> >> > that sticky automa(t)(g)ically adds the MAC address to the running
> >> > configuration. Please notice that Running part, as it's not
> >> > automatically added to the startup config, so you manually have to do
> >> > a copy run start or write to save it.
> >> >
> >> > The dynamically learned MAC addresses are always lost after a reboot
> >> > so the first PC to connect to that port again has access. With the
> >> > sticky feature you have much more control about which PC may be
> >> > connected to that port and that information is saved after a reboot
> >> > and it makes troubleshooting a lot easier as you can search through
> >> > your config, instead of using all kinds of show commands, but you
> >> > still need to issue that Write every time to be sure the sticky
> >> > addresses are saved after a reboot of course.
> >> >
> >> > --
> >> >
> >> > Regards,
> >> >
> >> > Rick Mur
> >> > CCIE2 #21946 (R&S / Service Provider)
> >> > Sr. Support Engineer IPexpert, Inc.
> >> > URL: http://www.IPexpert.com
> >> >
> >> >
> >> >
> >> >
> >> > On Fri, Sep 25, 2009 at 11:37 AM, Joe Astorino <jastorino_at_ipexpert.com>
> >> > wrote:
> >> >
> >> > The interesting thing is that at least on my 3560 here when you do
> >> > "switchport port-security mac-address sticky" it automagically adds a
> >> > line for "switchport port-security mac-address sticky <LEARNED-MAC>"
> >> >
> >> > On Fri, Sep 25, 2009 at 5:23 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com>
> >> > wrote:
> >> >
> >> >> It means that they are hard defined in the configuration ...
> >> >> See it like DHCP and statically assign an IP address based on the
> >> >> MAC-address...
> >> >>
> >> >> --
> >> >> Regards,
> >> >>
> >> >> Iwan Hoogendoorn
> >> >> CCIE #13084 (R&S / Security / SP)
> >> >> Sr. Support Engineer IPexpert, Inc.
> >> >> URL: http://www.IPexpert.com
> >> >>
> >> >> On Fri, Sep 25, 2009 at 9:39 AM, abderrahim sadki <a_sadki1_at_hotmail.com>
> >> >> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I'd like to know what is the point of having sticky manually entered
> >> >> > mac addresses as they are part of the configuration anyway.
> >> >> >
> >> >> > Thanks,
> >> >> > Abderrahim
> >> >> >
> >> >> > Blogs and organic groups at http://www.ccie.net
> >> >> >
> >> >> > _______________________________________________________________________
> >> >> > Subscription information may be found at:
> >> >> > http://www.groupstudy.com/list/CCIELab.html
> >> > --
> >> > Regards,
> >> >
> >> > Joe Astorino - CCIE #24347 R&S
> >> > Technical Instructor - IPexpert, Inc.
> >> > Cell: +1.586.212.6107
> >> > Fax: +1.810.454.0130
> >> > Mailto: jastorino_at_ipexpert.com
--
Regards,

Joe Astorino - CCIE #24347 R&S
Technical Instructor - IPexpert, Inc.
Cell: +1.586.212.6107
Fax: +1.810.454.0130
Mailto: jastorino_at_ipexpert.com

Blogs and organic groups at http://www.ccie.net

Received on Fri Sep 25 2009 - 18:45:57 ART
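
The thread's point that sticky secure MACs live in the running configuration until it is saved can be checked offline. The following is an added example, not code from any poster in this thread: it compares two config dumps and lists sticky MACs that a reload would discard. The function names and both sample configs are constructed for illustration.

```python
import re

# Static or sticky secure-MAC line; the bare "mac-address sticky" enable
# line carries no MAC and therefore does not match.
MAC_LINE = re.compile(
    r"^\s*switchport port-security mac-address (sticky )?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

def secure_macs(config_text):
    """Return {interface: {mac: 'sticky' | 'static'}} from config text."""
    result, iface = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            result[iface] = {}
        elif line.strip() == "!":
            iface = None          # "!" closes the interface stanza
        elif iface:
            m = MAC_LINE.match(line)
            if m:
                kind = "sticky" if m.group(1) else "static"
                result[iface][m.group(2).lower()] = kind
    return result

def unsaved_sticky(running, startup):
    """Sticky MACs in running-config that are absent from startup-config."""
    run, start = secure_macs(running), secure_macs(startup)
    return sorted((iface, mac)
                  for iface, macs in run.items()
                  for mac, kind in macs.items()
                  if kind == "sticky" and mac not in start.get(iface, {}))

# Constructed sample: startup-config as last saved.
STARTUP = """interface FastEthernet0/1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0002.0003
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address 0001.0002.0004
!
"""
# Constructed sample: running-config after a second host was learned on Fa0/1.
RUNNING = STARTUP.replace(
    " switchport port-security mac-address sticky 0001.0002.0003\n",
    " switchport port-security mac-address sticky 0001.0002.0003\n"
    " switchport port-security mac-address sticky 00aa.bbcc.dd01\n")

if __name__ == "__main__":
    for iface, mac in unsaved_sticky(RUNNING, STARTUP):
        print(f"{iface}: sticky {mac} not saved, lost on reload")
```
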
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:04 ART