Wired Intelligent Edge (Campus Switching and Routing)


How do I enable Sticky MAC and MAC limit functionality on an Aruba Mobility Access Switch?

Jul 11, 2014 05:15 PM

Sticky MAC with MAC limit mitigates Layer 2 attacks such as DoS attacks, Ethernet switching table overflow attacks, and DHCP starvation attacks by limiting the MAC addresses allowed on an interface while still allowing the interface to dynamically learn a specified number of MAC addresses. Once the limit has been reached, additional devices cannot connect to the port.

Sticky MAC is a port security feature that dynamically learns MAC addresses on an interface and retains the MAC information across a reboot of the Mobility Access Switch. The MAC limit feature restricts the maximum number of MACs that can be learnt on the interface. When the MAC limit is enabled, the switch can log the excess MACs, drop new MAC learning requests, or shut down the port.


By enabling Sticky MAC learning along with MAC limiting, interfaces can be allowed to learn the MAC addresses of trusted workstations and servers from the moment the interface is connected to the network until the MAC address limit is reached.

Sticky MAC is disabled by default and is not supported on untrusted interfaces. Also, once a MAC address is learned on one interface, it will not be learned on any other interface in the same VLAN.

 

Sticky MAC is a new feature introduced in AOS version 7.3.0.0; any version below 7.3.0.0 does not have this feature.

 

Environment: All the sample outputs in this article are from Aruba S2500 Mobility Access Switch running AOS version 7.3.0.0.

 

Use the following commands to configure the MAC limit:

(host)(config)# interface-profile port-security-profile <profile-name>
mac-limit <limit> action {drop|log|shutdown}
auto-recovery-time <time in seconds>


The following example shows how to enable the MAC Limit functionality:

(S2500-24P) (config)# interface-profile port-security-profile PS1
(ArubaS2500-24P) (Port security profile "PS1") # mac-limit 30 action drop
(ArubaS2500-24P) (Port security profile "PS1") # auto-recovery-time 50


Commands for enabling/disabling Sticky MAC in a port-security profile:

(S2500-24P) (config) #interface-profile port-security-profile PS1
(ArubaS2500-24P) (Port security profile "PS1") #sticky-mac
(ArubaS2500-24P) (Port security profile "PS1") #no sticky-mac

 

Commands for verifying Sticky MAC:

 

To display the MAC addresses learnt on a Mobility Access Switch:

(ArubaS2500-24P) #show mac-address-table sticky
Total MAC address: 6
MAC Address Table
-----------------
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
02:9b:2b:88:b7:9f    Sticky        0050  GE0/0/10
02:c7:a4:88:b7:9f    Sticky        0050  GE0/0/10
d8:c7:c8:c0:42:8a    Sticky        0050  GE0/0/22
00:11:22:33:44:55    Sticky        0086  GE0/0/20


To display the MAC addresses learnt on a VLAN:

(ArubaS2500-24P) #show mac-address-table vlan 086 sticky
Total MAC address: 1
MAC Address Table
-----------------
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
00:11:22:33:44:55    Sticky        0086  GE0/0/20


To display the MAC addresses learnt on an interface:

(ArubaS2500-24P) #show mac-address-table interface gigabitethernet 0/0/22 sticky
Total MAC address: 1
MAC Address Table
-----------------
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
d8:c7:c8:c0:42:8a    Sticky        0050  GE0/0/22
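As an added example (not from this article and not Aruba code), the following Python helper parses the `show mac-address-table sticky` output format shown above, counts sticky entries per port, flags ports that are within one entry of a configured mac-limit (the PS1 profile above uses 30), and reports any MAC that appears on more than one port in the same VLAN, which the sticky behaviour described earlier should never produce. The sample output is constructed and the MAC values are made up.

```python
import re
from collections import Counter

# Constructed sample modelled on the "show mac-address-table sticky" output
# format above; the MAC addresses are made-up values.
SAMPLE_OUTPUT = """\
Total MAC address: 4
MAC Address Table
-----------------
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
02:9b:2b:88:b7:9f    Sticky        0050  GE0/0/10
02:c7:a4:88:b7:9f    Sticky        0050  GE0/0/10
d8:c7:c8:c0:42:8a    Sticky        0050  GE0/0/22
00:11:22:33:44:55    Sticky        0086  GE0/0/20
"""

# One table row: MAC, address type, VLAN (zero-padded) and port.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_sticky_table(text):
    """Return (mac, type, vlan, port) tuples; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["mac"].lower(), m["type"], int(m["vlan"]), m["port"]))
    return rows


def sticky_counts_per_port(rows):
    """Number of sticky entries learnt on each port."""
    return Counter(port for _, _, _, port in rows)


def ports_near_limit(rows, mac_limit, headroom=1):
    """Ports whose sticky entry count is within `headroom` of the mac-limit."""
    counts = sticky_counts_per_port(rows)
    return sorted(p for p, n in counts.items() if n >= mac_limit - headroom)


def macs_on_multiple_ports(rows):
    """(mac, vlan) pairs seen on more than one port; sticky MAC should prevent this."""
    seen = {}
    for mac, _, vlan, port in rows:
        seen.setdefault((mac, vlan), set()).add(port)
    return sorted(key for key, ports in seen.items() if len(ports) > 1)
```

Feed the helper the captured output of the show command (for example, copied from a terminal session) and review ports that appear in `ports_near_limit` before a drop or shutdown action is triggered.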

 

Commands for clearing Sticky MAC addresses:

Execute the following command to remove the Sticky MAC addresses on a Mobility Access Switch:
(host) clear mac-address-table sticky

Execute the following command to remove the Sticky MAC addresses on a VLAN:
(host) clear mac-address-table vlan <id> sticky

Execute the following command to remove the Sticky MAC addresses on an interface:
(host) clear mac-address-table interface <interface-name> sticky

Execute the following command to remove a specific Sticky MAC address on a VLAN:
(host) clear mac-address-table vlan <id> mac <mac-address> sticky

Execute the following command to remove a specific Sticky MAC address on an interface:
(host) clear mac-address-table interface <interface-name> mac <mac address> sticky

Execute the following command to remove a specific Sticky MAC address on a VLAN port:
(host) clear mac-address-table vlan <id> interface <interface name> sticky
