Sticky MAC Configuration and its Enhancements
Sticky MAC is a port security feature that dynamically learns MAC addresses on an interface and retains the MAC information in case the Mobility Access Switch reboots.
Sticky MAC is an alternative to the tedious and manual configuration of static MAC addresses on a port or to allow the port to continuously learn new MAC addresses after interface-down events. Allowing the port to continuously learn MAC addresses is a security risk. Sticky MAC prevents traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.
Enable Sticky MAC in conjunction with MAC limit to restrict the number of MAC addresses learning.
Sticky MAC with MAC limit prevents Layer 2 denial of service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the MAC addresses allowed while still allowing the interface to dynamically learn a specified number of MAC addresses. The interface is secured because after the limit has been reached, additional devices cannot connect to the port.
By enabling Sticky MAC learning along with MAC limiting, interfaces can be allowed to learn MAC addresses of trusted workstations and servers during the period from when the interface are connected to the network until the limit for MAC addresses is reached. This ensures that after this initial period with the limit reached, new devices will not be allowed even if the Mobility Access Switch restarts.
Sticky MAC is disabled by default.
Points to Remember
- Sticky MAC is not supported on untrusted interfaces.
- Sticky MAC is not supported on HSL interfaces.
- No global configuration to enable or disable Sticky MAC address learning. The Sticky MAC feature will be enabled at interface level as part of port-security profile.
- Though the feature is enabled at the interface level, the MAC addresses are learned at the VLAN level.
- Configure on access or edge ports. However, there is no restriction for configuring Sticky MAC on trunk ports.
- Once a MAC address is learned on one interface, it will not be learned on any other interface in the same VLAN (no MAC move).
- Clear command with Sticky keyword can be used to remove Sticky MAC Addresses. All sticky MAC addresses will be removed when the VLAN is removed or the port-security profile is removed from the interface.
- Sticky MAC address can be learned on interfaces in other VLANs.
- Sticky MAC addresses, Phone MAC addresses and Dynamic addresses are considered as a part of MAC limit.
- Static addresses are not included in MAC limit.
In order to configure the Sticky MAC, please follow the below link:
Enhancements to Sticky MAC Configuration:
Starting from ArubaOS188.8.131.52, the Mobility Access Switch allows you to configure the Sticky MAC feature with an action to take when a Sticky MAC violation occurs. The allowed actions are:
- Drop—Drops any new MAC addresses trying to connect to the interface. This is the default option.
- Shutdown—Shuts down the port on which the sticky MAC violation occurs. You can also optionally set an auto-recovery time between 0-65535 seconds for the interface to recover.
Configuring Sticky MAC Action:
To enable and configure a Sticky MAC action, execute the following command:
(host) (config) #interface-profile port-security-profile <profile-name>
(host) (Port security profile "<profile-name>") #sticky-mac action [drop | shutdown autorecovery-time <1-65535>]
(host) (config) #interface-profile port-security-profile sticky
(host) (Port security profile "sticky") #sticky-mac action shutdown auto-recovery-time 10
Verifying Sticky MAC Configuration:
Execute the following command to verify the Sticky MAC configuration:
(host) #show interface-profile port-security-profile <profile-name>
The following command verifies the sample configuration:
(host) #show interface-profile port-security-profile sticky
Port security profile "sticky"
IPV6 RA Guard Action N/A
IPV6 RA Guard Auto Recovery Time N/A
MAC Limit N/A
MAC Limit Action N/A
MAC Limit Auto Recovery Time N/A
Sticky MAC Enabled
Sticky MAC Action Shutdown
Sticky MAC Auto Recovery Time 10 Seconds
Trust DHCP No
Port Loop Protect N/A
Port Loop Protect Auto Recovery Time N/A
IP Source Guard N/A
Dynamic Arp Inspection N/A
Verified and tested in 184.108.40.206 image version.