Sticky MAC

dndncr101
Level 1

Hello,

I have a question that I hope someone can help me with. I want to know: if you configure a switchport with sticky MAC and it learns a MAC address, which is then written to the config, what happens if you move that learned MAC to another switch with the same VLAN? Will it cause a security violation?

Accepted Solution

Peter Paluch
Cisco Employee

Hello,

Quoting from Catalyst 3560 IOS Configuration Guide:

It is a security violation when one of these situations occurs:

  • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

So, it depends on how the switches are interconnected. Usually, we use trunk ports to interconnect switches, and trunks are almost never configured with port security. Therefore, seeing a secure MAC address on a trunk port in the same VLAN will not lead to a security violation. If, however, the switches were interconnected by a port configured with port security, then the arrival of a frame with a source MAC learned on another secure port will trigger a security violation.

However, consider a different aspect of this situation: if a secure port with a sticky-learned MAC address is up, then the MAC address is also stored in the MAC address table, and will not be learned on a different port. The station with the respective MAC address is locked to the secure port where its MAC address is currently learned. So, even if a station with a spoofed MAC address is connected to a different (secure or unsecure) port on the same switch, it will not be added to the MAC address table.

Best regards,

Peter


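The two violation conditions quoted from the configuration guide, plus the "locked to the secure port while it is up" behaviour from the answer, can be written down as a small state machine. The model below is an added example, not Cisco code and not part of this thread: port names, MAC addresses and the VLAN number are constructed, the trunk is modelled simply as a port without port security, and `running_config()` renders the sticky addresses in the `switchport port-security mac-address sticky <mac>` form IOS uses when it writes them to the configuration.

```python
"""Toy model of sticky port security (added example, not Cisco code).

It encodes the two violation conditions quoted from the Catalyst 3560 guide
and the MAC-table locking behaviour described in the accepted answer.
Port names, MACs and VLAN numbers are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    vlan: int
    secure: bool = False          # 'switchport port-security' enabled
    maximum: int = 1              # 'switchport port-security maximum N'
    up: bool = True
    secure_macs: set = field(default_factory=set)  # sticky-learned addresses (written to config)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}       # (vlan, mac) -> port name
        self.violations = []      # (port, mac, reason)

    def _violate(self, port_name, mac, reason):
        self.violations.append((port_name, mac, reason))
        return "violation"

    def receive(self, port_name, src_mac):
        """Process the source MAC of a frame arriving on port_name."""
        port = self.ports[port_name]
        key = (port.vlan, src_mac)
        if port.secure:
            # Condition 2: the address is secured on another secure port in the same VLAN.
            # The check is against configured sticky addresses, so it fires even if the
            # other port is currently down.
            for other in self.ports.values():
                if (other is not port and other.secure and other.vlan == port.vlan
                        and src_mac in other.secure_macs):
                    return self._violate(port_name, src_mac,
                                         f"address secured on {other.name} seen on {port_name}")
            if src_mac not in port.secure_macs:
                # Condition 1: the secure table is full and an unknown station arrives.
                if len(port.secure_macs) >= port.maximum:
                    return self._violate(port_name, src_mac, "maximum secure addresses reached")
                port.secure_macs.add(src_mac)           # sticky learn: lands in running-config
                self.mac_table[key] = port_name
                return "sticky-learned"
            self.mac_table[key] = port_name
            return "forwarded"
        # Non-secure port (a trunk towards another switch, say): never a violation.
        owner = self.mac_table.get(key)
        if owner is not None and owner != port_name and self.ports[owner].secure and self.ports[owner].up:
            return "ignored"     # locked to the up secure port; not relearned here
        self.mac_table[key] = port_name
        return "forwarded"

    def link_down(self, port_name):
        """Port goes down: dynamic MAC entries are flushed, sticky config entries persist."""
        self.ports[port_name].up = False
        self.mac_table = {k: v for k, v in self.mac_table.items() if v != port_name}

    def running_config(self):
        """Render secure ports as the sticky lines IOS writes into the configuration."""
        lines = []
        for p in self.ports.values():
            if not p.secure:
                continue
            lines.append(f"interface {p.name}")
            lines.append(f" switchport port-security maximum {p.maximum}")
            lines.append(" switchport port-security mac-address sticky")
            for mac in sorted(p.secure_macs):
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


def build_demo_switch():
    """Two secure access ports and one trunk, all in VLAN 10 (constructed topology)."""
    return Switch([
        Port("Gi0/1", vlan=10, secure=True, maximum=1),
        Port("Gi0/2", vlan=10, secure=True, maximum=1),
        Port("Gi0/24", vlan=10, secure=False),   # trunk towards the other switch
    ])


if __name__ == "__main__":
    sw = build_demo_switch()
    for port, mac in [("Gi0/1", "0011.2233.aaaa"), ("Gi0/24", "0011.2233.aaaa"),
                      ("Gi0/2", "0011.2233.aaaa"), ("Gi0/1", "0011.2233.bbbb")]:
        print(f"{port:6} {mac}: {sw.receive(port, mac)}")
    print("\n".join(sw.running_config()))
    print("violations:", sw.violations)
```

Walking the demo through the question's scenario: the station is sticky-learned on Gi0/1, its address arriving over the trunk Gi0/24 is ignored rather than flagged, the same address on the secure port Gi0/2 is a violation, and a second station on Gi0/1 trips the maximum. Taking Gi0/1 down flushes the MAC-table entry but not the sticky line in the configuration, so Gi0/2 still reports a violation for that address afterwards.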
2 Replies

Need help. Which model applies to the spec below?

Core Switch

- 24 ports, Layer 2/3/4

- Support 10/100/1000Base-T Ethernet ports, 41/10G SFP+ ports and one Ethernet port expansion slot

- Support switching capacity of 250 Gbps and above

- Support forwarding speed of 350 Mpps and above

- IPv6 Ready, IPv6 management and routing

- Support fully redundant

- Complete with backplane stacking module

I hope someone there can help me urgently.

Thanks,