CAM aging time VS Port-security aging time

Hi All
Please advise on the following:
- Without port-security configured, MACs per interface are learnt as "Dynamic" entries and the global CAM aging timer applies (300 seconds) unless tweaked manually.
- With switchport port-security enabled (without port-security mac-address sticky, which holds onto MACs infinitely) I see MACs being learnt as "Secure-Dynamic" in a show port-security interface gix/x output and as "Static" in the output of show mac address-table interface gix/x.
What I want to know is if JUST port-security is applied (without mac-address sticky) does the default CAM aging timer of 300 seconds get applied to these MACs too? As I see there is also an option to configure port-security mac-address aging time / type, does this overrule / take precedence over the default CAM aging timer?
Please assist, it's not documented anywhere and it's driving me a bit nuts!
Thanks folks

What I want to know is if JUST port-security is applied (without mac-address sticky) does the default CAM aging timer of 300 seconds get applied to these MACs too?
Any aging time you configure with port security will take precedence over the default aging time.
See this thread for details -
https://supportforums.cisco.com/discussion/11054341/switchport-port-security-commands-help
Jon
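
As an added example (not code from the thread or from Cisco), the following Python audit reads interface configuration text of the kind posted in this thread and reports how learned MACs on each port will age out, applying Jon's answer (a configured port-security aging time takes precedence over the 300 second CAM timer) and the sticky-address behaviour described in the 2950G thread further down (sticky entries never age out). The sample running-config is constructed, the function names are mine, and the IOS default aging time of 0 (aging disabled) is a known default that the thread itself does not state.

```python
# Added example (not code from the thread): classify how learned MACs age out on each port.
from __future__ import annotations
import re
from dataclasses import dataclass

CAM_DEFAULT_AGING_SEC = 300  # global dynamic-MAC aging default quoted in the question

@dataclass
class PortSecurity:
    enabled: bool = False
    sticky: bool = False
    aging_min: int = 0            # IOS default 0 = aging disabled (not stated in the thread)
    aging_type: str = "absolute"  # IOS default when 'aging type' is not configured

def parse_interfaces(config: str) -> dict[str, PortSecurity]:
    """Collect the 'switchport port-security' settings of each interface block."""
    ports, current = {}, None  # interface name -> settings; block currently being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = ports.setdefault(m.group(1), PortSecurity())
            continue
        if current is None or not line.startswith("switchport port-security"):
            continue
        rest = line[len("switchport port-security"):].strip()
        if rest == "":
            current.enabled = True
        elif rest == "mac-address sticky":
            current.sticky = True
        elif m := re.match(r"aging time (\d+)$", rest):
            current.aging_min = int(m.group(1))
        elif m := re.match(r"aging type (absolute|inactivity)$", rest):
            current.aging_type = m.group(1)
    return ports

def effective_aging(ps: PortSecurity) -> tuple[str, list[str]]:
    """Return (how MACs age out, warnings); sticky MACs sit in the running-config and never age."""
    if not ps.enabled:
        return f"dynamic CAM entry, global timer {CAM_DEFAULT_AGING_SEC}s applies", []
    if ps.sticky:
        warn = ["aging time set but sticky MACs never age out"] if ps.aging_min else []
        return "sticky secure MAC, never ages out", warn
    if ps.aging_min == 0:
        return "secure-dynamic MAC, aging disabled", ["a MAC moving to another secure port is flagged until cleared"]
    return f"secure-dynamic MAC, {ps.aging_type} aging {ps.aging_min} min overrides CAM timer", []

def audit(config: str) -> dict[str, tuple[str, list[str]]]:
    return {name: effective_aging(ps) for name, ps in parse_interfaces(config).items()}

# Constructed sample running-config, modelled on the configs posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
interface GigabitEthernet1/0/3
 switchport port-security
 switchport port-security aging time 1
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/4
 switchport port-security
"""

print(*(f"{p}: {a} {ws}" for p, (a, ws) in audit(SAMPLE_CONFIG).items()), sep="\n")
```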

Similar Messages

  • 3850 Port-Security Aging-Time Issue

    Hello,
    we have configured Port-Security on the Cisco Catalyst 3850 Switches on all "access ports" like this:
    interface GigabitEthernet1/0/1
     switchport mode trunk
     switchport nonegotiate
     switchport port-security
     switchport port-security maximum 50
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
    I connect my PC to a mini switch and connect this to the first 3850. Everything is working.
    Then I connect my PC to the second 3850 -> there is no connection. This is ok because of the aging time of 2 Minutes.
    Then I connect my PC to the third 3850 behind a telephone everything is working.
    After 5 to 10 Minutes I type "show mac address-table address x.x.x" on switch 1 and 3.
    Switch1#sh mac address-table address ecf4.bb01.078b
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    2201    ecf4.bb01.078b    STATIC      Gi3/0/31
    Total Mac Addresses for this criterion: 1
    Switch3#sh mac address-table address ecf4.bb01.078b
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    2201    ecf4.bb01.078b    STATIC      Gi6/0/24
    Total Mac Addresses for this criterion: 1
    My MAC address isn't aging out, and this means I can't connect to any other port.
    After clearing port-security with "clear port-security dynamic address ecf4.bb01.078b" everything is fine.

    Thanks for your reply.
    Why shouldn't it work? If I disconnect my PC I have no activity so my mac address should age out.
    So if I want to plug it in to another port after the aging time of 2 Minutes my MAC-Address will be learned and I have network connectivity. That's the plan... otherwise I will be locked out.

  • Port Security Sticky Addresses

    Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
    switchport mode access
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    spanning-tree portfast
    I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
    Josh

    It is not possible to age out sticky entries.  With sticky entries, they are added to the running config.  So the only way to remove it is through editing the running config....  If you enter the "no switchport port-security mac-address sticky" interface command, then the mac addresses will be learned dynamically, and will be aged out after 1 minute of inactivity, per your config ...

  • Recommended port-security settings for ASA HA failover

    I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
    interface GigabitEthernet0/8
    description ASA-Primary-Out
    switchport access vlan 200
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 500
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.
    After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
    I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

    Hello,
    This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
    Per the port-security config guide:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
    "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
    Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
    -Mike

  • Packet drops on 2960 with port-security enabled

    Hello,
    We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure to prevent MAC flooding attacks:
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host are dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 1 mins
    Aging Type                 : Inactivity
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 10
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0011.aabb.ccdd:11
    Security Violation Count   : 0
    When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
    I have found similar reports and bugs for the 2950 and 3750:
    https://supportforums.cisco.com/thread/163910
    https://supportforums.cisco.com/message/89560
    https://tools.cisco.com/bugsearch/bug/CSCeg63177
    https://tools.cisco.com/bugsearch/bug/CSCec21652
    Is there anything we can do to fix this?
    Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
    Thank you.

    Hi Alioune,
    This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
    When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
    On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. Any other uplinks of the VEM, i.e. those that are not acting as DR, drop the received broadcast traffic on ingress to the VEM.
    The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
    Regards

  • TS1368 I want to delete a lot of things (children's stories, albums which are not used) that are on my iPad. However, when I go through iTunes it won't show me most of the stuff in my library. It takes ages to delete one at a time.

    I want to delete a lot of things (children's stories, albums which are not used) that are on my iPad. However, when I go through iTunes it won't show me most of the stuff in my library. It takes ages to delete one at a time.
    Can you help please?

    Thanks King_Penguin for taking time to read and reply. 
    I just purchased this movie on Thursday, May 15, so just a few days ago.  I have never had any trouble whatsoever since I have been in Vietnam.  I have downloaded several movies and even music and they have all synced to my respected Apple products except for this purchase. 
    Sorry, I don't quite understand what you mean by studios and different versions.  Could you please explain? 
    I checked my purchased list in my purchase history under my account and there are no hidden items. 

  • My high school aged child is spending too much time on Facebook, Tumblr to the detriment of home work.  Is there any way I can limit the access to these sites to between 8pm and 10pm?

    My high-school-aged child is spending too much time on Facebook and Tumblr. Is there any way I can limit the access time on these sites to between 8pm and 10pm?

    System Preferences>Parental Controls has time limits - check out this intro to Parental Controls from Cult of Mac on YouTube.
    Clinton

  • Windows 10: Is now the time to replace your aging PC?

    Windows 10 is a pretty big deal right now. You can bet that by now, millions of PC users will have downloaded Microsoft’s new operating system and will be playing with the new features like Cortana. But what if your computer is showing its age? Now might be the time to replace it. Upgrade to a new PC and you can be sure your hardware can take full advantage of Windows 10’s new features and if your existing PC is running an older version of Windows, you’ll save a chunk of cash by not having to pay for the upgrade.

    Paragraphs 2 to 6
    A new Mac will solve all those problems.
    Paragraph 7
    It is time to get a new MacBook Pro for better experience.
    No. Apple does not have a trade-in policy.
    No possibility of a virus causing these problems.
    Best.

  • Two cameras, but only one works at a time, need help

    I've gone over the messages here but not found any answers to my type of problem.  I have two WVC54GCAs both have static IPs on my lan and I can view them both fine from there. 
    I forwarded the port for one to 47624 and the other to 47625 in my router at home and in the camera configuration I specified to use these alternate ports instead of the default 80 port.  When I get in to work and try to view them over the internet by their ip address and port# (e.g. http://22.22.22.222:47624) I get a timeout error, but I can see one if I go to port 22.22.22.222:80 (even though the port I specified in the camera setup was an alternate port).  I used dyndns open port testing tool (http://www.dyndns.com/support/tools/openport.html) which shows 47624 and 47625 are both open ok. 
    I can log into my router on 22.22.22.222:8080 from work and the router logs show that the dyndns tool connected to the router via these ports upon testing.  I was using a Netgear router and thought that might be the problem, so went out and got a Linksys wRT54G2 router to see if that worked better, but have the same issue as with the Netgear.  Here's the weird part, if I go into the router from work and change one of the cameras to forward to port 80 instead of the alternate port I'd set for it, I can view that camera on port 80 despite the camera config still set to use an alternate port.  So then when I take the first camera off port 80 in my router and change the second one to port 80, I can view the second one as well that way.  I have Comcast as my ISP and a Motorola SB5100 cable modem and can't figure out why I am unable to bring them up over the internet using the alternate port settings I specified.  I've spent a lot of time on this, I'd really appreciate any help or other suggestions on what to do.

    As far as I know, all Comcast modems are just bridges...no firewalls in them at all.... The other possibility is that your IT dept at work is blocking the traffic...have you tried this from any other place outside your LAN?
    Tomato 1.25vpn3.4 (SgtPepperKSU MOD) on a Buffalo WHR-HP-G54
    D-Link DSM-320 (Wired)
    Wii (Wireless) - PS3 (Wired), PSP (Wireless) - XBox360 (Wired)
    SonyBDP-S360 (Wired)
    Linksys NSLU2 Firmware Unslung 6.10 Beta unslung to a 2Gb thumb, w/1 Maxtor OneTouch III 200Gb
    IOmega StorCenter ix2 1TB NAS
    Linksys WVC54G w/FW V2.12EU
    and assorted wired and wireless PCs and laptops

  • How can I test the usb port on my Time Capsule to see if it is working?

    Ever since lightning struck nearby (which took out our internet and copy machine) the printer I had connected to the usb port on my Time Capsule in my office has failed to print through the TC. I can plug the printer directly into my MacBookAir and can print just fine. So there is nothing wrong with the printer nor the usb cable.
    I've turned off and unplugged the printer with the usb cable connected & disconnected to the TC, no change. I've unplugged the TC, no change. I've opened the printer utility several times, and always get the "offline" error. I open the print queue, and it says the printer is not connected. I reinstalled the driver for the printer, still the same thing.
    I'm starting to wonder if the usb port on my Time Capsule got fried. Any help anyone can give in trying to see if the usb port even functions anymore would be greatly appreciated.
    My Time Capsule is model no. A1409.

    Power is not likely to be killed .. it is the data components that are more fragile.
    So you do have power which as you say is why the USB flashes.. but you don't have signal.
    The only other thing you can do is use USB powered hub.. if you have one handy.. but I would not go out and buy one.
    A damaged board is impossible (at a cost less than a replacement TC) to repair. And repairers do not like working on stuff damaged by lightning, as components that did survive were stressed.. the transistor junctions become liable to fail at any time.. so you repair it and it just keeps coming back as not working. Sorry, if you cannot use it without USB, junk it and buy a replacement. A second hand Gen3 is about the best of them it seems.
    You can also buy an ethernet to USB print server.. but a new ethernet or wireless network printer is probably near to the same price.
    You can hunt ebay for second hand USB print servers.. or airport express, extreme or TC.. often you can find something suitable for just a few dollars if you shop well. Since you don't need the latest greatest to do this sort of job.. and people are disposing of things like USB print servers as soon as they buy network printers.

  • How to plug a hard drive on the USB port of a Time Capsule. TC in bridge mode

    Hello
    I would like to connect a hard drive onto the USB port of a Time Capsule. This is for saving files (different from the Time Machine backups). I am struggling to get it working; it seems that I can see the HD under "drives or discs" (running Snow Leopard in French) from the AirPort Utility but I can't access it.
    The TC is in bridge mode.
    Thanks for help and guidance.
    Best
    Pierre

    The question is clear enough.. I just don't understand why you are having issues.
    Can you see the internal disk of the TC in the Finder?
    What format are you using on this disk? Try and format it HFS+ if it isn't already.
    If you plug it directly into the Mac it works ok??
    The other issue is the need for a powered hub on the TC due to the low power it gives the internal port.. or lack of bios compatibility with a range of usb hub chips. Try a powered hub as that can also help.

  • HT4356 I have an older HP connected to the usb port of my Time Machine, and have it shared. I want to print from my iPhone on the network, but it cannot be found in AirPort? How do I make this work?

    I have an older HP connected to the usb port of my Time Machine, and have it shared. I want to print from my iPhone on the network, but it cannot be found in AirPort? How do I make this work?

    AirPrint printers connected to the USB port of the Apple AirPort Base Station or Time Capsules are not supported with AirPrint.
    Read through this for information about Airprint printers and how to use them:
    http://support.apple.com/kb/ht4356

  • I can't seem to connect to my lion vpn, all web services I set up work well like wikis and what not. I get a security error 792 Connection attempt failed because security negotiation times out. Please help

      I get error 792 Connection attempt failed because security negotiation timed out. I am trying to connect an XP machine to my vpn.

  • UCCX8 Is there a log or report that shows IVR/CTI port availability over time

    Question:
    Is there a log or report that shows IVR/CTI port availability over time?
    Objective:
    We are trying to determine if, when doing a Call Redirect step, the IVR/CTI port stays the same or the port is made available by the first script and the second script, where the Call Redirect is redirecting to, has to reserve its own IVR/CTI port.
    What we have done already:
    We limited the Call Control Group to 1 CTI port and ran the scripts that do the Call Redirect step and it worked fine, so we are assuming that there is not a point where the transfer takes up two IVR/CTI ports at the same time.
    -Lauren

    Hi,
    if it's UCCE, then if I remember that correctly, there is a webview report that would tell you Network Trunk Group utilization. Or, actually, you can extract this information yourself from the HDS table named Trunk_Group_Half_Hour.
    G.

  • Port mapping in Time Machine

    I cannot see where in Time Machine I can set port mapping. There should be a drop down box for set up service. I'm trying to access Echolink.

    I cannot see where in Time Machine I can set port mapping.
    Time Machine is software to back up your Mac to a hard drive.  Won't be anything about port mapping there.
    Maybe you meant to ask about a Time Capsule?  If yes, Port Mapping is set up using AirPort Utility on your Mac. It is located as follows: Finder > Applications > Utilities > AirPort Utility.
    Hold down the option key on your Mac while you double click on the picture of the Time Capsule
    Click the Network tab
    IF.....the Time Capsule has been configured to provide DHCP and NAT service for the network, you will see the Port Mapping Setup there.
    IF....the Time Capsule has been setup to work with your modem/router in Bridge Mode, the Port Mapping settings are greyed out and cannot be accessed. Port Mapping service must be set up on your modem/router.....not on the Time Capsule.
    For more information about Port Mapping Basics, see this excellent User Tip from forum expert Tesserax:
    AirPort - Port Mapping Basics using AirPort Utility v6.x
