Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
0
Helpful
5
Replies

Age time in port security

ece344609_2
Level 1
Level 1

‎10-22-2008 06:09 AM - edited ‎03-06-2019 02:04 AM

How exactly does age time work in port security? Currently I don't have age time set for port security and I was under the impression that this means that age time is disabled which meant the secure address is active on the port forever.

Recently though I have been noticing that even when port security is set and when a computer is unplugged there is no entry in the Secure-src-addr and consequently the port does not shutdown when a different computer or device is plugged in.

The port security config is set to dynamic, violation shutdown for 5 minutes with age time not set. Anyone know what's going on?

Thanks.

Labels:
0 Helpful
5 Replies 5

adhityakarthik
Level 1
Level 1

‎10-22-2008 06:27 AM

Hi

Could you please post me the config

Regds

Adhi

0 Helpful

ece344609_2
Level 1
Level 1
In response to adhityakarthik

‎10-22-2008 07:10 AM

Here is the config of the port security on the affected port:

* = Configured MAC Address

Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex

----- -------- --------- ------------- -------- -------- -------- -------

2/1 enabled shutdown 5 0 1 disabled 9

Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left

----- -------- ----------------- -------- ----------------- ------------------

2/1 0 - - 00-0b-db-6f-82-d4 no -

0 Helpful

John Blakley
VIP Alumni
VIP Alumni

‎10-22-2008 07:14 AM

If port security is set to dynamic, then it's adding the learned addresses to the port. It won't shut the port down unless you have a max-address set. These addresses (unless sticky) will be removed when the switch is reset.

IMHO, there's no point to having port security if you don't set either the amount of accepted addresses on the port in dynamic, or set them to have static mac addresses.

Maybe this will help too:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1042596

--John

HTH, John *** Please rate all useful posts ***
0 Helpful

ece344609_2
Level 1
Level 1
In response to John Blakley

‎10-22-2008 07:30 AM

John,

Thanks for the speedy reply. I guess it was not apparent from the posted config but we do have a max address of 1 set for each port and it is dynamic.

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to ece344609_2

‎10-22-2008 07:34 AM

Yeah, I see that now :)

What happens if you ping the device that you put on after switching the cables? Does the port shutdown, or does it continue to work?

Can you post the actual config of the port?

sh run int fa0/1 (or whatever port it is)

John

HTH, John *** Please rate all useful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card