Answer: Basic Port Security 2

No fluff – just straightforward config. First do the lab as listed in the earlier post, that is, try it for yourself. (For you test takers, the point is that you learn better if you try first – it’s not a punishment, but an opportunity!) Then come back here and check your answer and your logic.
Answers
Example 2: SW1 Config with Port Security Added
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
Commentary
Often the configuration of port security does not need to be overly complex, as long as a few basic points about how the feature behaves are kept in mind:
- Port Security is disabled by default
- Once enabled, each port is allowed only a single MAC address by default
- The default violation mode is to shut down the port, leaving it in the err-disabled state
- A violation occurs when the port has already learned its maximum number of secure addresses and a frame arrives from a source MAC address not in its secure MAC address table
- The port security feature is not supported on dynamic mode ports; the port must be statically configured as an access (or trunk) port
Another configuration option of the port security feature is to automatically convert dynamically learned MAC addresses to static secure MAC addresses. So what does this mean? Normally when an address is learned it is counted against the secure MAC address limit (remember the default is 1), but the address is not placed into the configuration – it lives only in an internal table used by the port security feature. Should the switch be rebooted, that table is lost, and the port simply secures the first MAC address it sees traffic from after the reload. One alternative is to statically configure the MAC address of every attached device; this is a time-consuming task that is not feasible for most administrators. The other alternative is to use sticky learning.
When using sticky learning the interface will listen for a device (or devices) on an interface. The first MAC address that is seen on the interface will be placed into the running configuration as a statically configured secure MAC address (this also works for multiple MAC addresses should the maximum be increased from its default of 1). All the administrator needs to do is wait for all the expected devices to send traffic and be seen by the switch. Once this is done then the only task left is to save the configuration.
Following the configuration in order:
- The switchport mode access command changes the port from its default dynamic status to statically be an access port.
- The switchport port-security command enables port security with all defaults.
- The switchport port-security mac-address sticky command tells port security to record into the running-config any learned MAC addresses that are legal (in other words, those that are not considered violations).
- The relevant defaults are: 1 MAC address per port, and a violation mode of shutdown.
Finally, you could have configured the three subcommands as shown in Example 3, using the interface range command, to save some typing.
Example 3: Using the interface range Command to Save Typing
SW1# configure terminal
SW1(config)# interface range FastEthernet0/1 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security mac-address sticky
SW1(config-if-range)# end
SW1#
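As an added example (not part of the original lab answer), here is the same four-port sticky configuration carried one step further than the post does: it makes the defaults explicit, allows a second address per port, lets err-disabled ports recover on their own, and finishes with the verification and save steps that turn a sticky-learned address into a permanent one. The maximum of 2, the 300-second recovery interval and the specific show commands chosen are my assumptions, not something the lab required.

```cisco
! Added example, not from the original post. Assumed values: two devices
! per port (e.g. IP phone plus PC) and a 5-minute err-disable recovery.
SW1# configure terminal
SW1(config)# interface range FastEthernet0/1 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport port-security
! Default is 1; raise it only as far as the expected devices require.
SW1(config-if-range)# switchport port-security maximum 2
! Shutdown is already the default; stating it keeps it visible in the config.
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
SW1(config-if-range)# exit
! Without these two lines a violated port stays err-disabled until an
! administrator does shutdown / no shutdown on it.
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 300
SW1(config)# end
! After every expected device has sent traffic, confirm what was learned...
SW1# show port-security interface FastEthernet0/1
SW1# show port-security address
SW1# show running-config interface FastEthernet0/1
! ...then save, so the sticky addresses survive a reload.
SW1# copy running-config startup-config
```

In the show port-security interface output, check that Port Status reads Secure-up, Violation Mode reads Shutdown, and the Sticky MAC Addresses count matches the number of devices you expect on that port; in the running-config you should now see one switchport port-security mac-address sticky <address> line per learned device. Until the copy at the end is run, those lines exist only in the running-config and are lost on a power cycle.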
If I understand correctly, a hacker could still defeat the port security config above if they have access to AC power on the switch. Toggling power would allow a window of time for the hacker to plug in a laptop and have its mac-address be accepted as the first sticky address. If the user had saved the running-config to the startup config, that window would be eliminated. Am I correct?
Yes indeed, George. In real life, sticky is more of a way to discover the MACs once, and save them, rather than run the risk of special situations like the one you described.
Wendell
Thanks Wendell.
Just a thought on George’s comment.
If the power to the switch was toggled, then wouldn't the fact that sticky was enabled on a port also be 'forgotten' on switch reboot (assuming that the running-config hadn't been previously saved to the startup-config)? In fact, wouldn't *all* port-security be forgotten on reboot, if it wasn't previously saved to the startup-config?
Hi Barbara,
Yes indeed! Spot on.
Wendell
Hey, thank you for your dedication to us, Wendell. I've been learning so much with you.
The link from this Answer to its Question doesn't exist. Can you verify, please?
You’re welcome, Roseli. My pleasure.
I fixed the link – thanks for letting me know.
Wendell
Hi,
Is the sticky option the default? If it is, what is the difference between the default option and when we configure port-security mac-address sticky?
Sanjin,
Short answer, no, sticky is not the default.
Sticky: dynamically learn, and then add a configuration command to running config, so if saved, it looks like a statically-configured address for port security.
Not sticky (ie leaving it out): dynamically learn, use the info, but do not create config and do not save the learned info across reloads.
Hi Wendell,
So if I understood correctly, once a port learns a mac address through sticky, if you save the running config to startup config, it will be “the same” as if you had manually assigned a mac address to that port? Thank you so much for your insight.
Regards
Nelson,
Correct! Nice way to build the config when starting out – hoping that it's not in the middle of some attack. 🙂
Was I wrong to do the following?
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address 0200.0000.1111
!
I'm guessing the sticky would dynamically learn PC1's MAC and save it, since it's the only one connected to the port. Is that why the mac-address table entry is not needed?