Security mac-address port in Switch CE 500

Answered Question
Sep 4th, 2008

Dear All Expert,

Could you help me please!!!

I have a Cisco CE500 switch and I would like to enable port security on it. Some commands are not clear to me, and I would like to ask you the following:

1- What is the difference between a static MAC address and sticky?

2- Please see the commands below:

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

switchport port-security mac-address sticky

switchport port-security mac-address sticky 001b.38a1.0c38

I worry that when I use the sticky command and reboot the switch, it is released automatically. I want to use this MAC address for a long time...

How can we know when it releases this MAC address?

3- On the CE500 I want to use a static MAC address, but it is not allowed?

Best Regards,

Rechard_hk

satish_zanjurne Thu, 09/04/2008 - 21:48

Hi,

• Static secure MAC addresses - These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.

• Dynamic secure MAC addresses - These are dynamically configured, stored only in the address table, and removed when the switch restarts.

• Sticky secure MAC addresses - These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

To configure a static MAC address, use the command "switchport port-security mac-address"

And if you have configured the sticky & saved, it should remain in it..

HTH..rate if helpful..

rechard_hk Fri, 09/05/2008 - 00:58

Dear satish,

I would like to confirm with you that the sticky secure MAC address command means it is stored in the address table, and when we have saved the configuration (meaning that when the switch restarts, all the MAC addresses are not lost, right?)

By the way, could you explain the commands below:

1-switchport port-security aging time 2

2-switchport port-security violation restrict

3-switchport port-security aging type inactivity

These commands are not clear to me.

Could you explain them...?

Best Regards,

satish_zanjurne Fri, 09/05/2008 - 01:42

Port Security violation happens when one of these situations occurs:

• The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

• protect - when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

• restrict - when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses.

• shutdown - a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:

• Absolute - The secure addresses on the port are deleted after the specified aging time in minutes.

• Inactivity - The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time in minutes.

So in your case, if there is no activity on your port for 2 minutes, all secure mac addresses on this port will be deleted.

HTH..rate if helpful..

Correct Answer
satish_zanjurne Fri, 09/05/2008 - 01:47

Also sticky secure mac addresses will not age..in fact switch does not support it..

So aging is for dynamically learned & statically configured mac addresses only..

For static entries you need to add "static" keyword as follows

"switchport port-security aging static"

HTH..rate if helpful..
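An added example, not part of the thread and not Cisco code: an offline audit over saved copies of the running and startup configurations, covering the two points made in the answers above (sticky addresses survive a restart only if they were saved, and aging does not apply to sticky addresses). The interface names, the second MAC address and both config texts are constructed sample input.

```python
import re

# Constructed sample input: interface names and the static MAC are assumptions.
RUNNING = """\
interface FastEthernet1
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.38a1.0c38
!
interface FastEthernet2
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
"""
# Startup config as it looks when the learned sticky address was never saved.
STARTUP = RUNNING.replace(" switchport port-security mac-address sticky 001b.38a1.0c38\n", "")
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def secure_macs(config):
    """Return {interface: {"sticky": set, "static": set, "aging": bool}}."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1],
                                       {"sticky": set(), "static": set(), "aging": False})
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current is not None:
            text = line.strip().lower()
            m = re.fullmatch(rf"switchport port-security mac-address (sticky )?({MAC})", text)
            if m:
                current["sticky" if m.group(1) else "static"].add(m.group(2))
            elif text.startswith("switchport port-security aging time"):
                current["aging"] = True
    return ports

def audit(running, startup):
    """List (interface, mac, finding) tuples for unsaved sticky MACs and no-op aging."""
    findings, run, start = [], secure_macs(running), secure_macs(startup)
    for port, info in run.items():
        saved = start.get(port, {"sticky": set()})["sticky"]
        for mac in sorted(info["sticky"] - saved):
            findings.append((port, mac, "sticky address not saved; relearned after restart"))
        if info["aging"] and info["sticky"] and not info["static"]:
            findings.append((port, None, "aging set but sticky addresses do not age"))
    return findings
```
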

rechard_hk Sun, 09/07/2008 - 17:47

Dear Satish,

Thank you for your time and full support...

:)

Best Regards,

Rechard_hk
