I recently reevaluated how we do port security as a result of a customer’s information security audit. We normally turn on port security and set the maximum number of MAC addresses to 1 (the default) or 2 (if there is an IP phone connected). The default behavior is to disable the port when the MAC changes or if the number of concurrent MACs exceeds the maximum.
However, during testing I discovered this didn’t work exactly as I expected. Port security was enforced only as long as a device stayed connected to the port. If the port was disconnected, the switch removed the previously learned MACs, and ANY new device could connect as long as the maximum was not exceeded. While this prevents unauthorized hubs and switches, it doesn’t prevent someone from unplugging a device and plugging in a different, unauthorized one.
The solution is to use the sticky option of the port-security interface commands:
- switchport port-security – enables port security; the optional “maximum <n>” raises the maximum above 1
- switchport port-security mac-address sticky – turns on the sticky MAC feature
After enabling it, you will notice that the currently connected MAC address(es) appear in the running config:
- switchport port-security
- switchport port-security mac-address sticky
- switchport port-security mac-address sticky 0080.6433.xxxx
These learned entries live only in the running config and are lost when the switch is rebooted, so it’s important to write the config so they survive a reload.
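The check an auditor would actually want after reading the above is whether every access port got the sticky option, not just plain port security. The following script is an added example, not code from the original post: it parses a constructed running-config excerpt (the interface names and MAC addresses are made up) and classifies each switchport as having sticky port security, port security without sticky (the unplug-and-replace gap described above), or no port security at all, then emits the interface commands needed to close the gap.

```python
"""Audit a Cisco IOS running-config for port-security coverage.

Added example (not from the original post). It parses a constructed
running-config excerpt (interface names and MAC addresses are made up)
and flags access ports where port security is either absent or lacks
the sticky option, since without sticky an unplug-and-replace admits
any new MAC up to the configured maximum.
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config: one port with plain port security,
# one hardened with sticky (two learned addresses, e.g. phone + PC),
# one with no port security at all, plus an SVI that is not a switchport.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0080.6433.0001
 switchport port-security mac-address sticky 0080.6433.0002
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""

STICKY_MAC_RE = re.compile(
    r"switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)
MAXIMUM_RE = re.compile(r"switchport port-security maximum (\d+)$")


@dataclass
class PortSecurity:
    name: str
    is_switchport: bool = False
    enabled: bool = False      # bare "switchport port-security" present
    sticky: bool = False       # "... mac-address sticky" present
    maximum: int = 1           # IOS default when "maximum" is not set
    sticky_macs: list = field(default_factory=list)


def parse_interfaces(config: str) -> dict:
    """Return {interface name: PortSecurity} for each 'interface' stanza."""
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = PortSecurity(name=line.split(None, 1)[1])
            ports[current.name] = current
            continue
        if not line.startswith(" "):
            current = None      # "!" or a global command ends the stanza
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            current.is_switchport = True
        elif cmd == "switchport port-security":
            current.enabled = True
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True
        elif (m := STICKY_MAC_RE.match(cmd)):
            current.sticky_macs.append(m.group(1))
        elif (m := MAXIMUM_RE.match(cmd)):
            current.maximum = int(m.group(1))
    return ports


def audit(config: str) -> dict:
    """Classify every switchport as 'ok', 'no-sticky' or 'no-port-security'."""
    result = {}
    for name, port in parse_interfaces(config).items():
        if not port.is_switchport:
            continue            # SVIs and routed ports: port security n/a
        if not port.enabled:
            result[name] = "no-port-security"
        elif not port.sticky:
            result[name] = "no-sticky"
        else:
            result[name] = "ok"
    return result


def remediation(config: str) -> list:
    """Interface commands that bring every flagged port up to sticky."""
    cmds = []
    for name, status in audit(config).items():
        if status == "ok":
            continue
        cmds.append(f"interface {name}")
        if status == "no-port-security":
            cmds.append(" switchport port-security")
        cmds.append(" switchport port-security mac-address sticky")
    return cmds


if __name__ == "__main__":
    for name, status in audit(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name:22} {status}")
    print("\n".join(remediation(SAMPLE_RUNNING_CONFIG)))
```

Feed it the output of a real `show running-config` instead of the embedded sample to audit a switch; the remediation list is deliberately only interface commands, because the learned sticky entries still have to be written to startup config afterwards or they vanish on the next reload.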