Understanding and Using Persistent MAC Learning


Understanding Persistent MAC Learning (Sticky MAC)

Persistent MAC learning, also known as sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online.

Persistent MAC address learning is disabled by default. You can enable persistent MAC address learning in conjunction with MAC limiting to restrict the number of persistent MAC addresses. You enable this feature on interfaces.

Configure persistent MAC learning on an interface to:

  • Prevent traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.

  • Protect the switch against security attacks. Use persistent MAC learning in combination with MAC limiting to protect against attacks, such as Layer 2 denial-of-service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks, by limiting the MAC addresses allowed while still allowing the interface to dynamically learn a specified number of MAC addresses. The interface is secured because after the limit has been reached, additional devices cannot connect to the port.

By configuring persistent MAC learning along with MAC limiting, you enable interfaces to learn MAC addresses of trusted workstations and servers from the time when you connect the interface to your network until the limit for MAC addresses is reached, and ensure that after this limit is reached, new devices will not be allowed to connect to the interface even if the switch restarts. As an alternative to using persistent MAC learning with MAC limiting, you can statically configure each MAC address on each port or allow the port to continuously learn new MAC addresses after restarts or interface-down events. Allowing the port to continuously learn MAC addresses represents a security risk.

Note

While a switch is restarting or an interface is coming back up, there might be a short delay before the interface can learn more MAC addresses. This delay occurs while the system re-enters previously learned persistent MAC addresses into the forwarding database for the interface.

Consider the following configuration guidelines when configuring persistent MAC learning:

  • Interfaces must be configured in access mode (use the port-mode configuration statement or, for switches operating on the Enhanced Layer 2 Software (ELS) configuration style, the interface-mode configuration statement).

  • You cannot enable persistent MAC learning on an interface on which 802.1x authentication is configured.

  • You cannot enable persistent MAC learning on an interface that is part of a redundant trunk group.

  • You cannot enable persistent MAC learning on an interface on which no-mac-learning is enabled.

Tip

If you move a device within your network that has a persistent MAC address entry on the switch, use the clear ethernet-switching table command to clear the persistent MAC address entry from the interface. If you move the device and do not clear the persistent MAC address from the original port it was learned on, then the new port will not learn the MAC address of the device and the device will not be able to connect. If the original port is down when you move the device, then the new port will learn the MAC address and the device can connect. However, if you do not clear the persistent MAC address on the original port, then when the port restarts, the system reinstalls the persistent MAC address in the forwarding table for that port. If this occurs, the persistent MAC address is removed from the new port and the device loses connectivity.

Configuring Persistent MAC Learning (ELS)

Note

This section describes using Junos OS with support for the Enhanced Layer 2 Software (ELS). For more information on ELS, see Using the Enhanced Layer 2 Software CLI.

To configure persistent MAC learning on an interface and limit the number of allowed MAC addresses:

  1. Enable persistent MAC learning on an interface:

    [edit switch-options]
    user@switch# set interface interface-name persistent-learning

  2. Configure the MAC limit on an interface, and specify the action that the switch takes after the specified limit is exceeded:

    [edit switch-options]
    user@switch# set interface interface-name interface-mac-limit limit packet-action action

    After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Values for action are:

  • drop: Drop packets with new source MAC addresses, and do not learn the new source MAC addresses.

  • drop-and-log (EX Series switches only): Drop packets with new source MAC addresses, and generate an alarm, an SNMP trap, or a system log entry.

  • log (EX Series switches only): Hold packets with new source MAC addresses, and generate an alarm, an SNMP trap, or a system log entry.

  • none (EX Series switches only): Forward packets with new source MAC addresses, and learn the new source MAC address.

  • shutdown (EX Series switches only): Disable the specified interface, and generate an alarm, an SNMP trap, or a system log entry.
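The two steps above, written out as a complete set of ELS commands for one access port (an added example, not taken from the original page): the interface ge-0/0/42.0, the VLAN name and ID, and the limit of 2 are assumed values chosen for illustration.

```junos
# Added example, not from the original page. Interface, VLAN and limit values are assumed.

# Prerequisite from the configuration guidelines: the port must be in access mode.
set vlans servers vlan-id 10
set interfaces ge-0/0/42 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/42 unit 0 family ethernet-switching vlan members servers

# Step 1: retain dynamically learned MAC addresses across switch restarts
# and interface-down events.
set switch-options interface ge-0/0/42.0 persistent-learning

# Step 2: allow at most 2 learned addresses; once the limit is reached, frames
# from any new source MAC are dropped and the address is not learned.
# Note: setting the limit clears the entries the port had already learned.
set switch-options interface ge-0/0/42.0 interface-mac-limit 2 packet-action drop

commit

# Verification from configuration mode: the learned entries for ge-0/0/42.0
# should be listed as persistent.
run show ethernet-switching table

# Only when a trusted host is moved to a different port: clear its sticky entry
# from the original port first, otherwise the new port will not learn it and,
# after the original port restarts, the entry is reinstalled there again.
run clear ethernet-switching table
```

With packet-action shutdown instead of drop, reaching the limit disables the whole interface, so choose drop where a single unexpected device must not take down the trusted hosts sharing the port.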

Configuring Persistent MAC Learning (non-ELS)

Persistent MAC address learning, also known as sticky MAC, is disabled by default. You can enable it to allow dynamically learned MAC addresses to be retained on an interface across restarts of the switch.

Note

This section describes using Junos OS without support for the Enhanced Layer 2 Software (ELS). For more information on ELS, see Using the Enhanced Layer 2 Software CLI.

Use persistent MAC address learning to:

  • Help prevent traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.

  • Protect the switch against security attacks—use persistent MAC learning in combination with MAC limiting to protect against attacks while still avoiding the need to statically configure MAC addresses. When the initial learning of MAC addresses up to the number specified by the MAC limit is done, new addresses will not be allowed even after a reboot. The port is secured because after the limit has been reached, additional devices cannot connect to the interface.

The first devices that send traffic after you connect are learned during the initial connection period. You can monitor the MAC addresses and provide the same level of security as if you statically configured each MAC address on each interface, except with less manual effort. Persistent MAC learning also helps prevent traffic loss for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic.

Verifying That Persistent MAC Learning Is Working Correctly

Purpose

Verify that persistent MAC learning, also known as sticky MAC, is working on the interface. Persistent MAC learning allows retention of dynamically learned MAC addresses on an interface across restarts of the switch (or if the interface goes down).

Action

Display the MAC addresses that have been learned. The following sample output shows the results when persistent MAC learning is enabled on interface ge-0/0/42:

    user@switch> show ethernet-switching table persistent-mac

    user@switch> show ethernet-switching table

Meaning

The sample output shows that learned MAC addresses are stored in the Ethernet switching table as persistent entries. If the switch is rebooted or the interface goes down and comes back up, these addresses will be restored to the table.