I'm trying to get serious with port-security and I'm running out of ideas on how to get it to work with dynamic MACs.
I've got a stack of 3750 running IOS Ver 12.1 (19).
My port config looks like this:
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security maximum 2
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos trust cos
no mdix auto
When I plug my laptop into this port, it learns the MAC directly and the show port-security table looks like this:
2 000f.1fbe.2669 SecureDynamic Fa4/0/27 5 (I)
and the ps interface settings like this:
3750-LL-1#show port-security interface fa4/0/27
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 5 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
When I unplug my laptop, the MAC address is deleted completely from the switch and not stored for the aging time of 5 minutes as in the config, thus making the port not unsafe.
I'm running out of steam and time on this one, so please help!
Sticky and static addresses work fine but I have to work with dynamic addresses.
What you are seeing is the normal behaviour. If a port transitions to the down state (you unplug the laptop) the secure MAC address is removed (it's removed from the CAM table as well). The aging time that is configured does not come into play if the port is down. If you leave the laptop plugged in and it doesn't send any packets for 5 minutes then its MAC will be removed from the port-security table (it will stay in the CAM table for the STP aging time, default being 300 seconds).
It sounds like you want a feature that isn't available - i.e. sticky MAC address with an aging timer?
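The point of the reply is that only configured (static) and sticky secure addresses survive a link-down event; dynamically learned ones are cleared as soon as the port goes down, whatever the aging timer says. The following Python script is an added example, not code from this thread or from Cisco: it parses the "show port-security interface" output quoted in the question (embedded here as constructed sample text) and flags ports whose protection relies on dynamic addresses, so an auditor walking a switch stack can spot them before relying on the aging timer.

```python
import re

# Constructed sample: the "show port-security interface fa4/0/27" output from the question.
SAMPLE_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 5 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
"""


def parse_port_security(text):
    """Turn the 'Key : Value' lines of show port-security interface into a dict.

    Pure counters and 'N mins' values become ints; everything else stays a string.
    Only the first ':' splits a line, so 'Last Source Address : 000f.1fbe.2669:2'
    keeps its trailing ':vlan' part intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        match = re.fullmatch(r"(\d+)(?:\s+mins)?", value)
        fields[key] = int(match.group(1)) if match else value
    return fields


def audit(fields):
    """Return a list of findings about how durable the port's protection is."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security not enabled")
        return findings

    total = fields.get("Total MAC Addresses", 0)
    # Static (configured) and sticky addresses persist across link down;
    # anything above that count is dynamic and is dropped when the link goes down.
    persistent = (fields.get("Configured MAC Addresses", 0)
                  + fields.get("Sticky MAC Addresses", 0))
    if total > persistent:
        findings.append(
            "%d dynamic secure MAC(s): cleared when the link goes down, "
            "regardless of the aging timer" % (total - persistent))

    if fields.get("Aging Type") == "Inactivity" and fields.get("Aging Time", 0) > 0:
        findings.append(
            "inactivity aging of %d min only runs while the port is up"
            % fields["Aging Time"])

    if fields.get("Violation Mode") == "Restrict":
        findings.append(
            "violation mode restrict: offending frames are dropped and counted, "
            "the port stays up")

    if fields.get("Security Violation Count", 0) > 0:
        findings.append(
            "%d violation(s) recorded on this port" % fields["Security Violation Count"])
    return findings


if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE_OUTPUT)
    for finding in audit(parsed):
        print("-", finding)
```

Run against the sample it reports one dynamic address, the up-only inactivity timer and the restrict mode; feeding it the output for each interface in a stack gives a quick list of ports where the protection will reset on every unplug.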