Switch Security Issues
Port security with sticky MAC addresses

Port Security can be used to mitigate spoof attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short period of time but does not limit port access to a specific MAC address. The most restrictive Port Security implementation would then specify the exact MAC address of the single device that is to gain access through each port. Implementing this level of security, however, requires considerable administrative overhead.

Port Security has a feature called "sticky MAC addresses" that can limit switch port access to a single, specific MAC address without the network administrator having to gather and manually associate the MAC address of every legitimate device with a particular switch port.

When sticky MAC addresses are used, the switch port converts dynamically learned MAC addresses to sticky MAC addresses and adds them to the running configuration as if they were static entries for the single MAC address allowed by Port Security. Sticky secure MAC addresses are added to the running configuration but do not become part of the startup configuration file unless the running configuration is copied to the startup configuration after the addresses have been learned. If they are saved in the startup configuration, they do not have to be relearned after a switch reboot, which provides a higher level of network security.

The following interface command converts all dynamically learned Port Security MAC addresses to sticky secure MAC addresses.

switchport port-security mac-address sticky

This command cannot be used on ports where voice VLANs are configured.
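A complete per-port configuration that puts the sticky command in context, as an added example that is not part of the original text; it assumes a Cisco IOS switch, and the interface name GigabitEthernet0/1 and the shutdown violation mode are choices made for illustration.

```cisco
! Added example (not from the original text): Port Security with sticky
! addresses on one access port of a Cisco IOS switch. The interface name
! GigabitEthernet0/1 is chosen for illustration.
configure terminal
 interface GigabitEthernet0/1
  ! Port Security needs a statically set access (or trunk) port, not "dynamic"
  switchport mode access
  switchport port-security
  ! one secure address per port, as the text describes
  switchport port-security maximum 1
  ! drop offending frames and err-disable the port when a second address appears
  switchport port-security violation shutdown
  ! convert dynamically learned addresses to sticky secure entries
  switchport port-security mac-address sticky
 end
! After the legitimate host has sent traffic, the learned address appears in
! the running configuration as a sticky entry. Verify before saving:
show port-security interface GigabitEthernet0/1
show running-config interface GigabitEthernet0/1
! Persist the learned sticky address so it is not relearned after a reboot
copy running-config startup-config
```

In the `show running-config interface` output the learned entry appears as `switchport port-security mac-address sticky` followed by the address; if it is missing, the host has not sent a frame yet or the port is not in a statically set switchport mode.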