TechLibrary

Understanding Persistent MAC Learning (Sticky MAC)

Persistent MAC learning, also known as sticky MAC, is a port security feature that allows retention of dynamically learned MAC addresses on an interface across restarts of the switch (or if the interface goes down).

Persistent MAC address learning is disabled by default. You can enable persistent MAC address learning in conjunction with MAC limiting to restrict the number of persistent MAC addresses. You enable this feature on interfaces.

Configure persistent MAC learning on an interface to:

  • Prevent traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.
  • Protect the switch against security attacks. Use persistent MAC learning in combination with MAC limiting to protect against attacks such as Layer 2 denial of service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the MAC addresses allowed while still allowing the interface to dynamically learn a specified number of MAC addresses. The interface is secured because after the limit has been reached, additional devices cannot connect to the port.

    By enabling persistent MAC learning along with MAC limiting, you can allow interfaces to learn MAC addresses of trusted workstations and servers during the period from when you connect the interface to your network until the limit for MAC addresses is reached, and ensure that after this initial period with the limit reached, new devices will not be allowed even if the switch restarts. The alternatives to using persistent MAC learning with MAC limiting are to statically configure each MAC address on each port or to allow the port to continuously learn new MAC addresses after restarts or interface-down events. Allowing the port to continuously learn MAC addresses represents a security risk.

Note: While a switch is rebooting or an interface is coming back up, there might be a short delay before the interface can learn more MAC addresses. This delay occurs while the system re-enters previously learned persistent MAC addresses into the forwarding database for the interface.

Tip: If you move a device within your network that has a persistent MAC address entry on the switch, use the clear ethernet-switching table persistent-mac command to clear the persistent MAC address entry from the interface. If you move the device and do not clear the persistent MAC address from the original port it was learned on, then the new port will not learn the MAC address and the device will not be able to connect.

If the original port is down when you move the device, then the new port will learn the MAC address and the device can connect. However, if you do not clear the MAC address on the original port, then when the port comes back up, the system reinstalls the persistent MAC address in the forwarding table for that port. If this occurs, the address is removed from the new port and the device loses connectivity.

Consider the following configuration guidelines when configuring persistent MAC learning:

  • Interfaces must be configured in access mode (use the port-mode configuration statement).
  • You cannot enable persistent MAC learning on an interface on which 802.1x authentication is configured.
  • You cannot enable persistent MAC learning on an interface that is part of a redundant trunk group.
  • You cannot enable persistent MAC learning on an interface on which no-mac-learning is enabled.
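
The following is an added configuration example, not taken from this page, showing how the pieces above fit together on one access port: the port is placed in access mode as the guidelines require, MAC limiting caps how many addresses the port may learn, and persistent learning keeps those addresses across a reboot or link flap. The interface name ge-0/0/10, the VLAN name employees, the limit of 5 and the drop action are assumptions chosen for illustration; the statements themselves are the Junos secure-access-port and ethernet-switching statements this feature is configured with. The operational commands at the end show how to verify the retained entries and how to apply the clear command from the tip above when a device is moved to another port.

```junos
## Guideline: the port must be an access port (port-mode statement).
## The interface must not also carry 802.1x, no-mac-learning, or
## redundant-trunk-group configuration, or the commit will be rejected.
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members employees

## MAC limiting: allow at most 5 dynamically learned addresses on the port
## (assumed value); frames from a 6th source MAC are dropped.
set ethernet-switching-options secure-access-port interface ge-0/0/10 mac-limit 5 action drop

## Persistent (sticky) learning: addresses learned up to the limit are
## retained across switch restarts and interface-down events.
set ethernet-switching-options secure-access-port interface ge-0/0/10 persistent-learning

commit

## Verification: list the persistent entries the port has retained.
show ethernet-switching table persistent-mac interface ge-0/0/10

## Moving a device: clear its persistent entry from the original port first,
## otherwise the new port will not learn the address (see the tip above).
clear ethernet-switching table persistent-mac interface ge-0/0/10
```

Because the limit is reached only after the trusted hosts have been learned, the practical check after a reboot is to confirm that the persistent-mac table for the port still lists exactly those hosts and nothing else; an unexpected entry means an untrusted device was attached during the learning window, and the entry should be cleared and the port re-learned under supervision.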

Published: 2011-11-14