Configuring Persistent MAC Learning (CLI Procedure)

You can configure persistent MAC learning, also known as sticky MAC, to allow dynamically learned MAC addresses to be retained on an interface across restarts of the switch.

Persistent MAC address learning is disabled by default. You can enable it to:

  • Help prevent traffic loss for trusted workstations and servers, because the interface does not have to relearn their addresses from ingress traffic after a restart.
  • Protect the switch against attacks that depend on introducing new MAC addresses on a port (for example, connecting an unauthorized device or flooding the interface with new source addresses). Use persistent MAC learning together with MAC limiting: once the interface has learned the number of addresses specified by the MAC limit, no further addresses are accepted, and because the learned addresses persist, the limit still holds after a reboot. You get the protection of statically configured MAC addresses without having to configure them.

The first devices that send traffic after the interface comes up are the ones learned during the initial connection period, up to the MAC limit. This is trust on first use: any device present during that window becomes a persistent entry, so check the learned addresses after enabling the feature to confirm that only the intended devices were connected. After that, the port is secured to the same degree as if you had statically configured each MAC address on each interface, with far less manual effort.

To configure persistent MAC learning on an interface and limit the number of allowed MAC addresses:

  1. Enable persistent MAC learning on an interface:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/1 persistent-learning
  2. Limit the number of dynamic MAC addresses the interface may learn. When the limit is reached, the switch takes one of the following actions on further packets received on the interface from addresses it has not learned:
      • drop—Drop the packets. This is the default and is applied if you configure no action; you can also configure it explicitly.
      • log—Allow the packets but log a message.
      • none—Take no action.
      • shutdown—Shut down the interface.
    Only drop and shutdown actually enforce the limit; log and none let traffic from addresses beyond the limit through, so they are suitable for monitoring a port before you secure it, not for protecting it.
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/1 mac-limit 5

Tip: If you move a device that has a persistent MAC address entry on the switch, use the clear ethernet-switching table persistent-mac command to clear that entry from the original port before reconnecting the device. If you move the device to another port on the switch without clearing the entry, the new port will not learn the MAC address and the device will not be able to connect. If the original port is down when you move the device, the new port does learn the MAC address and the device can connect; however, when the original port comes back up, the switch reinstalls the persistent MAC address in the forwarding table for that port. The address is then removed from the new port and the device loses connectivity, unless you cleared it from the original port.
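The following is a complete worked configuration for the procedure above, together with the operational commands for the move scenario in the tip. It is an added example, not part of the original page. It assumes a legacy (non-ELS) EX Series switch; the interface names ge-0/0/1 and ge-0/0/2, the roles assigned to them and the limits are assumptions for illustration, and the show command used for verification is assumed to be available on the release in use.

```junos
## Added example (not from the original page). Interfaces, limits and roles are assumed.
[edit ethernet-switching-options secure-access-port]
## Server port: exactly one trusted host; any other source address shuts the port down.
user@switch# set interface ge-0/0/1 persistent-learning
user@switch# set interface ge-0/0/1 mac-limit 1 action shutdown
## Workstation port with an IP phone and a PC: allow two addresses, silently drop the rest.
user@switch# set interface ge-0/0/2 persistent-learning
user@switch# set interface ge-0/0/2 mac-limit 2 action drop
user@switch# commit and-quit

## Verify which addresses each port learned and retained (assumed show command).
## Do this right after the initial learning window to confirm no untrusted device was present.
user@switch> show ethernet-switching table persistent-mac

## Moving the server from ge-0/0/1 to ge-0/0/2: clear the persistent entry on the
## original port first. Otherwise ge-0/0/2 will not learn the address, and if ge-0/0/1
## was down during the move it reclaims the address as soon as it comes back up.
user@switch> clear ethernet-switching table persistent-mac interface ge-0/0/1
```

The two ports show the trade-off between the enforcing actions: shutdown is the right choice for a port that should never see a second device, since it fails closed and forces an administrator to look at it, while drop keeps a shared port usable when an extra device appears. Leaving out the action keeps the default of drop; log and none would let the extra traffic through and give no protection.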

Published: 2012-12-07