Solved: Sticky MAC

dndncr101 · ‎11-22-2010

Hello,

I have a question that I hope someone can help me with. I want to know if you configure a switchport with stick-mac and it learns a MAC address which is then written to the config. What happens if you move that learned MAC to another switch with the same vlan, will it cause a security violation?

Peter Paluch · ‎11-22-2010

Hello,

Quoting from Catalyst 3560 IOS Configuration Guide:

It is a security violation when one of these situations occurs:

The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

So, it depends on how the switches are interconnected. Usually, we use trunk ports to interconnect switches, and trunks are almost never configured with port security. Therefore, seeing a secure MAC address on a trunk port in the same VLAN will not lead to a security violation. If, however, the switches were interconnected by a port configured with port security, then the arrival of a frame with a source MAC learned on another secure port will trigger a security violation.

However, consider a different aspect of this situation: if a secure port with a sticky-learned MAC address is up then the MAC address is also stored in the MAC address table, and will not be learned on a different port. The station with the respective MAC address is locked to the secure port where its MAC address is currently learned. So, even if a station with spoofed MAC address is connected to a different (secure or unsecure) port on the same switch, it will not be added to the MAC address table.

Best regards,

Peter

View solution in original post

Peter Paluch · ‎11-22-2010

Hello,

Quoting from Catalyst 3560 IOS Configuration Guide:

It is a security violation when one of these situations occurs:

The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

So, it depends on how the switches are interconnected. Usually, we use trunk ports to interconnect switches, and trunks are almost never configured with port security. Therefore, seeing a secure MAC address on a trunk port in the same VLAN will not lead to a security violation. If, however, the switches were interconnected by a port configured with port security, then the arrival of a frame with a source MAC learned on another secure port will trigger a security violation.

However, consider a different aspect of this situation: if a secure port with a sticky-learned MAC address is up then the MAC address is also stored in the MAC address table, and will not be learned on a different port. The station with the respective MAC address is locked to the secure port where its MAC address is currently learned. So, even if a station with spoofed MAC address is connected to a different (secure or unsecure) port on the same switch, it will not be added to the MAC address table.

Best regards,

Peter

firstgalaxycomputer · ‎11-22-2010

need help . which model is apply to below spec

Core Switch

- 24ports Layer 2/3/4

- Support 10/100/1000Base-T Ethernet port, 41/10G SFP+ ports and one Ethernet port expansion slot

- Support switching capacity of 250 Gbps and above

- Support forwarding speed of 350 Mpps and above

- IPv6 Ready , IPV6 Managemant and Routing

- Support Fully Redundant

- Complete with Backplane Stacking Module

I hope someone there can help me urgent

thanks ,