Port-security aging time and err-disable recovery

Hi guys,

Let's suppose i have this kind of configuration on my switch:

Switch(config-if)# switchport port-security aging time 1
Switch(config-if)# switchport port-security aging type inactivity

How should you know, according to the above, just one MAC is allowed; after 1 minute of host inactivity the MAC address is cleared and another MAC address can be allowed on that port.

Let's suppose too that a violation has happened and I pre-configured the err-disable recovery so that the switch tries to recover from a violation after 2 minutes. When the time of recovery arrives, will the MAC have been cleared in this case??

Extra question...
Is this kind of flexibility deployed by Cable ISPs on the ports facing the users??


Hi,

1. How should you know that just one MAC is allowed and, if another one is seen, a violation occurs? Because that's the default unless you change it; you can verify this with the "show port-security interface xyz" command.

2. How should you know that once a MAC has been learned, after 1 minute of inactivity the MAC address is cleared and another MAC address can be learned? Because that's what your config does; you can verify this with the "show port-security interface xyz" command, and you can perform a test (connect a router and have no traffic being sent out on the port, ping, keep silent for one minute, verify that the old MAC address is no longer known by port-security).

3. If the configured violation is 'shutdown', because the port goes into a logical down state, it means all learned MAC addresses are gone (the switch cannot keep in its CAM table MAC addresses learned on a port in the down state; makes sense, right?); so when err-disable recovery re-enables the port, the first learned MAC address will be accepted and become secured, and if a new MAC address is seen, the violation happens again.

4. This feature is enabled whenever you want the benefits of this feature, not only by Cable ISPs.
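As an added example (not configuration posted in this thread), here is the complete switch configuration that the scenario above implies: one secure MAC per port, shutdown on violation, 1-minute inactivity aging, and err-disable recovery for port-security violations after 2 minutes, followed by the show commands used to verify each part. The interface name, VLAN number and timer values are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Interface, VLAN and
! timer values are assumed for illustration.

! Global: allow the switch to re-enable ports that were err-disabled by a
! port-security violation, 120 seconds (the "2 minutes") after the shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 120

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
! Verification commands:
! show port-security interface GigabitEthernet0/1  - maximum, violation mode, aging, secure address count
! show port-security address                       - currently secured MACs with their remaining age
! show errdisable recovery                         - enabled recovery causes and the interval
! show interfaces status err-disabled              - ports currently in the err-disabled state
```

With violation mode shutdown, the port goes err-disabled and its secure addresses are dropped with it, so after the recovery timer re-enables the port the first source MAC seen is learned as the new secure address regardless of whether the 1-minute inactivity timer had fired. With violation mode restrict or protect the port stays up, so the old address is removed only by the inactivity aging timer or by an explicit "clear port-security dynamic interface GigabitEthernet0/1".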

