Port MAC security overview

Port MAC security (PMS) feature allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only packets with source MAC addresses that match these secure addresses.

The secure MAC addresses can be specified statically or learned dynamically. If the device reaches the maximum limit for the number of secure MAC addresses allowed on the interface and if the interface receives a packet with a source MAC address that is different from any of the secure learned addresses, it is considered a security violation.

If a violation occurs, the switch responds according to one of three modes, as summarized in the following table.

Table 1. Switch responses to security violations
Response	Description
Shutdown	The default. The physical port is shut immediately and drops all traffic. A RASlog, SNMP trap, or both is sent. All logical interface operations on the physical port are disabled.
Restrict	Traffic in violation is silently dropped until the number of secure address configures drops below the maximum. Learning is disabled. All logical interface operations on the physical port are disabled.

Note

If a source MAC address is learned on one secured port, and if the same MAC address ingresses on another secured port, a MAC move is allowed and is not considered a violation.

To avoid having to intervene manually every time a port-security violation forces an interface into the shutdown state, the user can enable autorecovery for port security violations. A recovery interval is configured in seconds. After this time period the port transitions automatically to the operational state. An age limit can be set globally for all secure addresses on a port. This feature effectively removes inactive secure addresses.

There are three types of secure MAC addresses that are used in port MAC security:

Static MAC address: These are the secure MAC addresses that are manually configured using the switchport port-security mac-address command. Static MAC addresses persist even if the port goes down; or after the device reboots, provided the config is saved. When static MAC address is configured on an access secure port, the MACs qualify for access VLANs, but on a trunk port, the VLAN must be specified.
Dynamic MAC address: These are the secure MAC addresses that the device learns automatically. Dynamically learned MAC address does not persist if the port goes down.
Sticky MAC address: These are the secure MAC addresses that are learned dynamically but are added automatically as static MAC addresses. When sticky MAC learning is enabled on a secured port, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All the subsequent sets of dynamically learned MAC addresses will also be converted to sticky secure MAC addresses. If sticky MAC learning is disabled on a secure port, all the sticky MAC addresses will be converted back to dynamically learned MAC addresses. Similar to the static MAC address, sticky MAC addresses persist even if the port goes down; or if the device reboots, provided the config is saved.

If a MAC address already learned on a secured port is ingressing on a nonsecured port or through another secured port, this is not considered a security violation. In this case the MAC move occurs if the MAC is learned dynamically. If the MAC is static or sticky, then the MAC move does not occur. However, the traffic will still be switched according to the destination MAC.

Note

Secure MAC addresses age out based on the device MAC age value that is configured for the device.

Note

The maximum MAC address limit for sticky MAC address and static MAC address depends on the device limit. For dynamically learned MAC addresses, the maximum limit is 8192 per port.