Persistent (Sticky) MAC Learning

Overview

Persistent (Sticky) MAC is a Layer 2 port security feature that prevents unauthorized devices from connecting to your network. When it is enabled on a port, the switch observes the source MAC addresses of incoming frames, learns them dynamically, and saves them to memory. The maximum number of MAC addresses learned is set by an administrator via MAC limiting. If connecting another device to the port would exceed the configured MAC limit, that device's frames are dropped and logged.

For more details, please refer to: https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/understanding_and_using_persistent_mac_learning.html

UI Configuration

This feature can be enabled from the Mist Dashboard for ease and simplicity using Port Profiles from the Switch, Network and Organization tabs. This feature is intended for static wired clients. Please do not enable this feature for Mist Access Point interfaces.

Please see below for an example configuration:

  1. Navigate to Switch, Network or Organization > Port Profiles > Add Profile

  2. Note: Persistent MAC learning cannot be enabled on a Trunk port, or on a port with 802.1X authentication enabled. When Persistent MAC is enabled, the options to change the port mode and to enable 802.1X authentication are unavailable. This prevents a commit failure, as this combination is not allowed on Junos.

  3. The MAC Limit field is the maximum number of dynamically learned MAC addresses. In this example, we will use a value of 1.
    Note: The default value for the MAC Limit field is 0, which means no MAC limit. Only numeric values in the range 0-16383 are allowed. If a value outside this range is entered, the UI responds with an error immediately and prevents saving the configuration.

  4. On the bottom, check Persistent (Sticky) MAC Learning box to enable the feature.

  5. Map the interface from either the Port Configuration section, or by selecting ports from the Front panel display.

  6. The chosen interface will now dynamically learn MAC addresses. By hovering your mouse over this interface, you can see the current MAC limit and, after a few minutes, the number of MACs learned.

  7. The MAC Count field indicates how many MACs have been dynamically learned on the interface.
    This is a persistent value that remains unless the MAC address is cleared or the Persistent MAC feature is disabled.

CLI Reference:

This is the same as using the following commands from the CLI:

set switch-options interface ge-0/0/2 interface-mac-limit 1
set switch-options interface ge-0/0/2 interface-mac-limit packet-action drop-and-log
set switch-options interface ge-0/0/2 persistent-learning

Clearing Dynamically Learned MAC Addresses

To clear the MAC addresses learned on an interface, select the interface on the front panel. Only the Network Administrator and Super User roles are able to clear MACs. Select the Clear MAC [Dynamic/Persistent] button. A message is displayed indicating which interfaces are being cleared. Do note that if a device is still connected on the interface, its MAC address will be dynamically learned again after a few minutes.

CLI Reference:

This is the same as using the following command from the CLI:

clear ethernet-switching table persistent-learning interface ge-0/0/2

Event: MAC Limit Reset

Under Switch Insights, the "MAC Limit Reset" event is displayed to confirm that the MAC address was cleared successfully.

API Configuration

This feature can be enabled from the Switch, Network, and Organization tabs via the API. For more details, please visit the Mist API Documentation: https://api.mist.com/api/v1/docs/Home

API Calls:

Switch:  /api/v1/sites/:site_id/stats/devices/device:id
Network: /api/v1/sites/:site_id/setting
Org:     /api/v1/sites/:site_id/setting

Fields:

Name         Type   Description
persist_mac  bool   if mode=access and port_auth!=dot1x, whether the port should retain dynamically learned MAC addresses; default is false
mac_limit    int    max number of MAC addresses; default is 0 for unlimited, otherwise the range is 1 or higher, with the upper bound constrained by platform

API Conditions:

  • If trunk mode is enabled, Persistent MAC will be disabled.

  • If 802.1x is enabled, this will cause a configuration failure event, which will need to be reverted from the API.

  • If an invalid persist_mac value is entered, Persistent MAC will be disabled.

  • If an invalid mac_limit value is entered, Persistent MAC will be disabled and the MAC limit will be removed, allowing unlimited MACs. The invalid character will appear in the UI's port profile.

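The following is an added example, not Juniper's or Mist's own code, that ties the API Conditions above to the CLI reference earlier on this page: it checks a port-profile definition against the documented conditions (trunk mode, 802.1x, invalid persist_mac, invalid mac_limit) and renders the equivalent Junos set commands. It assumes the profile is a plain dict shaped like a Mist port_usages entry with the keys mode, port_auth, persist_mac and mac_limit, and it uses the 0-16383 mac_limit range stated in the UI section; the sample profiles at the bottom are constructed.

```python
"""Added example (not Juniper's or Mist's own code): check a Mist-style port
profile against the Persistent (Sticky) MAC conditions documented on this page
and render the equivalent Junos set commands.

Assumptions: the profile is a plain dict shaped like a Mist port_usages entry
with keys 'mode', 'port_auth', 'persist_mac' and 'mac_limit'; the 0-16383
mac_limit range is the one this page's UI section states."""
from typing import Dict, List, Tuple

MAC_LIMIT_MAX = 16383  # UI-accepted range is 0-16383 (0 = unlimited), per this page


def normalize_sticky_mac(profile: Dict) -> Tuple[Dict, List[str]]:
    """Return (effective settings, warnings) for persist_mac and mac_limit.

    Applies the page's 'API Conditions' in order:
      - non-bool persist_mac           -> Persistent MAC disabled
      - mac_limit not an int in range  -> Persistent MAC disabled, limit removed (0)
      - mode == 'trunk'                -> Persistent MAC disabled
      - port_auth == 'dot1x'           -> raised as an error here, because the
                                          page says Junos rejects that commit
    """
    warnings: List[str] = []

    persist = profile.get("persist_mac", False)
    if not isinstance(persist, bool):
        warnings.append(f"invalid persist_mac {persist!r}: Persistent MAC disabled")
        persist = False

    limit = profile.get("mac_limit", 0)
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(limit, bool) or not isinstance(limit, int) or not 0 <= limit <= MAC_LIMIT_MAX:
        warnings.append(f"invalid mac_limit {limit!r}: Persistent MAC disabled, MAC limit removed")
        persist = False
        limit = 0

    if persist and profile.get("mode") == "trunk":
        warnings.append("trunk mode: Persistent MAC disabled")
        persist = False

    if persist and profile.get("port_auth") == "dot1x":
        raise ValueError("persist_mac=true with port_auth=dot1x is not allowed on Junos")

    effective = dict(profile, persist_mac=persist, mac_limit=limit)
    return effective, warnings


def junos_set_commands(interface: str, effective: Dict) -> List[str]:
    """Render the switch-options statements from the page's CLI reference for
    an already-normalized profile. Returns [] when the feature is off.
    Assumption: a mac_limit of 0 (unlimited) omits the interface-mac-limit lines."""
    if not effective.get("persist_mac"):
        return []
    prefix = f"set switch-options interface {interface}"
    cmds: List[str] = []
    if effective.get("mac_limit", 0) > 0:
        cmds.append(f"{prefix} interface-mac-limit {effective['mac_limit']}")
        cmds.append(f"{prefix} interface-mac-limit packet-action drop-and-log")
    cmds.append(f"{prefix} persistent-learning")
    return cmds


if __name__ == "__main__":
    # Constructed sample profiles, not taken from a real Mist organization.
    samples = {
        "sticky_access": {"mode": "access", "port_auth": None, "persist_mac": True, "mac_limit": 1},
        "uplink_trunk": {"mode": "trunk", "persist_mac": True, "mac_limit": 1},
        "bad_limit": {"mode": "access", "persist_mac": True, "mac_limit": 99999},
    }
    for name, prof in samples.items():
        eff, warns = normalize_sticky_mac(prof)
        print(name, warns)
        for line in junos_set_commands("ge-0/0/2", eff):
            print("  ", line)
```

Running the script prints the three set statements for the access-port sample, nothing for the trunk sample (Persistent MAC is disabled with a warning), and nothing for the out-of-range mac_limit sample, whose limit is reset to 0, matching the behaviour the API Conditions describe. Running such a check before pushing a profile through the API avoids the 802.1x configuration failure event that would otherwise have to be reverted afterwards.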
UI Response: Unauthorized Device

If an unauthorized device is connected to a Persistent Learning enabled interface and the new device's MAC would exceed the configured limit, the UI responds as follows. This device's frames will be dropped and logged.

Events: MAC Limit Exceeded

Under Switch Insights, the "MAC Limit Exceeded" event is generated for as long as the unauthorized device is connected and exceeds the configured MAC limit.

Switch Tab and Front Panel: Sticky MAC error

In the Switch Tab, an error message is displayed at the top of the page. The affected interface is colored orange. Clicking on the error redirects the user to the affected interface. This error can be removed by disconnecting the unauthorized device or by clearing the learned MAC address. Do note that if the MAC addresses are cleared, the interface will dynamically learn the MAC address of the currently connected device.