Static port security is a common configuration for printers, copiers and other devices on the network that never change. This lab will discuss and demonstrate the configuration and verification of “Sticky” switchport security.
If you completed the previous lab; Configuring Dynamic Switchport Security than you’ll be pretty much up to speed in this lab.
Dynamic port security is great but what about when you connect switches to routers or other devices that need to be secured in a way to prevent unauthorized device swapping in the network. For example you have a small site location with a 1841 router and a 3560-8pc switch and an end user gets the bright idea to swap the 1841 with a WRT54G because he wants wireless and wired network connectivity.
In this case you can sticky the port that the wan router is connected to preventing unauthorized device swaps like such.
There are two ways to configure a sticky port. The first way being that you configure a static MAC address when configuring port-security on a specific interface. The next way which is more convenient is to configure a “Sticky” MAC address and leave the max MAC addresses to its default value of one. When port-security is configured this way, the first MAC address learned on the switch port will be automatically statically configured into the running-configuration as if you manually specified the MAC address.
In this lab you will familiarize yourself with the following new commands;
|switchport port-security mac-address h.h.h||This command is executed in interface configuration mode and statically sets a MAC address that allows traffic with the source MAC to traverse the switch.|
|switchport port-security mac-address sticky||This command is executed in interface configuration mode and configures the port to dynamically learn the MAC address and automatically configure the MAC address as a static MAC address associated with the port.|
|clear port-security all interface interfacename#/#||This command is executed in privileged mode to erase the current secure mac-address table for a specified switch port.|
Step 1. – Enable port-security on SW1′s Fa0/1 interface and configure the interface to sticky the MAC address learned. Upon a port security violation, protect the port. Verify your configuration.
To enable port-security you’ll execute the switchport port-security command as previously learned in Lab 4-19. To configure the interface to sticky the MAC address dynamically learn use the switchport port-security mac sticky command in interface configuration mode as discussed at the beginning of this lab.
SW1 con0 is now available Press RETURN to get started. SW1>enable SW1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. SW1(config)#interface fa0/1 SW1(config-if)#switchport port-security SW1(config-if)#switchport port-security mac sticky SW1(config-if)#switchport port-security violation protect SW1(config-if)#end SW1# %SYS-5-CONFIG_I: Configured from console by console SW1#
To verify your configuration you can use the following commands shown below;
SW1#show port-security interface fa0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Restrict Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 1 Last Source Address:Vlan : 000f.242e.bf80:1 Security Violation Count : 0 SW1#show port-security interface fa0/1 address Secure Mac Address Table ------------------------------------------------------------------------ Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 000f.242e.bf80 SecureSticky Fa0/1 - ------------------------------------------------------------------------ Total Addresses: 1 SW1#show run int fa0/1 Building configuration... Current configuration : 245 bytes ! interface FastEthernet0/1 switchport mode access switchport port-security switchport port-security violation restrict switchport port-security mac-address sticky switchport port-security mac-address sticky 000f.242e.bf80 vlan access end SW1#
Step 2. – Change the MAC address on R1’s Fa0/0 to aaaa.aaaa.abcd then configure the same MAC address as a static MAC in port-security on SW1’s Fa0/1 interface. Verify your configuration.
Keep in mind as soon as you change the MAC address on R1′s Fa0/0 interface, R1 will no longer be able to communicate to any resources on the network as the MAC address is not in the secure mac-address table on SW1 Fa0/1, thus any received frames will be dropped.
R1 con0 is now available Press RETURN to get started. R1#enable R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface fa0/0 R1(config-if)#mac-address aaaa.aaaa.aaab R1(config-if)#end R1#
To resolve communication issue between R1 and SW1 due to the port-security violation after the MAC address on R1 has changed you’ll need to shutdown Fa0/1 and clear the secure mac-address table on that interface using the clear port-security all interface Fa0/1 command in privileged mode or configuration mode with the do command prefix. Afterward configure the new static MAC address using the switchport port-security mac aaaa.aaaa.aaab command.
SW1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. SW1(config)#interface fa0/1 SW1(config-if)#shutdown %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down SW1(config-if)#do clear port-security all interface fa0/1 SW1(config-if)#switchport port-security mac-address aaaa.aaaa.aaab SW1(config-if)#no shut SW1(config-if)#end SW1# %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up SW1# %SYS-5-CONFIG_I: Configured from console by console SW1#
To verify that connectivity has been restored between R1 and SW1, ping SW1′s Vlan1 interface from R1;
R1#ping 10.1.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms R1#