The port-security mac-address sticky command enables the sticky MAC function on an interface.
The undo port-security mac-address sticky command disables the sticky MAC function on an interface.
By default, the sticky MAC function is disabled on an interface.
port-security mac-address sticky [ mac-address vlan vlan-id ]
undo port-security mac-address sticky [ mac-address vlan vlan-id ]
| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the MAC address in a sticky MAC address entry. NOTE: This parameter is not supported in the port group view. | The value is in H-H-H format. H is a hexadecimal number of 1 to 4 digits. A MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| vlan vlan-id | Specifies the ID of a VLAN. NOTE: This parameter is not supported in the port group view. | The value is an integer that ranges from 1 to 4094. |
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view
Usage Scenario
After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries.
After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learned by the interface change to sticky MAC addresses. If the number of sticky MAC addresses does not reach the limit, the MAC addresses learned subsequently change to sticky MAC addresses. When the number of sticky MAC addresses reaches the limit, packets whose source MAC addresses do not match sticky MAC address entries are discarded. In addition, the system determines whether to send a trap message or shut down the interface according to the configured security protection action.
After enabling the sticky MAC function on an interface, you can run the port-security mac-address sticky mac-address vlan vlan-id command to manually configure a sticky MAC address entry.
The sticky MAC function serves the following purposes:
- Prevent non-employees from using their own computers to access the company intranet without the permission of the network administrator.
- Prevent employees from moving network devices or computers of the company without the permission of the network administrator.
Prerequisites
Port security has been enabled by using the port-security enable command on the interface.
Precautions
Running the undo port-security mac-address sticky command will convert the sticky MAC addresses on the interface into secure dynamic MAC addresses.
The configuration information is not displayed after you run the port-security mac-address sticky mac-address vlan vlan-id command to configure sticky MAC address entries.
Manually configured and auto-generated sticky MAC address entries are automatically saved in a .ztbl or .ctbl file every 10 minutes. Alternatively, you can run the save command to manually save them. The saved file is not discarded after the device restarts. The file name must be the same as that of the system configuration file. For example, if the name of the system configuration file is test.cfg, the name of the sticky MAC address entry file must be test.ctbl. Otherwise, sticky MAC address entries will fail to be restored after the device restarts.
If you run the port-security mac-address sticky mac-address vlan vlan-id command multiple times, multiple sticky MAC address entries are configured.
A sticky MAC address cannot be the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP).
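The following Python pre-check is an added example, not part of the original command reference. It applies the value rules from the parameter table (H-H-H format, no all-zero, broadcast, or multicast address, VLAN ID 1 to 4094) to a list of entries before they are configured one command per entry. The function names are hypothetical, the sample addresses are constructed, and left-padding a short group with zeros is an assumption.

```python
import re

# One H group: 1 to 4 hexadecimal digits, as the parameter table specifies.
_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")

def normalize_mac(text):
    """Return the MAC as xxxx-xxxx-xxxx, or raise ValueError if not allowed."""
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"{text!r}: not in H-H-H format")
    # Assumption: a short group is left-padded with zeros (e0 -> 00e0).
    value = int("".join(g.zfill(4) for g in groups), 16)
    if value == 0:
        raise ValueError(f"{text!r}: all-zero MAC address")
    if value == 0xFFFFFFFFFFFF:
        raise ValueError(f"{text!r}: broadcast MAC address")
    # The I/G bit (lowest bit of the first octet) marks a multicast address.
    if (value >> 40) & 0x01:
        raise ValueError(f"{text!r}: multicast MAC address")
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def sticky_command(mac, vlan_id):
    """Build one 'port-security mac-address sticky' line from checked values."""
    if isinstance(vlan_id, bool) or not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
        raise ValueError(f"{vlan_id!r}: VLAN ID must be an integer from 1 to 4094")
    return f"port-security mac-address sticky {normalize_mac(mac)} vlan {vlan_id}"

def check_entries(entries):
    """Split (mac, vlan) pairs into command lines and rejection reasons."""
    commands, rejected = [], []
    for mac, vlan_id in entries:
        try:
            commands.append(sticky_command(mac, vlan_id))
        except ValueError as exc:
            rejected.append(str(exc))
    return commands, rejected

# Constructed sample inventory; none of these addresses come from the page.
SAMPLE = [("e0-fc12-3456", 10), ("0100-5E00-0001", 10), ("FFFF-FFFF-FFFF", 10),
          ("0000-0000-0000", 10), ("00e0-fc12-3456", 4095), ("00:e0:fc:12:34:56", 10)]

if __name__ == "__main__":
    ok, bad = check_entries(SAMPLE)
    print("\n".join(ok))
    print("\n".join("rejected " + r for r in bad))
```

Because each accepted entry becomes its own command line, the output matches the behaviour described above, where running the command multiple times configures multiple sticky MAC address entries.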