Technical Tip: Persistent MAC learning or sticky MAC feature
Description
This article provides the details of the persistent MAC learning or sticky MAC feature which is a port security feature.
Solution
Persistent MAC learning, also called sticky MAC, is a port security feature in which the MAC addresses a port has learned dynamically are retained when the switch or the interface comes back online, instead of being flushed and relearned.
Note: the FortiGate and FortiSwitch firmware versions must be compatible with each other.
Benefits of this feature:
-Prevents traffic loss for trusted workstations and servers, since their MAC addresses do not need to be relearned after a restart.
-Protects the FortiSwitch and the rest of the network when combined with a MAC learning limit, mitigating Layer 2 attacks such as MAC table overflow and the resulting denial of service.
Persistent MAC learning is configured on the FortiGate and enforced on the FortiSwitch.
It is disabled by default.
It can be combined with MAC limiting to restrict the number of persistent MAC addresses a port can hold.
This feature is hardware and CPU intensive; saving the entries can take several minutes depending on how many there are.
To enable sticky MAC on the FortiGate, run the following commands:
# config switch-controller managed-switch
    edit <switch-serial-number>
        config ports
            edit <port-number>
                set sticky-mac enable
            next
        end
    next
end
Note: before saving sticky MAC entries to the CMDB, it may be necessary to delete any other unsaved sticky MAC entries first.
Saving sticky MAC entries copies them from memory to the CMDB on the FortiSwitch units and the FortiGate.
To delete unsaved sticky MAC entries:
# execute switch-controller switch-action sticky-mac delete-unsaved <all | interface> <switch-serial-number>
To save sticky MAC entries to the CMDB:
# execute switch-controller switch-action sticky-mac save <all | interface> <switch-serial-number>
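The following script is an added illustration and is not code from the Fortinet article or from FortiOS. It models why the article recommends pairing sticky MAC with a MAC learning limit: a small simulation of a sticky port with and without a limit, plus an audit of a managed-switch port table that reports ports with sticky MAC enabled but no limit and renders the FortiGate CLI to fix them. The option name `learning-limit` does not appear on this page and is assumed to match the FortiOS managed-switch port option; the serial number, port names and MAC addresses are constructed sample data.

```python
"""Sticky MAC with and without a learning limit (added example, not Fortinet code)."""

from typing import Dict, List, Tuple

# Constructed sample of one managed switch's 'config ports' table.
# The serial number and port names are made up; 'learning-limit' is assumed
# to be the FortiOS option name, with 0 (or unset) meaning 'no limit'.
SAMPLE_SWITCH = {
    "serial": "S124EN0000000000",
    "ports": {
        "port1": {"sticky-mac": "enable", "learning-limit": 2},   # sticky and capped
        "port2": {"sticky-mac": "enable", "learning-limit": 0},   # sticky, uncapped
        "port3": {"sticky-mac": "disable", "learning-limit": 0},  # feature default
        "port4": {"sticky-mac": "enable"},                        # limit never set
    },
}

DEFAULT_LIMIT = 2  # hypothetical access-port limit: one host plus one IP phone


def learn_sticky(seen_macs: List[str], limit: int) -> Tuple[List[str], int]:
    """Simplified model of a sticky-MAC port.

    Every new source MAC becomes a persistent entry until the limit is reached;
    after that, new MACs are refused. limit=0 means unlimited. Returns the
    ordered list of retained MACs and the number of refused learning attempts.
    This is a model for illustration, not FortiSwitch behaviour in detail.
    """
    retained: List[str] = []
    refused = 0
    for mac in seen_macs:
        if mac in retained:
            continue
        if limit and len(retained) >= limit:
            refused += 1
            continue
        retained.append(mac)
    return retained, refused


def audit_sticky_ports(switch: Dict) -> List[str]:
    """Return ports where sticky MAC is enabled but no learning limit applies.

    Without a limit, every MAC an attacker floods onto the port would be kept
    as a persistent entry, which is the overflow case the limit is meant to stop.
    """
    findings = []
    for name, cfg in sorted(switch["ports"].items()):
        if cfg.get("sticky-mac") != "enable":
            continue
        if int(cfg.get("learning-limit", 0)) == 0:
            findings.append(name)
    return findings


def render_fix(switch: Dict, ports: List[str], limit: int = DEFAULT_LIMIT) -> str:
    """Render FortiGate CLI that keeps sticky MAC on and adds a learning limit."""
    lines = [
        "config switch-controller managed-switch",
        f"    edit {switch['serial']}",
        "        config ports",
    ]
    for name in ports:
        lines += [
            f"            edit {name}",
            "                set sticky-mac enable",
            f"                set learning-limit {limit}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def flood_macs(count: int) -> List[str]:
    """Constructed MAC flood: 'count' distinct locally administered addresses."""
    return [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(count)]


if __name__ == "__main__":
    kept, refused = learn_sticky(flood_macs(1000), limit=0)
    print(f"no limit: {len(kept)} persistent entries, {refused} refused")
    kept, refused = learn_sticky(flood_macs(1000), limit=DEFAULT_LIMIT)
    print(f"limit {DEFAULT_LIMIT}: {len(kept)} persistent entries, {refused} refused")
    gaps = audit_sticky_ports(SAMPLE_SWITCH)
    print("sticky ports without a learning limit:", gaps)
    print(render_fix(SAMPLE_SWITCH, gaps))
```

Run it as-is to see the two flood outcomes side by side; in practice the audit input would come from the switch's port configuration and the rendered CLI would be reviewed before being applied on the FortiGate.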
