Cookbook

MAC layer control - Sticky MAC and MAC Learning-limit

Persistent MAC learning, or Sticky MAC, is a port security feature that lets an interface retain dynamically learned MAC addresses when a switch is restarted, or an interface goes down and then is brought back online.

Enabling Sticky MAC along with MAC Learning-limit restricts the number of MAC addresses that are learned. This prevents layer 2 Denial of Service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the number of MAC addresses that are allowed while still allowing the interface to learn a specified number of MAC addresses. The interface is secured because, after the specified limit has been reached, additional devices cannot connect to the port. Interfaces can be allowed to learn the MAC address of trusted workstations and servers from the time that the interfaces are connected to the network, until the MAC address limit is reached.

Prerequisites
  • Sticky MAC save is hardware and CPU intensive if there are too many entries.
  • Dual chip device models (X48 and XX48 FortiSwitch models) do not support MAC Learning-limit on VLANs, but still support it on FortiSwitch ports.

Enable Sticky MAC on the FortiSwitch ports view:

config switch-controller managed-switch
    edit S248EPTF18001384
        config ports
            edit port6
                set sticky-mac enable
            next
        end
    next
end

Check the MAC table on the FortiSwitch to confirm that the entries on the Sticky MAC-enabled ports have changed from dynamic to static:

Before Sticky-MAC is enabled:

diagnose switch mac-address list

MAC: 08:5b:0e:06:6a:d4 VLAN: 1 Port: port1(port-id 1) Flags: 0x00030440 [ hit dynamic src-hit native move ]

After Sticky-MAC is enabled:

diagnose switch mac-address list

MAC: 00:0c:29:d4:4f:3c VLAN: 1 Port: port6(port-id 6) Flags: 0x00000020 [ static ]

Save Sticky-MAC entries into the database and delete the others:

Saving the Sticky-MAC entries from running memory into the database, and then deleting the unsaved entries, ensures that the trusted MAC addresses survive a FortiSwitch reboot and do not need to be relearned.

execute switch-controller switch-action sticky-mac save all S248EPTF1800XXXX

S248EPTF1800XXXX: Save started...

Warning: Please wait save will take longer time upto 30 seconds...

Collecting config data....Done

Collecting hardware data....Done

Saving....Done

Sticky MAC entries saved = 1 ----------------> Number of saved Sticky MAC items is shown

execute switch-controller switch-action sticky-mac delete-unsaved all S248EPTF1800XXXX

Configure the MAC Learning-limit under the VLAN or managed FortiSwitch ports view:

VLAN view:

config system interface
    edit vsw.aggr1
        set switch-controller-learning-limit 10
    next
end

Ports view:

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit port6
                set learning-limit 11
            next
        end
    next
end
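As an added example that is not part of the Fortinet cookbook page and not a Fortinet tool, the following Python script parses output in the layout of `diagnose switch mac-address list` shown above and runs the two verification checks a defender would want after applying this configuration: that every entry on a Sticky MAC-enabled port has become static rather than dynamic (a dynamic entry on such a port is lost on reboot until `sticky-mac save` is run), and that the number of learned addresses per port and per VLAN stays within the configured learning-limit. The sample output, the port name port7, the VLAN 10 entries and the limit of 2 on port7 are constructed for illustration; the treatment of a limit of 0 as "no limit" is an assumption of this example, not something the page states.

```python
import re
from collections import Counter

# Constructed sample in the layout of `diagnose switch mac-address list`
# (not captured from a real FortiSwitch; port7 and VLAN 10 are invented).
SAMPLE_MAC_LIST = """\
MAC: 08:5b:0e:06:6a:d4 VLAN: 1 Port: port1(port-id 1) Flags: 0x00030440 [ hit dynamic src-hit native move ]
MAC: 00:0c:29:d4:4f:3c VLAN: 1 Port: port6(port-id 6) Flags: 0x00000020 [ static ]
MAC: 00:0c:29:aa:bb:01 VLAN: 1 Port: port6(port-id 6) Flags: 0x00030440 [ hit dynamic src-hit native ]
MAC: 00:0c:29:aa:bb:02 VLAN: 10 Port: port7(port-id 7) Flags: 0x00030440 [ hit dynamic src-hit native ]
MAC: 00:0c:29:aa:bb:03 VLAN: 10 Port: port7(port-id 7) Flags: 0x00030440 [ hit dynamic src-hit native ]
MAC: 00:0c:29:aa:bb:04 VLAN: 10 Port: port7(port-id 7) Flags: 0x00030440 [ hit dynamic src-hit native ]
"""

# One MAC-table line: address, VLAN, port name, raw flag word and flag names.
LINE_RE = re.compile(
    r"MAC:\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"VLAN:\s*(?P<vlan>\d+)\s+"
    r"Port:\s*(?P<port>[^\s(]+)\(port-id\s*\d+\)\s+"
    r"Flags:\s*(?P<flags>0x[0-9a-f]+)\s*\[(?P<words>[^\]]*)\]",
    re.IGNORECASE,
)


def parse_mac_list(text):
    """Parse MAC-table output into a list of dicts; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append({
                "mac": m["mac"].lower(),
                "vlan": int(m["vlan"]),
                "port": m["port"],
                "flags": int(m["flags"], 16),
                "words": frozenset(m["words"].split()),
            })
    return entries


def dynamic_on_sticky_ports(entries, sticky_ports):
    """Entries on Sticky MAC ports that are still 'dynamic', i.e. not yet
    converted to static and therefore lost on reboot until saved."""
    return [e for e in entries
            if e["port"] in sticky_ports and "dynamic" in e["words"]]


def count_per_port(entries):
    """Learned MAC addresses per port (compare with 'set learning-limit')."""
    return dict(Counter(e["port"] for e in entries))


def count_per_vlan(entries):
    """Learned MAC addresses per VLAN (compare with
    'set switch-controller-learning-limit' on the VLAN interface)."""
    return dict(Counter(e["vlan"] for e in entries))


def over_limit(counts, limits):
    """Keys whose learned count exceeds the configured limit -> (count, limit).
    A limit of 0 or an absent limit is treated as 'no limit' (assumption made
    for this example, not taken from the page)."""
    return {k: (n, limits[k]) for k, n in counts.items()
            if limits.get(k, 0) and n > limits[k]}


if __name__ == "__main__":
    entries = parse_mac_list(SAMPLE_MAC_LIST)
    # From the page: sticky-mac on port6, learning-limit 11 on port6 and 10 on
    # the VLAN interface; the limit of 2 on port7 is constructed.
    sticky_ports = {"port6"}
    port_limits = {"port6": 11, "port7": 2}
    vlan_limits = {1: 10}

    for e in dynamic_on_sticky_ports(entries, sticky_ports):
        print(f"WARN {e['port']}: {e['mac']} still dynamic on a Sticky MAC port; run sticky-mac save")
    for port, (n, lim) in over_limit(count_per_port(entries), port_limits).items():
        print(f"WARN {port}: {n} MACs learned, learning-limit is {lim}")
    for vlan, (n, lim) in over_limit(count_per_vlan(entries), vlan_limits).items():
        print(f"WARN VLAN {vlan}: {n} MACs learned, switch-controller-learning-limit is {lim}")
```

Run against real output, the script reports a dynamic entry on port6 (sticky enabled but not yet saved) and a port whose learned count exceeds its limit; on dual-chip models, where the VLAN-level limit is not supported, only the per-port check is meaningful.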
