@Sumantonnet
I have been playing around with port security on my physical switches, and I am having some issues configuring the max address command but I will get past that.
However, I think I may have found an answer to your question. Based on the port security lesson on this site and a Cisco article I have found the two commands in question do the same thing.
In this lesson, Rene states:
"It might be easier if the interface could recover itself after a certain time:
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security aging time 10
You can change the aging time from 0 to whatever value you like with the switchport port-security aging time command. After 10 minutes it will automatically recover from err-disable state. Make sure you solve the problem though because otherwise it will just have another violation and end up in err-disable state again. Make sure you don’t forget to enable automatic recovery with the errdisable recovery cause psecure-violation command."
This indicated to me that the switchport port-security aging time 10 command recovers the port from being in the err-disabled state.
I also don’t believe that this command removes any mac addresses from the CAM table. From what I understand the way port security works is that mac addresses can be learned dynamically or statically depending on how the interface is configured, then once the limit of mac addresses is met or a mac address that has not been defined is seen on the interface the configured violation mode occurs. The new mac address that caused the issue is not even added to the table. So since the “bad macs” are never added they never need to be removed.
Also, from what I am reading in the Cisco article below, the command errdisable recovery interval 300 is very similar to the switchport port-security aging time 10 command.
Just to give you a little insight into the problem I am having (in case you can help me!): when I configure the switchport port-security maximum 1 command I do not receive any errors, but the command does not show in my running config. As a result, no mac addresses can be learned on that interface. I have tried this on two of my physical switches (2950 and 2960G 8 port).
All other port security commands will be found in the config, for example:
int gi0/1
!
switchport mode access
!
switchport port-security
!
switchport port-security maximum 1
!
do sh run (switchport port-security maximum 1 is not in running config)
!
switchport port-security mac-address sticky
!
do sh run
(switchport port-security maximum 1 does not show in running config but switchport port-security mac-address sticky does)
When I run a debug port-security I get the following message when running the command
switchport port-security maximum 1
" PSECURE: psecure_addrs_fn: Max addresses per port = 8192"
It is almost like it ignores the value of my command, but it doesn't add any maximum command to my running configuration.
@lagapides could you possibly help me understand why my command won't go into my configuration? Also, could you make sure I am not missing anything explaining port security to @Sumantonnet.
Thanks All,
Scott
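Added here as an example, not code from the post or from the lesson: a small Python parser that reads a show running-config excerpt and fills in the defaults IOS omits (port security's default maximum is 1, which is why a typed switchport port-security maximum 1 never appears in the running config), then lists the ports that will go err-disabled on a violation. The sample config is constructed.

```python
import re
# Constructed "show running-config" excerpt (not from the post): Gi0/1 had
# "maximum 1" typed, but IOS omits settings that equal the default (max = 1).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 10
!
interface GigabitEthernet0/3
 switchport port-security maximum 2
!
"""
# IOS defaults; these never show in the running config when unchanged.
DEFAULTS = {"enabled": False, "maximum": 1, "violation": "shutdown", "aging_time": 0, "sticky": False}

def parse_port_security(config):
    """Interface -> effective port-security settings, with defaults filled in."""
    result, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            continue
        parts = raw.split()
        if current is None or parts[:2] != ["switchport", "port-security"]:
            continue
        entry = result.setdefault(current, dict(DEFAULTS))
        if len(parts) == 2:                  # bare command enables the feature
            entry["enabled"] = True
        elif parts[2] == "maximum":
            entry["maximum"] = int(parts[3])
        elif parts[2] == "violation":
            entry["violation"] = parts[3]
        elif parts[2:4] == ["aging", "time"]:
            entry["aging_time"] = int(parts[4])
        elif parts[2:4] == ["mac-address", "sticky"]:
            entry["sticky"] = True
    return result

def ports_that_errdisable(config):
    """Enabled ports in the default 'shutdown' violation mode: a violation err-disables them."""
    return sorted(n for n, s in parse_port_security(config).items()
                  if s["enabled"] and s["violation"] == "shutdown")
```

Note that Gi0/3 has a maximum set but no bare switchport port-security line, so port security is not actually enabled there and it is not reported.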