How to configure port-security on Cisco Switch

Hello Hussein.

That’s a very good point, and yes, it requires clarification.

In order for port security to function, the “allowed” MAC addresses are configured for each port. These are the secure addresses. Now there are several ways a switch can learn these addresses: Statically or dynamically.

The statically configured MAC addresses for port security DO NOT age out. They are permanent. These are the addresses that are configured using the command:

switchport port-security mac-address 1000.2000.3000

The switchport port-security aging time command only affects dynamically learned MAC addresses. These are the addresses that are configured using the command:

switchport port-security

So, the switchport port-security aging time command applies to MAC addresses learned in this way. However, when the aging time expires, it does NOT mean that protection will be cancelled. It just means that the dynamically learned MAC address is no longer associated with the port. However, port-security is still configured, so the MAC address will just be “relearned”.

For example, let’s say I configure FastEthernet 0/3 with port security and allow only one MAC address to be dynamically learned. In other words:

Switch(config)#interface FastEthernet 0/3
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1

And I put an absolute timer of 60 minutes for aging out like this:

Switch(config-if)#switchport port-security aging type absolute
Switch(config-if)#switchport port-security aging time 60

I plug in my laptop, the MAC address is learned and I can use it for 60 minutes. During that 60 minutes, if I remove it and place another device on the port, port-security will kick in and the device will not connect. After the 60 minutes are up, the MAC address is aged out. At that time, the MAC address of the connected device (either my original laptop or another device) will be relearned and port security will still be functioning for another 60 minutes.

If I choose to use aging type inactivity, then after 60 minutes of inactivity the MAC addresses will be aged out and a new MAC address will be learned.

I hope this has been helpful!

Laz

2 Likes
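The following is a small Python model added to illustrate the behaviour Laz describes; it is not part of the original post and is not Cisco code. It keeps a per-port table of secure MAC addresses, treats statically configured addresses as never aging, and ages dynamically learned addresses either from the time they were learned (absolute) or from the last frame seen (inactivity). The MAC addresses, the `SecurePort` class and the scenario functions are all constructed for this example; the model assumes, as IOS does, that static and dynamic entries both count toward the configured maximum, and it simply records a violation instead of err-disabling the port.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Hypothetical model of one port with port-security (not Cisco code).

    aging_type is "absolute" (age from learn time) or "inactivity" (age from
    last frame seen); aging_time is in minutes, 0 disables aging.
    """
    maximum: int = 1
    aging_type: str = "absolute"
    aging_time: int = 60
    # mac -> {"static": bool, "learned_at": minute, "last_seen": minute}
    table: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)

    def add_static(self, mac):
        # "switchport port-security mac-address <mac>": permanent, never ages.
        self.table[mac] = {"static": True, "learned_at": None, "last_seen": None}

    def _expire(self, now):
        # Aging only removes dynamic entries; protection itself stays configured.
        if self.aging_time == 0:
            return
        for mac, entry in list(self.table.items()):
            if entry["static"]:
                continue
            ref = entry["learned_at"] if self.aging_type == "absolute" else entry["last_seen"]
            if now - ref >= self.aging_time:
                del self.table[mac]

    def frame_from(self, mac, now):
        """A frame from `mac` arrives at minute `now`; returns 'allowed' or 'violation'."""
        self._expire(now)
        if mac in self.table:
            self.table[mac]["last_seen"] = now
            return "allowed"
        if len(self.table) < self.maximum:
            # Dynamic learning ("switchport port-security" with maximum 1).
            self.table[mac] = {"static": False, "learned_at": now, "last_seen": now}
            return "allowed"
        # Table full and this MAC is not secure: the device does not connect.
        self.violations.append((now, mac))
        return "violation"


# Constructed sample MACs for the scenarios below.
LAPTOP = "aaaa.aaaa.aaaa"
OTHER = "bbbb.bbbb.bbbb"
STATIC = "1000.2000.3000"


def absolute_scenario():
    """maximum 1, aging type absolute, aging time 60 (the post's Fa0/3 example)."""
    port = SecurePort(maximum=1, aging_type="absolute", aging_time=60)
    results = [
        port.frame_from(LAPTOP, 0),    # laptop learned
        port.frame_from(OTHER, 30),    # swapped device inside 60 min -> blocked
        port.frame_from(OTHER, 60),    # laptop aged out -> new device relearned
        port.frame_from(LAPTOP, 90),   # now the original laptop is the stranger
    ]
    return results


def inactivity_scenario():
    """Same port, but aging type inactivity: traffic keeps the entry alive."""
    port = SecurePort(maximum=1, aging_type="inactivity", aging_time=60)
    port.frame_from(LAPTOP, 0)
    results = [
        port.frame_from(LAPTOP, 50),   # activity resets the idle clock
        port.frame_from(OTHER, 100),   # only 50 idle minutes -> still blocked
        port.frame_from(OTHER, 111),   # 61 idle minutes -> aged out, relearned
    ]
    return results


def static_scenario():
    """A statically configured secure MAC never ages out, whatever the timer says."""
    port = SecurePort(maximum=1, aging_type="absolute", aging_time=60)
    port.add_static(STATIC)
    return [
        port.frame_from(STATIC, 500),  # still allowed long after 60 minutes
        port.frame_from(OTHER, 1000),  # table full with the static entry -> blocked
    ]


if __name__ == "__main__":
    print("absolute:  ", absolute_scenario())
    print("inactivity:", inactivity_scenario())
    print("static:    ", static_scenario())
```

The absolute scenario is the point of the reply: after the 60-minute timer fires the laptop's address is gone from the secure table, but the port is still secured, so whichever device talks next is learned and everything else is blocked again. The inactivity scenario shows why the two aging types differ: a device that keeps sending frames is never aged out, so the swap-in device stays blocked until the port has been idle for the full period.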