Sticky MAC

When a port is configured for Sticky MAC, a MAC address that is learned for the first time is stored persistently in the forwarding table. Once learned, it is remembered across system reboots and can only be removed by a manual action by an Admin user.

MAC addresses are learned on a port up to the Max MACs value set in the ACL; after that, the port learns no further MAC addresses. This allows you to set up the system for Sticky MAC on every port, plug in all the devices on the network, and once all the desired devices are learned, no further devices can be added to the network without manual actions or provisioning changes to the system.

Sticky MAC can also be used on ports with trusted servers to help limit the effect of DoS attacks on the system. This gives the advantages of statically configured MACs without having to enter all the MAC addresses by hand.

The following example shows an ACL that is configured to allow a sticky MAC and only allows a single device to be attached to the port (Max MACs = 1). 

EMS Sticky Mac Procedure   

  1. Open a Panorama PON (EMS) session, click on the Profile button and the ACL tab.
  2. Click on the EMS ACL "Create a new profile" icon and name the ACL profile StickyMac-1.
  3. Click on the Create Rule button and perform the following steps:

     Step 1: Enter "Rule 1" in the Rule Name entry box.

     Step 2: Select "Basic ACL" from the ACL Type dropdown.

     Step 3: Select "Permit" from the Action dropdown.

     Step 4: Select "Sticky Mac" from the SourceMAC(s) dropdown.

     Step 5: Click on the Add button to add the Source MAC to the Source window.

     Step 6: Select the "Sticky Mac" entry in the Source window.

     Step 7: Enter "1" in the Max MAC(s) entry box.

     Step 8: Click on the Save button to save the rule profile.

  4. Click on the Apply button to add the ACL profile to the Profile Name window list.
  5. After the profile has been generated, the ACL status is displayed. Click on the Close button to complete the ACL profile.

CLI ACL Sticky Mac Procedure 

  1. Open a CLI session and create a StickyMac ACL profile.
  2. From the ESUx> command line, input profile acl create name=StickyMac-1, and press Enter. Output similar to the following is displayed:
     Note: The created ACL profile name is case-sensitive.
    ESUx> profile acl create name=StickyMac-1 <enter>
    success
    ESUx> _
  3. From the ESUx> command line, input profile acl edit name=StickyMac-1 rule number=1 basic action=permit l2 et=ipv4-arp, and press Enter. Output similar to the following is displayed:
    ESUx> profile acl edit name=StickyMac-1 rule number=1 basic action=permit l2 et=ipv4-arp <enter>
    success
    ESUx> _
    

Verify the CLI entry

  1. From the ESUx> command line, input profile acl show name=StickyMac-1, and press Enter. Output similar to the following is displayed:
    ESUx> profile acl show name=StickyMac-1 <enter>
    
    | Access Control List Profile                                                |
    |============================================================================|
    | Profile Name            : StickyMac-1                                      |
    |                                                                            |
    | Rule #1                                                                    |
    |   Rule Identifier       : Rule-1                                           |
    |   Type                  : basic                                            |
    |   Action                : permit                                           |
    |                                                                            |
    |   Layer 2                                                                  |
    |     Ethertype           : IPv4/ARP (0x0800/0x0806)                         |
    |                                                                            |
    |     Source MAC(s)                                                          |
    |       MAX Source MACs   : 1                                                |
    |       SA #1             : sticky                                           |
    |                                                                            |
    |   Layer 3                                                                  |
    |                                                                            |
    |     Source IP/Subnet(s)                                                    |
    |                                                                            |
    |============================================================================|
    ESUx> _
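
A check for the verification step above, added here as an example and not part of the vendor's tooling: it parses "profile acl show" output in the layout shown on this page and reports any permit rule that has no sticky source MAC or allows more than the expected number of MACs. The function names and the max_allowed parameter are assumptions made for illustration.

```python
import re

# Shortened copy of the "profile acl show" output shown on this page.
SAMPLE = """\
| Profile Name            : StickyMac-1 |
| Rule #1                               |
|   Rule Identifier       : Rule-1      |
|   Action                : permit      |
|     Ethertype           : IPv4/ARP (0x0800/0x0806) |
|       MAX Source MACs   : 1           |
|       SA #1             : sticky      |
"""

FIELD = re.compile(r"^(.+?)\s*:\s+(.*)$")  # "Key   : value" inside the box

def parse_acl_show(text):
    """Parse boxed output into {'name': ..., 'rules': [{field: value, 'sources': [...]}]}."""
    profile = {"name": None, "rules": []}
    for raw in text.splitlines():
        line = raw.strip().strip("|").strip()   # drop box borders and padding
        if re.fullmatch(r"Rule #\d+", line):    # start of a new rule block
            profile["rules"].append({"sources": []})
            continue
        m = FIELD.match(line)
        if not m:                               # separators, section titles, prompts
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Profile Name":
            profile["name"] = value
        elif profile["rules"]:
            rule = profile["rules"][-1]
            if key.startswith("SA #"):          # one line per source address entry
                rule["sources"].append(value)
            else:
                rule[key] = value
    return profile

def audit_sticky(profile, max_allowed=1):
    """Return findings; an empty list means every permit rule is sticky and within the limit."""
    findings = [] if profile["rules"] else ["no rules parsed"]
    for n, rule in enumerate(profile["rules"], 1):
        if rule.get("Action") != "permit":
            continue
        if "sticky" not in rule["sources"]:
            findings.append(f"rule {n}: no sticky source MAC")
        limit = rule.get("MAX Source MACs", "")
        if not limit.isdigit() or int(limit) > max_allowed:
            findings.append(f"rule {n}: Max MACs is {limit or 'unset'}, want <= {max_allowed}")
    return findings
```

Calling audit_sticky(parse_acl_show(captured_output)) on text captured from the CLI session returns an empty list for the StickyMac-1 profile shown above.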
    

 

