Switchport Port-Security using Sticky-MAC
Restricts a switch port so that it only forwards traffic from specific MAC addresses. Addresses can be dynamically learned or statically defined, and can range from 1 MAC to 3072 different MACs on that port.
Enter the interface you wish to secure and configure it similarly to the example below:
interface GigabitEthernet0/4
 description STICKY_MAC_PORT_SECURITY
 switchport access vlan 11
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security maximum {value} <-- Optional, sets the number of MACs to allow; default is 1.
 switchport port-security mac-address {mac_address} <-- Optional, manually specifies an allowed MAC; repeat for multiple MACs.
!
To view the MAC permitted on the interface:
show port-security address
!
After the port learns the MAC address of the device connected to it, a line similar to this is added to the interface config:
switchport port-security mac-address sticky 18a9.05d6.3f7e vlan access
(Optional) To have the ports auto-recover from the err-disabled state, rather than having to shut / no shut them manually:
errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
end
With errdisable recovery, the port will try to come back online, but if the plugged-in device does not match the MAC stored on the switchport, it goes straight back to errdisable. If the person removes the "bad" device and puts the "allowed" device (the one matching the MAC stored on the switch) back into the port, the port comes back online and works normally again once the 60 second window expires.
This command clears the MAC address learned on the port, in case you want to replace the device with something else on that same port:
clear port-security sticky interface GigabitEthernet0/4
To clear ALL sticky MACs learned dynamically on the switch, use the "clear port-security dynamic" command.
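As an added audit example (not part of the original page), this Python script parses interface blocks from a saved running-config and flags access ports that drift from the template above: port-security sub-options present but the feature itself never enabled, sticky learning missing, a violation mode other than shutdown, or a maximum above a site policy value. The sample config and the policy limit of 2 are constructed for the example.

```python
import re
MAC_RE = re.compile(r"mac-address sticky ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

# Constructed sample running-config (access ports only): Gi0/4 follows the page's
# template and has learned one sticky MAC; Gi0/5 set sub-options but never enabled the feature.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/4
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 18a9.05d6.3f7e vlan access
!
interface GigabitEthernet0/5
 switchport port-security maximum 3
 switchport port-security mac-address sticky
!
"""

def parse_interfaces(config):
    # Defaults mirror IOS when a line is absent from the config: violation shutdown, maximum 1.
    ports, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ports.setdefault(line.split()[1], {"enabled": False,
                  "sticky": False, "violation": "shutdown", "maximum": 1, "macs": []})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # '!' or a global command closes the interface block
            continue
        cmd = line.strip()
        if cmd == "switchport port-security":
            cur["enabled"] = True
        elif cmd == "switchport port-security mac-address sticky":
            cur["sticky"] = True
        elif cmd.startswith("switchport port-security violation "):
            cur["violation"] = cmd.split()[3]
        elif cmd.startswith("switchport port-security maximum "):
            cur["maximum"] = int(cmd.split()[3])
        elif m := MAC_RE.search(cmd):
            cur["macs"].append(m.group(1))  # sticky MAC already learned on this port
    return ports

def audit(ports, max_allowed=2):
    # One finding list per port; an empty list means the port matches the policy.
    return {name: [msg for ok, msg in (
        (p["enabled"], "port-security not enabled; sub-options alone do nothing"),
        (p["sticky"], "sticky learning not configured"),
        (p["violation"] == "shutdown", f"violation mode {p['violation']}, expected shutdown"),
        (p["maximum"] <= max_allowed, f"maximum {p['maximum']} exceeds policy {max_allowed}"),
    ) if not ok] for name, p in ports.items()}
```

Feed it the output of "show running-config" saved to a file; a port that shows sub-options but no bare "switchport port-security" line is the most common silent misconfiguration this catches.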