Cisco Support Community
New Member

port-security aging time - what is it good for?

I enabled the smartport desktop macro on a port on a 2960 switch.

In the CLI it added:

switchport port-security aging time 2
switchport port-security aging type inactivity

What do these commands do?

I read about aging and it seems that after 2 minutes of inactivity the connected device's MAC address would be removed from the table.

Does that mean that after 2 minutes I can connect a different device and the second device will now be the only device allowed?

What kind of security is that?

thanks

  • LAN Switching and Routing
13 REPLIES
New Member

Hi,

There are two types of aging you can configure:

1.) absolute—the secure addresses on that port are deleted after the specified aging time.

2.) inactivity—the secure addresses on this port are deleted only if the secure addresses are inactive for the specified aging time.

You have "inactivity" configured, which means that after 2 min (the time you have specified) the secure MAC addresses are deleted.

This feature is useful if you want to grant access only for a certain time.

florian

New Member

Thanks.

What happens if the original device becomes active again after two minutes?

Or if I connect a different device after two minutes?

New Member

It should depend on what you have configured in the first place with the "switchport port-security mac-address" command.

If you have configured static entries, then I guess either no device will be able to connect on this port anymore, or dynamic learning is used.

If you have configured dynamic entries with the "sticky" command, then I would say the port will learn new MAC addresses up to the max. number of MAC addresses you have allowed on that port.

But I never tried this myself, so I am not sure.

csco, if you have the switch, just try it, as this is tested within 10 min.

If you test, let me know about the result.

Does someone else have experience with this?

florian

Cisco Employee

Hello Florian and Jacob,

You have to remember that port security is about

  1. allowing only stations with secure MAC addresses to communicate on a port
  2. allowing a secure MAC address to be located on a single secure port only

The first task is much more visible and prominent: you have a set of "allowed" (secure in Cisco parlance) MAC addresses, all other MAC addresses are disallowed on a port. These MAC addresses may either be configured statically, or learned dynamically, or learned dynamically and automatically added to the configuration (sticky).

The port does not care about the types of secure MAC addresses. If you have configured a maximum of 5 secure MAC addresses on a port and already added 2 of them statically, another 3 can always be learned dynamically on the fly. A security violation would ensue if there were already 5 secure MAC addresses in place, and a frame with yet another source MAC address came in, or if some of these 5 secure MAC addresses suddenly appeared as a source MAC of a frame received on a different secure port.

About aging - Florian is absolutely correct about the absolute and inactivity aging types. An important thing, again, to remember is that aging is relevant in situations where the port remains connected. If a port gets disconnected and goes down, dynamic secure MAC addresses are flushed immediately (static and sticky secure MAC addresses will be retained). Hence, the configuration as added by Jacob makes sure that even if the port remains up, an inactive dynamically learned secure MAC address will be flushed after 2 minutes.

So, to Jacob's questions:

"What happens if the original device becomes active again after two minutes?"

"Or if I connect a different device after two minutes?"

Nothing special will happen. If the port does not get disconnected, the dynamically learned secure MAC address will be flushed. Whichever device comes in after two minutes, its MAC address will be learned and it will be allowed to communicate.

If the port does get disconnected, the dynamically learned secure MAC address will be flushed immediately. A device will be allowed to communicate immediately after plugging it back (provided the maximum count of secure MACs has not already been used up by static/sticky secure MAC addresses).

In order to stop speculating into great depths, Jacob - would you mind posting the entire configuration of your interface?

Best regards,

Peter

New Member

Thanks Peter.

Here is the config:

interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!

The config was created by the smartport desktop macro.

I would like to understand what security such a config gives me,

and when you say "the port gets disconnected" do you mean physically or by setting

Cisco Employee

Hello Jacob,

This configuration means:

  1. Only 1 secure MAC address is allowed (the command switchport port-security maximum is not visible, meaning the default value of 1 is used). No static or sticky secure MAC addresses are defined, so this single MAC address will always be dynamically learned.
  2. This dynamic secure MAC address will be flushed after 2 minutes of inactivity.
  3. If a second MAC address is received on the port while the first dynamic secure MAC address is still active, the frames with the offending MAC address will be dropped and a message will be logged (the restrict type of violation reaction).

In other words, this configuration always allows at most a single device to access the network via the Gi1/0/1 port. The MAC address of this device will be flushed after 2 minutes of inactivity (this is actually relevant only if another switch was connected to the Gi1/0/1 port, because a disconnection of the device on the second switch would not be noticed by your Gi1/0/1 port, and hence there must be some limit after which old dynamic secure MAC addresses are removed - but if there is a device directly connected to Gi1/0/1, after it is disconnected the dynamic secure MAC will be flushed immediately).

"and when you say "the port gets disconnected" do you mean physically or by setting"

Both. Either unplugging the cable or shutting down the port will result in dynamic secure MAC addresses being flushed.

Best regards,

Peter
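Added example, not code from the thread or from Cisco: a small Python model of the port-security behaviour Florian and Peter describe (absolute versus inactivity aging, the default maximum of 1, the restrict violation action, and the immediate flush of dynamic addresses on link down), with Jacob's Gi1/0/1 settings traced step by step. The class and function names and the MAC addresses are constructed for the example; times are seconds, aging_time is in minutes like the IOS command, and static/sticky entries are assumed never to age (IOS only ages them with "switchport port-security aging static", which this thread's config does not use).

```python
# Constructed model of Cisco port-security semantics as described in the thread.
# Simplification: static/sticky entries never age here (no "aging static").
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecureMac:
    mac: str
    kind: str         # "static", "sticky" or "dynamic"
    learned_at: int   # when the address became secure (seconds)
    last_seen: int    # last frame seen from this source (seconds)


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum (default 1)
    aging_time: int = 0           # minutes; 0 = aging disabled (IOS default)
    aging_type: str = "absolute"  # "absolute" (IOS default) or "inactivity"
    violation: str = "shutdown"   # "protect", "restrict" or "shutdown" (default)
    link_up: bool = True
    err_disabled: bool = False
    violations: int = 0
    secure: Dict[str, SecureMac] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add_static(self, mac: str, now: int = 0, sticky: bool = False) -> None:
        """Configured (static) or sticky-learned address; survives link down."""
        self.secure[mac] = SecureMac(mac, "sticky" if sticky else "static", now, now)

    def _age(self, now: int) -> None:
        """Drop dynamic secure addresses whose aging timer has expired."""
        if self.aging_time == 0:
            return
        limit = self.aging_time * 60
        for mac, e in list(self.secure.items()):
            if e.kind != "dynamic":
                continue
            ref = e.learned_at if self.aging_type == "absolute" else e.last_seen
            if now - ref >= limit:
                del self.secure[mac]
                self.log.append(f"{now}s aged out dynamic {mac} ({self.aging_type})")

    def receive(self, src_mac: str, now: int) -> bool:
        """A frame with source src_mac arrives at time now; True if forwarded."""
        if not self.link_up or self.err_disabled:
            return False
        self._age(now)
        entry = self.secure.get(src_mac)
        if entry is not None:
            entry.last_seen = now       # inactivity timer restarts
            return True
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = SecureMac(src_mac, "dynamic", now, now)
            self.log.append(f"{now}s learned dynamic {src_mac}")
            return True
        self.violations += 1            # over the maximum: violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"{now}s violation by {src_mac}: port err-disabled")
        elif self.violation == "restrict":
            self.log.append(f"{now}s violation by {src_mac}: dropped and logged")
        return False                    # protect: dropped silently

    def link_down(self, now: int) -> None:
        """Cable pulled or 'shutdown': dynamic entries are flushed at once."""
        self.link_up = False
        for mac, e in list(self.secure.items()):
            if e.kind == "dynamic":
                del self.secure[mac]
                self.log.append(f"{now}s link down, flushed dynamic {mac}")


def jacob_port() -> SecurePort:
    """Gi1/0/1 as posted: maximum 1 (default), 2 min inactivity aging, restrict."""
    return SecurePort("Gi1/0/1", maximum=1, aging_time=2,
                      aging_type="inactivity", violation="restrict")


def trace_inactivity() -> List[bool]:
    """PC A talks; PC B is refused while A is fresh, accepted once A idles 2 min."""
    p = jacob_port()
    return [
        p.receive("aa:aa:aa:aa:aa:01", now=0),    # A learned -> True
        p.receive("bb:bb:bb:bb:bb:02", now=30),   # B: violation, dropped -> False
        p.receive("aa:aa:aa:aa:aa:01", now=100),  # A refreshes its timer -> True
        p.receive("bb:bb:bb:bb:bb:02", now=150),  # A idle only 50 s -> False
        p.receive("bb:bb:bb:bb:bb:02", now=220),  # A idle 120 s: aged; B learned -> True
        p.receive("aa:aa:aa:aa:aa:01", now=230),  # now A is the extra device -> False
    ]


def trace_absolute() -> List[bool]:
    """Same port with absolute aging: A ages out 2 min after learning even if busy."""
    p = jacob_port()
    p.aging_type = "absolute"
    return [
        p.receive("aa:aa:aa:aa:aa:01", now=0),
        p.receive("aa:aa:aa:aa:aa:01", now=119),  # still inside 120 s -> True
        p.receive("bb:bb:bb:bb:bb:02", now=121),  # A aged at 120 s; B learned -> True
    ]


def trace_link_down() -> List[bool]:
    """Unplugging flushes the dynamic entry immediately; a sticky entry survives."""
    p = jacob_port()
    p.receive("aa:aa:aa:aa:aa:01", now=0)
    p.link_down(now=5)
    p.link_up = True
    replug_allowed = p.receive("bb:bb:bb:bb:bb:02", now=6)   # True
    q = jacob_port()
    q.add_static("cc:cc:cc:cc:cc:03", sticky=True)           # sticky uses the one slot
    q.link_down(now=0)
    q.link_up = True
    return [replug_allowed, q.receive("bb:bb:bb:bb:bb:02", now=1)]  # [True, False]
```

The `trace_inactivity` run is Jacob's question answered in code: B is refused only while A's inactivity timer is fresh, and once A has been silent for the configured 2 minutes the slot is free for whichever device speaks next. `trace_absolute` shows why the macro picks inactivity rather than absolute: with absolute aging an actively talking device is dropped on the timer regardless. `trace_link_down` mirrors Peter's point that aging only matters while the port stays up, since a link-down flushes dynamic entries at once while sticky/static ones keep their slot.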

New Member

Peter, thanks for your patience.

If I understood correctly from your above post,

the config would be useful to block attempts to connect switches to the port;

any other device would not have a problem.

Is that so?

Cisco Employee (Accepted Solution)

Hi Jacob,

Yes, you are correct. The above configuration would prevent attaching more than one end device to the port (using an additional switch, hub, access point, ...).

Best regards,

Peter

New Member

Thanks!
