Port Security can be used to mitigate spoof attacks by limiting access
through each switch port to a single MAC address. This prevents intruders from
using multiple MAC addresses over a short period of time but does not limit
port access to a specific MAC address. The most restrictive Port Security
implementation would then specify the exact MAC address of the single device
that is to gain access through each port. Implementing this level of security,
however, requires considerable administrative overhead.
Port Security has a feature called "sticky MAC addresses" that can limit switch
port access to a single, specific MAC address without the network administrator
having to gather and manually associate the MAC address of every legitimate
device with a particular switch port.
When sticky MAC addresses are used, the switch port converts dynamically learned
MAC addresses to sticky MAC addresses and adds them to the running configuration
as if they were static entries for the single MAC address that Port Security is
to allow. Sticky secure MAC addresses are added to the running configuration but
do not become part of the startup configuration file unless the running
configuration is copied to the startup configuration after the addresses have
been learned. If they are saved in the startup configuration, they do not have
to be relearned after a switch reboot, which provides a higher level of network
security.
The following interface command converts all MAC addresses dynamically learned
by Port Security on that port to sticky secure MAC addresses:

switchport port-security mac-address sticky

This command cannot be used on ports where voice VLANs are configured.
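As an added example (not part of the original text), the following Python script audits switch configuration text for the two gaps described above: Port Security ports still relying on dynamic learning only, and sticky addresses present in the running configuration that have not yet been saved to the startup configuration. The configuration samples are constructed for illustration, not captured from a real switch.

```python
import re
# Constructed "show running-config" (not from a real switch): sticky addresses
# were learned on Gi0/1 and Gi0/2; Gi0/3 has Port Security but dynamic learning only.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
interface GigabitEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0a0b.0c0d.0e0f
interface GigabitEthernet0/3
 switchport port-security
"""
# Constructed "show startup-config": saved after Gi0/1 learned its address,
# before Gi0/2 and Gi0/3 were configured.
STARTUP_CONFIG = """\
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
"""

def parse_port_security(config):
    """Per interface: Port Security on, sticky learning on, sticky MACs recorded."""
    ports, iface = {}, None
    for line in config.splitlines():
        cmd = line.strip()
        if m := re.match(r"interface (\S+)$", cmd):
            iface = m.group(1)
            ports[iface] = {"ps": False, "sticky": False, "macs": set()}
        elif iface is None:
            continue  # skip anything before the first interface stanza
        elif cmd == "switchport port-security":
            ports[iface]["ps"] = True
        elif cmd == "switchport port-security mac-address sticky":
            ports[iface]["sticky"] = True
        elif m := re.match(r"switchport port-security mac-address sticky ([0-9a-f.]+)$", cmd):
            ports[iface]["macs"].add(m.group(1))
    return ports

def unsaved_sticky(running, startup):
    """Sticky MACs in running-config that startup-config lacks: lost at reboot unless saved."""
    saved = {i: p["macs"] for i, p in parse_port_security(startup).items()}
    return {i: sorted(p["macs"] - saved.get(i, set())) for i, p in
            parse_port_security(running).items() if p["macs"] - saved.get(i, set())}

def ports_without_sticky(running):
    """Port Security ports still relying on dynamic learning only."""
    return sorted(i for i, p in parse_port_security(running).items() if p["ps"] and not p["sticky"])
```

The same functions can be run over the text of `show running-config` and `show startup-config` captured from a switch; a non-empty result from `unsaved_sticky` means `copy running-config startup-config` is still needed to keep the learned bindings across a reboot.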