
Configuring the Sticky MAC Address Function

Context

After port security is enabled on an interface, the switch converts the MAC addresses learned on that interface into secure MAC addresses and stops learning new MAC addresses once the configured maximum number of secure MAC addresses is reached. From then on, only devices whose MAC addresses have already been learned can communicate through that interface. If the users on a network change frequently, you can restart the switch or configure an aging time for secure MAC addresses so that MAC address entries are refreshed. If the users on a network are stable, you can enable the sticky MAC address function on the interface so that the MAC address entries of these users are neither updated nor deleted.

An interface that has the sticky MAC address function enabled takes the same protection actions as an interface that has port security enabled. For details, see the following table.

Table 1 Port security actions

  Action     Description
  ---------  --------------------------------------------------------------------
  restrict   Discards packets whose source MAC address is not a secure MAC
             address on the interface and generates a trap. This action is
             recommended.
  protect    Discards packets whose source MAC address is not a secure MAC
             address on the interface but does not generate a trap.
  shutdown   Sets the interface state to error-down and generates a trap. See
             the notes below on restoring the interface.

By default, an interface in error-down state can only be restored using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

The sticky MAC address function usually applies to networks where terminal users seldom change.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. Run port-security mac-address sticky

    The sticky MAC address function is enabled on the interface.

    By default, the sticky MAC address function is disabled on an interface.

  5. Run port-security max-mac-num max-number

    The maximum number of sticky MAC addresses is set.

    By default, an interface enabled with the sticky MAC address function can learn only one sticky MAC address.

    • If a PC connects to the switch through an IP phone, set the maximum number of secure MAC addresses to 3. The IP phone occupies two MAC address entries and the PC occupies one. The two entries used by the IP phone carry different VLAN IDs, because voice and data packets are transmitted in separate VLANs.
    • When multiple NAC users are already online on an interface and you want to enable port security on it, first run the port-security max-mac-num command to set the maximum number of MAC addresses the interface may learn, and only then run the port-security enable command (the reverse of the order in steps 3 and 5). Otherwise only one user is retained and the other users are logged out.

  6. (Optional) Run port-security protect-action { protect | restrict | shutdown }

    A port security action is configured.

    By default, the restrict action is used.

  7. (Optional) Run port-security mac-address sticky mac-address vlan vlan-id

    A sticky MAC address entry is configured.

    After the sticky MAC address function is enabled on an interface:

    • Existing dynamic secure MAC address entries are changed into sticky MAC address entries. MAC address entries learned subsequently are sticky MAC address entries.
    • Sticky MAC address entries are not aged even if the port-security aging-time command is configured.
    • Sticky MAC address entries configured with the port-security mac-address sticky mac-address vlan vlan-id command are not displayed as configuration information. They are kept in the sticky MAC address entry file described below and can be viewed with the display mac-address sticky command.
    • Manually configured and automatically generated sticky MAC address entries are saved to a .ztbl or .ctbl file every 10 minutes; you can also run the save command to save them immediately. The saved file persists across device restarts. Its name must match the name of the system configuration file: if the system configuration file is test.cfg, the sticky MAC address entry file must be test.ctbl. Otherwise, the sticky MAC address entries will not be restored after the device restarts.
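The procedure above carried out end to end for the IP-phone-plus-PC case described in step 5, as an added example that is not a configuration sample from the original page. The interface GigabitEthernet0/0/1, VLAN 10, the MAC address 0011-2233-4455, the 60-second recovery interval and the device name HUAWEI in the prompts are all constructed values; replace them with your own. The error-down auto-recovery command is only meaningful if the protect action is later changed to shutdown, but it is harmless with restrict.

```text
<HUAWEI> system-view
[HUAWEI] error-down auto-recovery cause port-security interval 60
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 3
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky 0011-2233-4455 vlan 10
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> display mac-address sticky gigabitethernet 0/0/1 verbose
<HUAWEI> display trapbuffer
```

The max-mac-num of 3 leaves room for the two entries the IP phone occupies plus the one entry for the PC; the manually configured entry pins the PC's address (a constructed value here) to VLAN 10 so that it is accepted as soon as the interface comes up rather than waiting to be learned. If NAC users are already online on the interface, run port-security max-mac-num 3 before port-security enable, as step 5 warns, or all but one of them will be logged out. The final save writes both the configuration file and the matching .ctbl or .ztbl file so that the sticky entries survive a restart; the two display commands confirm the learned entries and show any traps raised by the restrict action.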

Verifying the Configuration

  • Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to check sticky MAC address entries.
  • To view trap information, run the display trapbuffer command or log in to the NMS.

Copyright © Huawei Technologies Co., Ltd.