Sticky Ports

Sticky Port Situations – NetCraftsmen

This blog is a quick summary of some port-related tidbits I’ve run across recently.
Port Security Sticky
We recently updated a Dev lab data center with new Cisco 6509 switches, Sup720, 10 Gbps links (800+ physical servers, 1000+ Virtual Machines). Aka “the first stage Nortel-ectomy”.
Subsequently, Operations asked us to turn on port security to discourage server admins from moving Ethernet cables to other switch ports. Some of the server admins at the site clearly don’t understand that the switch ports may well not be in the same VLAN, let alone have other settings matching the server. I thought “OK, I’ve mostly seen port security used for closet switches, but that sounds like a reasonable goal. Maintenance could be a bit of work, but …”.
After some negotiation, the consensus was to use port security sticky, with a fairly high MAC number to accommodate VM flexibility on VMware ESX servers. Something like:
interface gig 1/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 50
A couple of servers subsequently had problems. In most if not all cases, they were dual-homed to Cisco switches in a VSS pair.
Testing suggested the problem. When a MAC address has been learned on one port, you cannot then use that MAC on another port. So if you’re thinking that port security just controls the number and which MAC addresses can be used on a port, well, that’s half of it.
The other half is that the learned MAC addresses cannot be used on any other port. Which the Cisco reference guide doesn’t really say. Although if you think about it, that is actually an even more effective form of what we thought we intended.
The other half of the problem? (Have you figured it out? )
A few of the servers were set up for the active-passive failover form of teaming, connected to VSS switch pairs. So when the active link fails, the MAC shifts to the passive half of the “teamed” interface and appears on the other switch. But since the VSS pair is logically one switch, that’s like moving a cable from one port to another. Bzzzzt! Port security event, packets dropped or port shut down.
Conclusion: avoid “sticky” with active-passive link pairs on single switches or VSS switch pairs.
What Could Possibly Go Wrong?
I have also been having fun trying to think through the various ways servers or VMware (or other hypervisors’ networking components) could go awry, apropos of mis-communication while cutting over to new switches in the Production data center. That is probably a good exercise of your basic switch understanding.
Some of the servers we’re dealing with go to Nortel switch pairs that do “SMLT” — think of it as like Cisco VSS (or vice versa). They do EtherChannel (well, “teaming”) to dual chassis. The EtherChannel is currently hard-coded on. Yes, I’d prefer LACP with negotiation. A strong lesson learned is “make minimal changes, so when something doesn’t work, you have some idea that it is say re-patching that caused it, as compared to one of several things that all changed”.
In moving to a new switch, what can go wrong? Consider VMware ESX servers with 4 NIC cards. They could be:
(1) Mis-cabled so that two EtherChannel ports go to non-EtherChannel ports on a single or VSS switch (or cabled correctly but to switch ports not set up for EtherChannel)
(2) Mis-cabled or mis-configured so active-passive ports go to EtherChanneled ports on the switch
(3) Have trunking VLANs mis-matched with those allowed on switch trunk ports
(4) Have trunking where the switch is not configured for trunking
(5) The usual address / subnet / default gateway sorts of errors, also speed, duplex, and wrong access VLAN on port the server is cabled to
In cases (3) – (5), the problem is likely to show up as “can’t ping default gateway”, either for the physical chassis or for some or all VMs on one physical chassis.
If you think about case (2), there probably isn’t a problem. Only one side is active at a time, and packets that go into most servers don’t check back out, unless someone deliberately enabled bridging on the server (rare, but has happened to one of our staff: STP loop via administrator doing server bridging! ). If bridging is enabled, the Cisco switch will see its own BPDU back on the EtherChannel, and errdisable.
The one that seems the most interesting (to me, anyway) is (1). What is the problem with it? Well, if the server end load-balances like Cisco switches do, probably none, since frames with a given source MAC probably only use one link or the other. But what if the server does some form of alternate-link or round-robin EtherChannel, for load balancing (rather than load sharing)? You then might have a source MAC address appearing on one port, then another, on the same physical or VSS switch. If that happens a lot, the switch is probably going to be using some CPU capacity, unless the MAC learning is hardware-based, as in the 6500.
See also “Common Causes of Slow IntraVLAN and InterVLAN Connectivity in Campus Switch Networks”. It looks like the final answer to this one requires a lab with a packet generator that can fire off rapid frames with the same source MAC alternating between two links.
What’s your answer?
Helping Operations Out
I mentioned that we’d been thrown some trouble tickets to report back on, containing only an SNMP ifIndex. It is kind of hard to figure out which interface is the problematic one without an SNMP tool. I mentioned this to our President, David Yarashus, and he came right back with the command illustrated below. I had never really explored this branch of show commands, since my first forays into it proved less than exciting. (And since the freeware GetIf software solved most of my “quick SNMP” needs, at least in the days before people started locking it down with ACLs. )
rtr1841#show snmp mib ifmib ifindex
Async0/0/0: Ifindex = 4
FastEthernet0/0: Ifindex = 1
FastEthernet0/0-mpls layer: Ifindex = 15
Loopback0: Ifindex = 14
Null0: Ifindex = 3
Tunnel2: Ifindex = 12
Tunnel2-mpls layer: Ifindex = 13
FastEthernet0/1: Ifindex = 2
FastEthernet0/1-mpls layer: Ifindex = 20
Async0/0/1: Ifindex = 5
Async0/0/2: Ifindex = 6
Async0/0/3: Ifindex = 7
Async0/0/4: Ifindex = 8
Async0/0/5: Ifindex = 9
Async0/0/6: Ifindex = 10
Async0/0/7: Ifindex = 11
FastEthernet0/0.2-802.1Q vLAN subif: Ifindex = 16
FastEthernet0/0.3-802.1Q vLAN subif: Ifindex = 17
FastEthernet0/0.17-802.1Q vLAN subif: Ifindex = 18
FastEthernet0/0.77-802.1Q vLAN subif: Ifindex = 19
rtr1841#
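When a ticket arrives carrying only an ifIndex, the output above is the lookup table. The following is an added example (not part of the blog) that parses that output into an ifIndex-to-interface map and resolves a ticket's number against it; the sample text is a constructed copy of a subset of the router's lines, one entry per line, and the function names are assumptions.

```python
"""Resolve an SNMP ifIndex from a trouble ticket to an interface name by
parsing 'show snmp mib ifmib ifindex' output.  Added example, not part of the
blog; SAMPLE_OUTPUT is a constructed copy of some of the lines shown above."""
import re
from typing import Dict

# Constructed sample: prompt lines plus "name: Ifindex = N" entries.
SAMPLE_OUTPUT = """rtr1841#show snmp mib ifmib ifindex
Async0/0/0: Ifindex = 4
FastEthernet0/0: Ifindex = 1
FastEthernet0/0-mpls layer: Ifindex = 15
Loopback0: Ifindex = 14
Null0: Ifindex = 3
Tunnel2: Ifindex = 12
Tunnel2-mpls layer: Ifindex = 13
FastEthernet0/1: Ifindex = 2
FastEthernet0/0.2-802.1Q vLAN subif: Ifindex = 16
FastEthernet0/0.77-802.1Q vLAN subif: Ifindex = 19
rtr1841#"""

# Interface names never contain a colon, so the first ": Ifindex =" splits safely.
ENTRY = re.compile(r"^(?P<name>[^:]+): Ifindex = (?P<idx>\d+)\s*$")


def parse_ifindex_table(text: str) -> Dict[int, str]:
    """Map ifIndex -> interface name; prompt and non-matching lines are skipped."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        idx = int(m.group("idx"))
        if idx in table:                 # a device never reports one index twice
            raise ValueError(f"duplicate ifIndex {idx} in output")
        table[idx] = m.group("name")
    return table


def interface_for(ticket_ifindex: int, text: str = SAMPLE_OUTPUT) -> str:
    """The interface a ticket's ifIndex refers to, or an explicit 'not found'."""
    return parse_ifindex_table(text).get(
        ticket_ifindex, f"ifIndex {ticket_ifindex} not found")


if __name__ == "__main__":
    for idx in (16, 4, 99):
        print(idx, "->", interface_for(idx))
```

Take the table from the device at the time of the ticket rather than from an old capture: ifIndex values are not guaranteed to survive a reload unless ifIndex persistence is configured on the router, so a stale table can point the ticket at the wrong interface.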
Sticky MAC Configuration and its Enhancements - Airheads ...

Requirement: Sticky MAC is a port security feature that dynamically learns MAC addresses on an interface and retains the MAC information in case the Mobility Access Switch reboots.
Sticky MAC is an alternative to the tedious and manual configuration of static MAC addresses on a port or to allow the port to continuously learn new MAC addresses after interface-down events. Allowing the port to continuously learn MAC addresses is a security risk. Sticky MAC prevents traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.
Solution: Enable Sticky MAC in conjunction with MAC limit to restrict the number of MAC addresses learned.
Sticky MAC with MAC limit prevents Layer 2 denial of service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the MAC addresses allowed while still allowing the interface to dynamically learn a specified number of MAC addresses. The interface is secured because after the limit has been reached, additional devices cannot connect to the port.
By enabling Sticky MAC learning along with MAC limiting, interfaces can be allowed to learn the MAC addresses of trusted workstations and servers during the period from when the interface is connected to the network until the limit for MAC addresses is reached. This ensures that after this initial period, with the limit reached, new devices will not be allowed even if the Mobility Access Switch restarts.
Sticky MAC is disabled by default.
Points to Remember
Sticky MAC is not supported on untrusted interfaces.
Sticky MAC is not supported on HSL interfaces.
There is no global configuration to enable or disable Sticky MAC address learning. The Sticky MAC feature is enabled at the interface level as part of a port-security profile.
Though the feature is enabled at the interface level, the MAC addresses are learned at the VLAN level.
Configure on access or edge ports. However, there is no restriction for configuring Sticky MAC on trunk ports.
Once a MAC address is learned on one interface, it will not be learned on any other interface in the same VLAN (no MAC move).
The clear command with the sticky keyword can be used to remove Sticky MAC addresses. All sticky MAC addresses are removed when the VLAN is removed or the port-security profile is removed from the interface.
Sticky MAC address can be learned on interfaces in other VLANs.
Sticky MAC addresses, Phone MAC addresses and Dynamic addresses are considered as a part of MAC limit.
Static addresses are not included in MAC limit.
Configuration: In order to configure Sticky MAC, please follow the below link:
Enhancements to Sticky MAC Configuration:
Starting from ArubaOS 7.4.0.2, the Mobility Access Switch allows you to configure the Sticky MAC feature with an action to take when a Sticky MAC violation occurs. The allowed actions are:
Drop—Drops any new MAC addresses trying to connect to the interface. This is the default option.
Shutdown—Shuts down the port on which the sticky MAC violation occurs. You can also optionally set an auto-recovery time between 0-65535 seconds for the interface to recover.
Configuring Sticky MAC Action:
To enable and configure a Sticky MAC action, execute the following command:
(host) (config) #interface-profile port-security-profile <profile-name>
(host) (Port security profile "<profile-name>") #sticky-mac action [drop | shutdown autorecovery-time <1-65535>]
Sample Configuration
(host) (config) #interface-profile port-security-profile sticky
(host) (Port security profile "sticky") #sticky-mac action shutdown auto-recovery-time 10
Verification
Verifying Sticky MAC Configuration:
Execute the following command to verify the Sticky MAC configuration:
(host) #show interface-profile port-security-profile <profile-name>
The following command verifies the sample configuration:
(host) #show interface-profile port-security-profile sticky
Port security profile "sticky"
------------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Sticky MAC                            Enabled
Sticky MAC Action                     Shutdown
Sticky MAC Auto Recovery Time         10 Seconds
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
IP Source Guard                       N/A
Dynamic Arp Inspection                N/A
Verified and tested in the 7.2 image version.
Cisco CCNA – Port Security and Configuration

Switch port security limits the number of valid MAC addresses allowed on a port. When a MAC address, or a group of MAC addresses, is configured to enable switch port security, the switch will forward packets only to the devices using those MAC addresses. Any packet coming from any other device is discarded by the switch as soon as it arrives on the switch port.
If you limit the number of allowed MAC addresses allowed on a port to only one MAC address, only one device will be able to connect to that port and will get the full bandwidth of the port.
If the maximum number of secure MAC addresses has been reached, a security violation occurs when a device with a different MAC address tries to attach to that port. In most of today’s scenarios, when the switch detects a security violation, the switch automatically shuts down that port. A switch can be configured to only protect or restrict that port. We will discuss these security violation modes a little bit later.
Secure MAC addresses are of three types:
Static secure MAC addresses – configured manually with switchport port-security mac-address mac-address. These MAC addresses are stored in the address table and in the running configuration of the switch.
Dynamic secure MAC addresses – are dynamically learned by the switch and stored in its MAC address table. They are removed from the configuration when the switch restarts.
Sticky secure MAC addresses – like Dynamic secure MAC addresses, MACs are learned dynamically but are saved in the running configuration.
Sticky secure MAC addresses have these characteristics:
Are learned dynamically then converted to sticky secure MAC addresses and stored in the running configuration.
When you disable the sticky learning, the learned addresses remain part of the MAC address table but are removed from the configuration.
When you disable port security, the sticky secure MAC addresses remain in the running configuration.
If you save the addresses in the configuration file, when the switch restarts or the interface shuts down, the switch does not need to relearn the addresses.
On a Cisco switch, you are able to configure three types of security violation modes. A security violation occurs when the maximum number of MAC addresses has been reached and a new device, whose MAC address is not in the address table, attempts to connect to the interface, or when a MAC address learned on one interface is seen on another secure interface in the same VLAN.
Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:
protect – when the maximum number of secure MAC addresses has been reached, packets from devices with unknown source addresses are dropped until you remove the necessary number of secure MAC addresses from the table. In this mode, you are not notified when a security violation occurs.
restrict – is identical to protect mode, but notifies you when a security violation occurs. Specifically, an SNMP trap is sent, a syslog message is logged and the violation counter increments.
shutdown – this is the default behavior on a switch. In this mode, the switch port shuts down when the violation occurs. Also, an SNMP trap is sent and the message is logged. You can enable the port again with the no shutdown interface configuration command.
The default configuration of a Cisco switch has port security disabled. If you enable switch port security, the default behavior is to allow only 1 MAC address, shut down the port on a security violation, and leave sticky address learning disabled.
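The three violation modes above, the sticky/dynamic distinction, and the “learned MAC seen on another secure interface in the same VLAN” rule are the same mechanics that bit the NetCraftsmen VSS deployment at the top of this page (and that the Aruba notes describe as “no MAC move”). The following is an added example, not code from any of the articles or from Cisco, that models those rules in a small simulator and runs two scenarios through it: the active-passive NIC failover across a VSS pair, and a second MAC arriving on a maximum-1 port under each violation mode. Class names, method names and all MAC addresses are constructed for illustration.

```python
"""Toy model of switch port security with the semantics described above:
per-port maximum, sticky learning saved to running-config, protect/restrict/
shutdown violation modes, and "no MAC move" (a secure MAC learned on one port
is a violation on any other secure port in the same VLAN).  Added example,
not vendor code; names and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0


class Switch:
    """One logical switch.  A VSS pair is a single Switch here, which is
    exactly why an active/passive NIC failover across the pair trips it."""

    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.secure_table: Dict[Tuple[int, str], str] = {}  # (vlan, mac) -> port
        self.log: List[str] = []                            # syslog/SNMP stand-in

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def _violate(self, port: SecurePort, vlan: int, mac: str, why: str) -> str:
        port.violation_count += 1
        if port.violation == "protect":          # drop silently, no notification
            return "dropped"
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {why} {mac} "
                        f"vlan {vlan} on {port.name}")
        if port.violation == "shutdown":         # err-disable the port
            port.err_disabled = True
            return "err-disabled"
        return "dropped"                         # restrict: drop and notify

    def ingress(self, port_name: str, vlan: int, mac: str) -> str:
        """Process one frame's source MAC arriving on a secure port."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"
        owner = self.secure_table.get((vlan, mac))
        if owner == port_name:
            return "forwarded"                   # already secured on this port
        if owner is not None:                    # secured elsewhere in this VLAN
            return self._violate(port, vlan, mac, "MAC move of")
        if len(port.secure_macs) >= port.maximum:
            return self._violate(port, vlan, mac, "limit exceeded by")
        port.secure_macs.append(mac)             # dynamic (or sticky) learn
        self.secure_table[(vlan, mac)] = port_name
        return "forwarded"

    def running_config(self, port_name: str) -> List[str]:
        """Sticky addresses show up in running-config; dynamic ones do not."""
        p = self.ports[port_name]
        lines = [f"interface {port_name}",
                 " switchport port-security",
                 f" switchport port-security maximum {p.maximum}",
                 f" switchport port-security violation {p.violation}"]
        if p.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in p.secure_macs]
        return lines


def vss_active_passive_failover() -> Tuple[str, str, Switch]:
    """NetCraftsmen scenario: NICs teamed active/passive, one per VSS chassis,
    ports configured sticky with maximum 50."""
    sw = Switch()
    for name in ("Gi1/1/1", "Gi2/1/1"):          # one port on each chassis
        sw.add_port(SecurePort(name, maximum=50, violation="shutdown", sticky=True))
    server_mac = "0011.2233.4455"                # constructed
    before = sw.ingress("Gi1/1/1", 10, server_mac)   # active NIC, learned sticky
    after = sw.ingress("Gi2/1/1", 10, server_mac)    # failover: same MAC, other port
    return before, after, sw


def violation_mode_demo(mode: str) -> Tuple[str, int, int]:
    """Second MAC on a maximum-1 port: (result, violation count, log entries)."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", maximum=1, violation=mode))
    sw.ingress("Fa0/1", 1, "aaaa.bbbb.0001")     # constructed, fills the limit
    result = sw.ingress("Fa0/1", 1, "aaaa.bbbb.0002")
    return result, sw.ports["Fa0/1"].violation_count, len(sw.log)


if __name__ == "__main__":
    before, after, sw = vss_active_passive_failover()
    print(f"active NIC: {before}; after failover to the other chassis: {after}")
    print("\n".join(sw.running_config("Gi1/1/1")))
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, violation_mode_demo(mode))
```

The failover run shows the point of the NetCraftsmen conclusion: the limit of 50 is never reached, yet the second chassis still err-disables its port, because the MAC is already secured on another port of the same logical switch. The mode comparison shows why restrict is usually preferable to protect in production: both drop the offending frames, but only restrict leaves a log entry for operations to act on.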
Next, we will enable dynamic port security on a switch port:
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
As you can see, we did not specify an action to be taken if a security violation occurs, nor how many MAC addresses are allowed on the port. Recalling from above, the default behavior is to shut down the port and allow only one MAC address. Let’s now configure sticky port security, allowing 10 MAC addresses on the interface. If a violation occurs, you want the port to be configured in restrict mode.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 10
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation restrict
Good. After you have configured port security in the desired mode on a switch, it’s time to verify the configuration and the learned MAC addresses with the show port-security interface interface-id and show port-security address commands:
Switch#show port-security interface FastEthernet 0/1
Port Security: Enabled
Port Status: Secure-down
Violation Mode: Shutdown
Aging Time: 0 mins
Aging Type: Absolute
SecureStatic Address Aging: Disabled
Maximum MAC Addresses: 1
Total MAC Addresses: 1
Configured MAC Addresses: 0
Sticky MAC Addresses: 0
Last Source Address:Vlan: 0000.0000.0000:0
Security Violation Count: 0
Switch#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address  Type           Ports  Remaining Age(mins)
----  -----------  ----           -----  -------------
11    A6.0001      SecureDynamic  Fa0/1  -
-------------------------------------------------------------------
Total Addresses in System: 0
Max Addresses limit in System: 8320
Now, you may wonder what to do with an unused interface. Securing an unused interface is important too, and it’s much simpler. The only thing you have to do is put all unused interfaces in the shutdown state with the shutdown interface configuration command.
Switch(config)#interface FastEthernet 0/2
Switch(config-if)#shutdown
In this CCNA certification topic we have covered switch port security. Knowing what switch port security is and how to implement it is important. Not only may you encounter questions about this topic when you take the Cisco CCNA certification exam, but you will see switches configured with port security in almost all real-life environments. Companies and service providers use port security to prevent attacks and unauthorized access to their networks. We hope you found this article helpful in your preparation for the CCNA exam, as well as for your day-to-day activities.

Frequently Asked Questions about sticky ports

What is dynamic port security?

Port security defaults to dynamically learned MACs, or “sticky” MAC addresses, which are only stored in the running config unless the “static” form is entered instead or the running config is saved to the startup config once the MAC is learned.
