09-20-2017 09:26 AM - edited 03-08-2019 12:06 PM
I don't see a difference between the two. Both make it to the running config.
1) sticky + static
Switch1(config-if)#switchport port-security mac-address sticky ?
  H.H.H  48 bit mac address
Switch1(config-if)#switchport port-security mac-address sticky ae11.be22.ce33
2) static only
Switch1(config-if)#switchport port-security mac-address ?
  H.H.H  48 bit mac address
Switch1(config-if)#switchport port-security mac-address ae12.be22.ce33
In Running Config:
interface GigabitEthernet1/0/17
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 5
 switchport priority extend trust
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 **switchport port-security mac-address sticky ae11.be22.ce33**
 **switchport port-security mac-address ae12.be22.ce33**
 duplex full
 mls qos trust cos
 spanning-tree portfast
 spanning-tree bpduguard enable
!
Confused.
Regards,
Noob
09-20-2017 10:22 AM - edited 09-20-2017 10:25 AM
Hi Noob,
The difference is in the purpose of the command itself. You do not need the "sticky" option if you are going to configure the MAC address manually. The main reason you have the option is to 'stick' the dynamically learned MAC address to the port.
On some platforms (e.g. a 3650 running CAT3K_CAA-UNIVERSALK9-M, Version 03.07.01E) you are not even allowed to use "sticky" with manually assigned MAC addresses.
HTH,
Meheretab
09-20-2017 12:08 PM - edited 09-20-2017 12:15 PM
One thing I noticed with your configuration: port-security is not yet enabled.
You MUST enable port-security using the command: switchport port-security
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security mac-address 0050.7966.6800
end
Switch#show port-security int g0/0
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
<truncated>
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security mac-address 0050.7966.6800
 switchport port-security
end
Switch#show port-security int g0/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
I don't see any functional difference between the two specifications of MAC addresses; however, Cisco recommends against specifying a MAC address with the sticky command. I have also heard that with newer versions of IOS the option is removed, but I can't confirm first hand.
If at some point you decide to disable port-security sticky, all the manually configured and learned sticky MAC addresses will also be removed, whereas the other statically configured MAC address will remain.
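The reply above makes a point worth checking mechanically: port-security sub-commands (maximum, violation, mac-address) can sit in the running config while the feature itself is never enabled. The following Python script is an added example, not code from the thread or from Cisco. It parses an IOS-style config into per-interface port-security state and reports that case, manually typed sticky entries, and how many addresses a port will still learn. The sample config is constructed from the snippets quoted in the thread, and the finding codes (NOT_ENABLED, STICKY_MANUAL, LEARNING) are names I chose for this example.

```python
"""Audit an IOS-style running config for port-security mistakes (added example)."""
from dataclasses import dataclass, field
import re

# Constructed sample modelled on the configs quoted in the thread, not a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/17
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky ae11.be22.ce33
 switchport port-security mac-address ae12.be22.ce33
 spanning-tree portfast
!
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security mac-address 0050.7966.6800
 switchport port-security
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
!
"""


@dataclass
class PortSecurity:
    name: str
    configured: bool = False      # any 'switchport port-security ...' sub-command seen
    enabled: bool = False         # the bare 'switchport port-security' line seen
    maximum: int = 1              # IOS default once the feature is enabled
    violation: str = "shutdown"   # IOS default violation mode
    sticky: bool = False          # sticky learning turned on
    static_macs: list = field(default_factory=list)
    sticky_macs: list = field(default_factory=list)   # sticky entries typed by hand


def parse_interfaces(config: str) -> list[PortSecurity]:
    """Walk the config line by line and collect port-security state per interface."""
    interfaces: list[PortSecurity] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = PortSecurity(name=line.split(None, 1)[1])
            interfaces.append(current)
            continue
        if line == "!":
            current = None            # '!' closes the interface block
            continue
        if current is None or not line:
            continue
        if line.startswith("switchport port-security"):
            current.configured = True
        # Exact matches first, so 'sticky' alone is not swallowed by the MAC regexes.
        if line == "switchport port-security":
            current.enabled = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            current.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", line):
            current.violation = m.group(1)
        elif line == "switchport port-security mac-address sticky":
            current.sticky = True
        elif m := re.fullmatch(r"switchport port-security mac-address sticky (\S+)", line):
            current.sticky_macs.append(m.group(1))
        elif m := re.fullmatch(r"switchport port-security mac-address (\S+)", line):
            current.static_macs.append(m.group(1))
    return interfaces


def audit(config: str) -> dict[str, list[str]]:
    """Return findings per interface that uses port-security; each starts with a code."""
    report: dict[str, list[str]] = {}
    for intf in parse_interfaces(config):
        if not intf.configured:
            continue                  # interface does not use port-security at all
        notes = []
        if not intf.enabled:
            notes.append("NOT_ENABLED: port-security sub-commands present but "
                         "'switchport port-security' is missing, so nothing is enforced")
        for mac in intf.sticky_macs:
            notes.append(f"STICKY_MANUAL: {mac} typed as sticky; behaves like a static entry "
                         "but is removed from the config if sticky learning is disabled")
        pinned = len(intf.static_macs) + len(intf.sticky_macs)
        free = intf.maximum - pinned
        if free > 0:
            kind = "sticky" if intf.sticky else "dynamic"
            notes.append(f"LEARNING: {free} further address(es) may be learned {kind} "
                         f"(maximum {intf.maximum}, violation {intf.violation})")
        report[intf.name] = notes
    return report


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_CONFIG).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Running it on the sample prints NOT_ENABLED for GigabitEthernet1/0/17 (the original poster's port: maximum and addresses configured, feature never switched on) and nothing of the kind for GigabitEthernet0/0, which has the bare `switchport port-security` line. Feed it `show running-config` output from a real switch to get the same report for every access port.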
09-20-2017 04:01 PM - edited 09-20-2017 04:03 PM
Hi
I think other members have provided great answers, basically:
The sticky method will learn the host's MAC address automatically once any host is connected to the port.
With the static method you assign the MAC address in order to say that just these MAC addresses are allowed to be connected to this port.
I don't like to recommend the static method because it could generate complex management.
With sticky, I recommend using these commands:
switchport port-security aging type inactivity
switchport port-security aging time <time in minutes>
It is useful to refresh and remove the inactive MAC addresses.
Hope it is useful
:-)
09-20-2017 07:50 PM
Thank you all for replying.
Just a last question on the reason for enabling port security:
- if we allow dynamic learning, it means we allow different kinds of devices to be connected &
- we are just limiting the number of devices that can be connected to that switchport.
Maybe I am not seeing the full picture. What good use would it be to limit the number of devices that can be connected to a switch port? I just need 1 rogue device to cause damage, isn't it?
09-20-2017 08:41 PM
The primary reason is to prevent rogue switches from allowing unauthorized access to your network or even STP problems resulting from that switch.
A common setup in the real world for end users is often to have a maximum of 2 permitted MAC addresses: 1 for the VoIP phone, and 1 for the PC end station piggybacking off the VoIP phone.
If someone brought in a simple switch and plugged it in in place of the VoIP phone, they could potentially allow different devices into the network (for example, personal laptops, which could have viruses or other malware that could impact users on your network).
By limiting the MAC addresses to 2, preferably manually configured to be the most secure, you can rest assured that only those 2 devices will be permitted to send frames. Although, this doesn't stop a user from SPOOFING a MAC address on their device to gain access.
09-20-2017 10:33 PM
09-21-2017 01:27 PM
09-21-2017 01:43 PM
Hi
That is correct: you will allow different kinds of devices to be connected to the port until the maximum number of MAC addresses allowed is reached. For example, if you set up a maximum of 5 under a port, you can connect 5 different devices on that port; a 6th device could disable the port or just send a message to inform, depending on the type of violation configured.
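The two replies above (the phone-plus-PC port with a maximum of 2, and the violation behaviour once the maximum is reached) describe a small state machine. The Python model below is an added example, not code from the thread or from Cisco: it tracks static, sticky-learned and dynamic secure addresses on one port, applies the protect, restrict and shutdown violation modes, and shows what `no switchport port-security mac-address sticky` does to the running config. Counters, log strings and the MAC addresses are constructed for the example; the handling in `disable_sticky` (sticky entries leave the config and are kept as dynamic entries) is my reading of Cisco's documented behaviour, stated here as an assumption.

```python
"""Behavioural model of one port-security interface (added example, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                 # IOS default
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default: shutdown)
    sticky: bool = False
    static: set = field(default_factory=set)          # typed in: survive 'no ... sticky'
    sticky_learned: set = field(default_factory=set)  # learned and written to the config
    dynamic: set = field(default_factory=set)         # learned, never written to the config
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def secured(self) -> set:
        """All addresses currently allowed to send through the port."""
        return self.static | self.sticky_learned | self.dynamic

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'shutdown'."""
        if self.err_disabled:
            return "drop"                       # port stays down until it is recovered
        if src_mac in self.secured():
            return "forward"                    # only the address is checked, not the device
        if len(self.secured()) < self.maximum:
            (self.sticky_learned if self.sticky else self.dynamic).add(src_mac)
            return "forward"                    # room left: learn it
        # Table full and unknown source: the violation case described in the thread.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                       # silently dropped, nothing reported
        if self.violation == "restrict":
            self.log.append(f"violation: {src_mac} dropped, counter={self.violations}")
            return "drop"                       # dropped and reported
        self.err_disabled = True
        self.log.append(f"err-disable: port shut down after frame from {src_mac}")
        return "shutdown"

    def disable_sticky(self) -> None:
        """Model of 'no switchport port-security mac-address sticky'.
        Assumption for this example: sticky entries leave the running config and
        become dynamic entries; static entries are untouched, as the reply noted."""
        self.sticky = False
        self.dynamic |= self.sticky_learned
        self.sticky_learned.clear()

    def running_config(self) -> list[str]:
        """Interface lines as this model would write them to the running config."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.sticky_learned)]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines


def phone_and_pc_scenario() -> tuple[str, int, bool]:
    """The 2-address user port from the thread: phone, PC, then a third device.
    Returns (result for the third device, violation counter, err-disabled flag)."""
    port = SecurePort(maximum=2, violation="restrict", sticky=True)
    port.receive("0050.7966.6800")             # constructed: VoIP phone
    port.receive("0050.7966.6801")             # constructed: PC behind the phone
    third = port.receive("0050.7966.68ff")     # constructed: third, unexpected device
    return third, port.violations, port.err_disabled


if __name__ == "__main__":
    print(phone_and_pc_scenario())             # restrict mode: ('drop', 1, False)
    port = SecurePort(maximum=2, violation="shutdown", sticky=True, static={"ae12.be22.ce33"})
    port.receive("ae11.be22.ce33")
    print("\n".join(port.running_config()))
    port.disable_sticky()
    print("after disabling sticky:", port.running_config(), port.secured())
```

With `violation="restrict"` the third device is dropped and counted; with the default `shutdown` the same frame err-disables the port, and every later frame, including ones from the phone, is dropped until the port is recovered. The `disable_sticky` call reproduces the earlier reply's warning: the sticky line for ae11.be22.ce33 disappears from the config while the static ae12.be22.ce33 line stays.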