3850 Port-Securty Aging-Time Issue

stefan.unterreitmeier · ‎11-10-2014

Hello,

we have configured Port-Security on the Cisco Catalyst 3850 Switches on all "access ports" like this:

interface GigabitEthernet1/0/1
switchport mode trunk
switchport nonegotiate
switchport port-security
switchport port-security maximum 50
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity

I connect my PC to a mini switche and connect this to the first 3850. Everything is working.
Then I connect my PC to the second 3850 -> there is no connection. This is ok because of the aging time of 2 Minutes.
Then I connect my PC to the third 3850 behind a telephone everything is working.
After 5 to 10 Minutes I type "show mac address-table address x.x.x" on switch 1 and 3.

Switch1#sh mac address-table address ecf4.bb01.078b

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

2201 ecf4.bb01.078b STATIC Gi3/0/31

Total Mac Addresses for this criterion: 1

Switch3#sh mac address-table address ecf4.bb01.078b

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

2201 ecf4.bb01.078b STATIC Gi6/0/24

Total Mac Addresses for this criterion: 1

My MAC-Address isn't aging out. And this means I can't connect to any other Port.

After clearing port-security "clear port-security dynamic addressecf4.bb01.078b" everything is fine.

devils_advocate · ‎11-10-2014

I don't think the aging timeout works between switches, I believe its only applicable to one switch at a time.

stefan.unterreitmeier · ‎11-10-2014

Thanks for your reply.

Why shouldn't it work? If I disconnect my PC I have no activity so my mac address should age out.

So if I want to plug it in to another port after the aging time of 2 Minutes my MAC-Address will be learned and I have network connectivity. That's the plan... otherwise I will be locked out.