Persistent (Sticky) MAC Learning

Overview

Persistent (Sticky) MAC is a Layer 2 port security feature that prevents unauthorized devices from connecting to your network. When this feature is enabled, the switch observes the source MAC addresses of incoming frames on a configured port and dynamically learns and saves each address to memory. You can set the maximum number of MAC addresses learned. After the maximum limit is reached, any additional device attempting to connect to the port will have its frames dropped and logged.

For more details, please refer to this page: https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/understanding_and_using_persistent_mac_learning.html


UI Configuration

This feature can be enabled from the Mist Dashboard for ease and simplicity using Port Profiles from the Switch, Network and Organization tabs. This feature is intended for static wired clients. Please do not enable this feature for Mist Access Point interfaces.

Please see below for an example configuration:

1. Navigate to Switch/Network/Organization -> Port Profiles -> Add Profile

2. Note: Persistent MAC learning cannot be enabled on a Trunk port, or on a port with 802.1X authentication enabled. When Persistent MAC is enabled, the options to change the port mode and to enable 802.1X authentication will be unavailable. This prevents a commit failure, as this combination is not allowed on Junos OS.

3. The MAC Limit field is the maximum number of dynamically learned MAC addresses. In the example, we will use a value of 1.
Note: The default value for the MAC Limit field is 0. Only numeric values in the range 0-16383 are allowed. If a value outside this range is entered, the UI will respond with an error immediately and prevent saving the configuration.

4. At the bottom, check the Persistent (Sticky) MAC Learning box to enable the feature.


5. Map the interface from either the Port Configuration section, or by selecting ports from the Front panel display.

6. The chosen interface will now dynamically learn MAC addresses. By hovering your mouse over this interface, you can see the current MAC limit and, after a few minutes, the number of MACs learned.

7. The MAC Count field indicates how many MACs have been dynamically learned on the interface.
This is a persistent value that will remain unless the MAC addresses are cleared or the Persistent MAC feature is disabled.


Clearing Dynamically Learned MAC Addresses

To clear the MAC addresses learned on an interface, select the interface on the front panel. Only the Network Administrator and Super User roles are able to clear the MACs. Select the Clear MAC [Dynamic/Persistent] button. A message will be displayed indicating which interfaces are being cleared. Do note that if the device is still connected on the interface, its MAC address will be dynamically learned again after a few minutes.


CLI Reference:

This is the same as using the following command from the CLI:

clear ethernet-switching table persistent-learning interface ge-0/0/2


Event: MAC Limit Reset

Under Switch Insights, the “MAC Limit Reset” event will be displayed to confirm that the MAC address was cleared successfully.


UI Response: Unauthorized Device

If the maximum number of MACs has already been learned, then frames from any additional MACs are dropped and logged. You will see a warning on the switch page and a corresponding event on the Insights dashboard when the MAC limit is exceeded.

Events: MAC Limit Exceeded

Under Switch Insights, the “MAC Limit Exceeded” event will continue to be generated as long as the unauthorized device remains connected and the configured MAC limit is exceeded.


Switch Tab and Front Panel: Sticky MAC error

In the Switch Tab, an error message will be displayed at the top of the page. The affected interface will be colored orange. Clicking on the error will redirect the user to the affected interface. This error can be removed by disconnecting the unauthorized device or by clearing the learned MAC addresses. Do note that if the MAC addresses are cleared, the interface will dynamically learn the MAC address of whichever device is currently connected.
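The behaviour described in the Overview and the sections above (learn up to the MAC limit, drop-and-log beyond it, entries persist until cleared, and re-learning after a clear) as an added, constructed model in Python. This is not Mist or Junos code; the port name, addresses and event tuples are assumptions, and the meaning of the UI default limit of 0 is not modelled.

```python
"""Constructed model of Persistent (Sticky) MAC port security as this page describes it.
Added example only: a simulation of the rules, not switch or dashboard code."""
from dataclasses import dataclass, field

MAC_LIMIT_MIN, MAC_LIMIT_MAX = 0, 16383  # range accepted by the MAC Limit field


@dataclass
class StickyMacPort:
    name: str                                   # e.g. "ge-0/0/2" (assumed)
    mac_limit: int
    learned: list = field(default_factory=list)  # sticky entries, kept until cleared
    events: list = field(default_factory=list)   # Switch Insights style events (assumed shape)

    def __post_init__(self):
        if not MAC_LIMIT_MIN <= self.mac_limit <= MAC_LIMIT_MAX:
            raise ValueError(f"MAC limit must be {MAC_LIMIT_MIN}-{MAC_LIMIT_MAX}")

    def receive(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if dropped and logged."""
        src_mac = src_mac.lower()
        if src_mac in self.learned:
            return True                      # already learned sticky address
        if len(self.learned) < self.mac_limit:
            self.learned.append(src_mac)     # dynamically learn and persist it
            return True
        # limit reached: the only available action is drop-and-log
        self.events.append(("MAC Limit Exceeded", self.name, src_mac))
        return False

    def mac_count(self) -> int:
        """Value shown in the UI's MAC Count field."""
        return len(self.learned)

    def clear(self) -> None:
        """Models 'clear ethernet-switching table persistent-learning interface <name>'."""
        self.learned.clear()
        self.events.append(("MAC Limit Reset", self.name, None))


def demo():
    """Walk through the page's scenario: limit 1, an extra device, a clear, a re-learn."""
    port = StickyMacPort("ge-0/0/2", mac_limit=1)
    authorized, extra = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    forwarded = [port.receive(authorized), port.receive(extra)]   # [True, False]
    port.clear()                    # administrator clears the sticky entry
    relearned = port.receive(extra)  # whichever device talks first is learned next
    return forwarded, relearned, port.events
```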


Troubleshooting/Limitations

This feature is intended for Static Wired Clients. Please do not enable this feature for Mist Access Point interfaces.

The UI is not able to show which MAC addresses are currently learned on an interface, only the MAC limit and the count. To see which MAC addresses have been learned, use Utilities -> Shell and enter commands similar to the following, for all interfaces or for a specific one:

show ethernet-switching table persistent-learning
show ethernet-switching table persistent-learning interface [Interface]


It is not possible to select what action the switch takes when the MAC limit is exceeded. The only option at this time is drop-and-log.

It is not possible to configure MAC limiting per VLAN from the UI.

MAC Move limit is not supported.