
Persistent MAC learning

Persistent MAC learning, also called sticky MAC, is a port security feature in which dynamically learned MAC addresses are retained when a switch or interface comes back online. The benefits of this feature include:

  • Preventing traffic loss for trusted workstations and servers, since their MAC addresses do not need to be relearned after a restart.
  • Protecting the switch and the whole network, when combined with a MAC learning limit, against attacks such as Layer 2 DoS and MAC table overflow attacks.

Persistent MAC learning is configured in FortiGate and implemented in FortiSwitch.

This feature is disabled by default. You can use persistent MAC learning together with MAC limiting to restrict the number of persistent MAC addresses.

This feature is hardware and CPU intensive and can take several minutes depending on the number of entries.

You can only use CLI to configure this feature.

Note

This feature is supported on all FortiSwitch models in FSW 6.0.

In FSW 3.6, this feature is supported on models higher than the 124D series.

To enable sticky MAC on FortiGate:

config switch-controller managed-switch
    edit <switch-serial-number>
        config ports
            edit <port-number>
                set sticky-mac enable
            next
        end
    next
end

Before saving sticky MAC entries into the CMDB, you might want to delete the unsaved sticky MAC items so that only the entries you want are saved; any address learned from a device that was connected before the save would otherwise be persisted as well.

Saving sticky MAC items copies them from memory to the CMDB on the FortiSwitches and the FortiGate.

To delete unsaved sticky MAC items:

execute switch-controller switch-action sticky-mac delete-unsaved {all | interface} <switch-serial-number>

To save sticky MAC items into CMDB:

execute switch-controller switch-action sticky-mac save {all | interface} <switch-serial-number>
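The whole procedure end to end, as an added example that is not part of the original page: sticky MAC is enabled on two access ports of a managed FortiSwitch, each port is capped with a MAC learning limit as the text recommends, learned-but-unwanted entries on one port are discarded, and the remainder is saved to the CMDB. The serial number S248DF0000000000 and the port names are made-up placeholders. The `set learning-limit` option under `config ports` and the trailing port-name argument of the `interface` form of the execute command are my recollection of the FortiOS syntax, not something this page states; confirm them on your own unit with `?` in the CLI.

```text
# Added example, not Fortinet's own text. Placeholder serial and port names.
config switch-controller managed-switch
    edit "S248DF0000000000"
        config ports
            edit "port1"
                set sticky-mac enable
                # assumed option: cap the number of dynamically learned MACs on this port
                set learning-limit 2
            next
            edit "port2"
                set sticky-mac enable
                set learning-limit 2
            next
        end
    next
end

# A device that should not be persisted was briefly connected to port2:
# drop port2's unsaved sticky entries before committing anything.
# (port-name argument after the serial is assumed syntax for the interface form)
execute switch-controller switch-action sticky-mac delete-unsaved interface S248DF0000000000 port2

# Persist the remaining learned entries on every port of this switch to the CMDB.
execute switch-controller switch-action sticky-mac save all S248DF0000000000
```

Order matters here: enable sticky MAC and the learning limit first, let only the trusted hosts come up, run `delete-unsaved` for any port where something unexpected was learned, and only then run `save`. Once saved, the entries survive a restart of the switch or port, so a save taken while an untrusted device was attached would whitelist that device until you remove it again.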
