port security aging
smcclenaghan
Member Posts: 139
in CCNP
My understanding of port security is that aging defaults to 0 which means that MACs observed on a port do not age out.
In practice on a 2950, they seem to age out immediately when set to 0 (or anything else).
Switch-01#show clock
*00:44:45.707 UTC Mon Mar 1 1993
Switch-01#sho port-security interface fa0/24
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000a.b8cf.6a97
Security Violation Count : 0
Switch-01#show clock
*00:44:58.655 UTC Mon Mar 1 1993
Switch-01#sho port-security interface fa0/24
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000a.b8cf.6a96
Security Violation Count : 0
Switch-01#show clock
*00:45:09.039 UTC Mon Mar 1 1993
Switch-01#sho port-security interface fa0/24
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000a.b8cf.6a95
Security Violation Count : 0
Switch-01#show clock
*00:45:17.711 UTC Mon Mar 1 1993
I repeated the test after changing the aging to 2 and got the same results.
Have I misunderstood something? I expected the "Total MAC Addresses" to increment during the 2 minute period (or during any period while aging was set to 0).
Comments
smcclenaghan Member Posts: 139
Ok, I'm stumped on this one.
I tried setting sticky just to see if maybe the aging only affected sticky MACs, but no. Aging has no effect on sticky MACs.
It's like without using sticky, the only way I can force the switchport into errdisable is to run 3 MACs concurrently. That can't be how this is supposed to work. I'm running Version 12.1(22)EA14.
tomtom1 Member Posts: 375
Did the link on fa0/24 go down during your testing, for example, if you plugged it into another device? How is the test performed? If the port goes down, the mac-address table is flushed for that port.

Alex90 Member Posts: 289
Surely the port err-disables when you have 3 mac-addresses because you have the 'maximum 2' command configured?
smcclenaghan Member Posts: 139
Hey,
I think I just may not understand how the port-security works. My tests on 2950 and 3750 were the same.
So help me understand.
Does the 'switchport port-security max <#>' indicate the number of CONCURRENT connections? If so, then I don't understand the point of aging. I originally thought that if aging were set to, say, 15 minutes, that I could connect five different devices within 15 minutes (one at a time, disconnecting one before connecting another), and the count of MACs should rise to 5.
As tomtom1 mentions above, when I disconnect an interface, that address is immediately flushed.
Ok, so what does aging do for me then?
Without sticky, if I understand this correctly, I can configure a max # of MACs which will only be remembered as long as they all remain connected.
Without sticky, it seems there is no way to configure a max of 5 MACs, for example, and ask that the switch remember those MACs whether or not they stay connected, unless I statically configure them.
WITH sticky, I still don't understand the point of aging, since the entries have permanently been written to the configs.
I feel like I'm missing something really basic here. So to sum up my post, I've got two questions.
1) Does 'switchport port-security max <#>' only track number of CURRENTLY CONNECTED mac addresses?
2) If so, what is the point of aging (with or without sticky)?
networker050184 Mod Posts: 11,962
Yes it's currently (within aging if configured or they don't age by default). There are no MACs if the port is down.
The point of aging is that once a MAC is learned the only way to remove it from port security is to reset it. Imagine you have an IP phone with a PC behind it. You want to use another PC there. Do you reset the whole thing every time? Or let the old PC MAC age out?
An expert is a man who has made all the mistakes which can be made.
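As an added example (editor's addition, not part of any post in this thread), here is the IOS interface configuration for the scenario networker050184 describes: an IP phone with one PC behind it, with aging set so that a replaced PC's address drops out on its own instead of requiring the port to be reset. The interface name and the 15-minute timer are assumed values, not taken from the thread; the defaults shown in the comments (aging time 0, type absolute, static aging disabled) are the ones visible in the original poster's `show port-security interface` output.

```cisco
! Added example configuration, not from the thread. Interface and timer are assumed.
! IOS defaults are aging time 0 (never age) and aging type absolute, which is what
! the original "Aging Time : 0 mins / Aging Type : Absolute" output shows.
interface FastEthernet0/24
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 ! Age a dynamically learned address after 15 minutes with no traffic from it,
 ! so a swapped-out PC frees its slot without a shut/no shut on the port.
 switchport port-security aging time 15
 switchport port-security aging type inactivity
 ! 'aging type absolute' would instead drop every learned address 15 minutes
 ! after it was learned, whether or not the host is still sending.
 !
 ! Aging never touches sticky or statically configured secure addresses unless
 ! static aging is enabled; "SecureStatic Address Aging : Disabled" in the show
 ! output reflects the absence of this line. Uncomment to age those entries too:
 ! switchport port-security aging static
!
! Verification, and manual cleanup when you do not want to wait for the timer:
! show port-security interface FastEthernet0/24
! show port-security address
! clear port-security dynamic interface FastEthernet0/24
```

With `maximum 2` and `violation shutdown`, a third concurrent address still err-disables the port exactly as Alex90 notes; aging only governs how long an address that has gone quiet keeps occupying one of the two slots.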
smcclenaghan Member Posts: 139Ok, that makes some sense. I didn't think about it like that. It didn't occur to me to test multiple devices via the same port without changing cables.
I think I'll do that next just as a sanity check.
Thanks for the information.