Cisco Port Security and Sticky MAC Addresses

Posted on October 4, 2008 11:08 PM

I recently started reevaluating how we do port security as a result of a recent customer's information security audit.  We normally turn on port security and set the maximum MAC addresses to 1 (the default) or 2 (if there is an IP phone connected).  The default behavior is to disable the port when the MAC changes or if the number of concurrent MAC’s exceeds the maximum.

However during testing I discovered this didn’t work exactly like I expected.  Port security was enforced as long as a device stayed connected to the port.  If the port was disconnected, the switch would remove the pre-existing MAC’s and ANY new device could connect, as long as the maximum was not exceeded.  While this prevents unauthorized hubs and switches, it doesn’t prevent someone from unplugging a device and plugging in a different unauthorized device.

The solution to this is to use the sticky option on the port security interface command:

  • switchport port-security – enables port security, optional “maximum <n>” to set the max greater than 1
  • switchport port-security mac-address sticky – turns on the sticky MAC feature

After enabling, you will notice the currently connected MAC address(es) will appear in the running config:

  • switchport port-security
  • switchport port-security mac-address sticky
  • switchport port-security mac-address sticky 0080.6433.xxxx

This will stay in the config until the switch is rebooted, so it’s important to write the config.

Other related commands:
  • show port-security address – lists all the learned MAC addresses by interface
  • show port-security interface fa0/1 – shows the detailed port security settings for an interface, including enable/disable status
  • clear port-security sticky interface fa0/1 – clears the learned sticky MAC addresses, must be done prior to a shut/no shut to re-enable a port disabled due to port security

When you use sticky MAC addresses you'll want to make sure that the MAC addresses are cleared off of a switch when a device is moved.  We had a laptop that was moved from one client location to another and one of the distribution switches was thinking the device was plugged into the old switch and the other distribution switch thought it was plugged ito the new switch.  This created a situation where some network traffic was reaching the laptop and some was going into a black hole.  After clearing the the sticky MAC addresses on the old switch the problem was resolved.

Update:  You might also be interested in a couple stick MAC address tips.

Related Posts

Comments

Comment by hattani

April 30, 2009 1:50 AM

Or you could set the aging time to 0

Comment by techexams.net

December 9, 2009 7:12 AM

Pingback from techexams.net

Port Security - Real World Advice\Experience - TechExams.net IT Certification Forums

Comment by Tom

March 30, 2010 12:19 PM

If you set aging to 0 ( Switch# switchport port-security aging time time in minutes ), then you have effectively disabled aging.

Comment by Tom

March 30, 2010 12:21 PM

sorry, that is a global interface command: Switch (config-if)# (...)

Comment by Mike

July 12, 2010 1:39 PM

clear port-security interface sticky fa0/1
sticky comes before interface with this command. if you type it this way, it will not work.

Comment by firstcomputer.interactiveinfonet.info

August 23, 2010 4:59 PM

Pingback from firstcomputer.interactiveinfonet.info

First computer - First computer - Computer first invented when

Comment by cherrytable.interactiveinfonet.info

September 14, 2010 3:51 PM

Pingback from cherrytable.interactiveinfonet.info

Cherry end glass modern table wood - Cherry wood - Cherry table

Comment by Matt

October 11, 2011 2:21 PM

Use sticky port in protect mode. This will keep the first <n> allowed in the table and denie any other "with out" disableing the port. If you swap out a device then the port will have to be cleared of the old before it can be used again.

Now here is my problem. Can I use the "clear port-security sticky all" command with out disrution of service to the rest of the users. If a device is added to a port that has not been clear it does not show up in the arp table.

Comment by Janneman

May 16, 2013 6:46 PM

Imho 'sticky mode' gives you -at best- a false idea of security. When introduced most NIC's would only support the burnt-in (globally unique) MAC address, but nowadays it is very simple to clone the MAC address of the allowed PC in the network. If you do want to prevent rogue users to connect to your network you should use dot1x / IEEE 802.1x features and require that a PC uses computer/machine credentials to logon to the company (data v)LAN.
To allow non dot1x devices to connect to the LAN you can use MAC bypass; but as that is for the same reasons not secure as sticky mode, you should assign them to a VLAN that gives only limited access: eg a VOIP vlan (with no access to data network) or printer VLAN (only traffic terminating on attached devices allowed and/or only some sort of traffic/tcp-ports allowed). If you would pass a security audit because you use sticky mode your audit is not good enough!

Add Comment





[b][/b] - [i][/i] - [u][/u]- [quote][/quote]