switchport port-security

Discussion in 'Cisco' started by firewallstarter@hotmail.com, Nov 28, 2005.

  1. Guest

    All,
    I'm looking at switchport security on the Cisco switches we have on
    campus, 2950s & 4500s. I'm confused about the difference between the
    following commands

    conf t
    int fast 0/1
    switchport port-security mac-address H.H.H

    and

    conf t
    int fast 0/1
    switchport port-security mac-address sticky H.H.H


    Can anybody tell me why you would use the sticky command in this case
    and what the material difference between the 2 commands is?


    Thanks as ever for your assistance.

    FWS
     
    , Nov 28, 2005
    #1

  2. Doan Guest

    On 28 Nov 2005 wrote:

    > All,
    > I'm looking at switchport security on the Cisco switches we have on
    > campus, 2950s & 4500s. I'm confused about the difference between the
    > following commands
    >
    > conf t
    > int fast 0/1
    > switchport port-security mac-address H.H.H
    >
    > and
    >
    > conf t
    > int fast 0/1
    > switchport port-security mac-address sticky H.H.H
    >
    >
    > Can anybody tell me why you would use the sticky command in this case
    > and what the material difference between the 2 commands is?
    >
    >
    > Thanks as ever for your assistance.
    >
    > FWS
    >


    I hope this helps:

    "After you have set the maximum number of secure MAC addresses on a port,
    the secure addresses are included in an address table in one of these
    ways:

    - You can configure all secure MAC addresses by using the switchport
    port-security mac-address mac_address interface configuration command.

    - You can allow the port to dynamically configure secure MAC addresses
    with the MAC addresses of connected devices.

    - You can configure a number of addresses and allow the rest to be
    dynamically configured.

    Note If the port shuts down, all dynamically learned addresses are
    removed.

    - You can configure MAC addresses to be sticky. These can be dynamically
    learned or manually configured, stored in the address table, and added to
    the running configuration. If these addresses are saved in the
    configuration file, the interface does not need to dynamically relearn
    them when the switch restarts. Although sticky secure addresses can be
    manually configured, it is not recommended."

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00802c30af.html

    Doan
     
    Doan, Nov 28, 2005
    #2

  3. Guest

    Thanks for that info but I'm still unclear what the difference between
    the 2 commands is, if any. The Cisco statement

    "
    Although sticky secure addresses can be manually configured, it is not
    recommended.
    "

    does not give much away. I wonder why this is not recommended?


    Thanks,

    FWS

    Doan wrote:
    >
    > I hope this helps:
    >
    > "After you have set the maximum number of secure MAC addresses on a port,
    > the secure addresses are included in an address table in one of these
    > ways:
    >
    > - You can configure all secure MAC addresses by using the switchport
    > port-security mac-address mac_address interface configuration command.
    >
    > - You can allow the port to dynamically configure secure MAC addresses
    > with the MAC addresses of connected devices.
    >
    > - You can configure a number of addresses and allow the rest to be
    > dynamically configured.
    >
    > Note If the port shuts down, all dynamically learned addresses are
    > removed.
    >
    > - You can configure MAC addresses to be sticky. These can be dynamically
    > learned or manually configured, stored in the address table, and added to
    > the running configuration. If these addresses are saved in the
    > configuration file, the interface does not need to dynamically relearn
    > them when the switch restarts. Although sticky secure addresses can be
    > manually configured, it is not recommended."
    >
    > http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00802c30af.html
    >
    > Doan
     
    , Nov 30, 2005
    #3
  4. Doan Guest

    The first one is straightforward: you know the mac-address on that
    port and you configure it so.

    The second one gives you more flexibility. The mac-address can be
    dynamically learned. The actual command you type in is:
    "switchport port-security mac-address sticky"
    The router then automatically adds the command:
    "switchport port-security mac-address sticky H.H.H" once it has learned
    the mac-address.
    You can also manually configure it, but you might as well configure
    it as in the first one.

    Doan


    On 30 Nov 2005 wrote:

    > Thanks for that info but I'm still unclear what the difference between
    > the 2 commands is, if any. The Cisco statement
    >
    > "
    > Although sticky secure addresses can be manually configured, it is not
    > recommended.
    > "
    >
    > does not give much away. I wonder why this is not recommended?
    >
    >
    > Thanks,
    >
    > FWS
    >
     
    Doan, Nov 30, 2005
    #4
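
An added example, not part of any post in this thread: a small Python audit that separates static from sticky secure addresses in a switch configuration and lists sticky addresses present in the running configuration but not yet saved, which the interface would have to relearn after a restart. The two configurations are constructed samples, and the line layout is assumed to follow the commands quoted above.

```python
import re

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
STATIC_RE = re.compile(rf"^switchport port-security mac-address ({MAC})$")
STICKY_RE = re.compile(rf"^switchport port-security mac-address sticky ({MAC})$")

# Constructed sample: Fa0/1 has a static entry, Fa0/2 has sticky learning
# enabled and one address the switch has learned and written back.
RUNNING = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.ddee
!
"""
# Constructed startup-config: saved before the sticky address was learned.
STARTUP = RUNNING.replace(
    " switchport port-security mac-address sticky 00aa.bbcc.ddee\n", "")

def parse_port_security(config):
    """Map interface name -> sticky-learning flag, static MACs, sticky MACs."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(
                line.split(None, 1)[1],
                {"sticky_learning": False, "static": set(), "sticky": set()})
        elif not raw.startswith(" "):      # "!" or any other top-level line
            current = None
        elif current is not None:
            if line == "switchport port-security mac-address sticky":
                current["sticky_learning"] = True
            elif m := STICKY_RE.match(line):
                current["sticky"].add(m.group(1).lower())
            elif m := STATIC_RE.match(line):
                current["static"].add(m.group(1).lower())
    return ports

def unsaved_sticky(running, startup):
    """Sticky MACs in running-config that are absent from startup-config."""
    saved = parse_port_security(startup)
    lost = {}
    for intf, port in parse_port_security(running).items():
        missing = port["sticky"] - saved.get(intf, {"sticky": set()})["sticky"]
        if missing:
            lost[intf] = sorted(missing)
    return lost
```
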
