Allowing the port to continuously learn MAC addresses is a security risk.
What is switchport port security mac address sticky manual#
Sticky MAC is an alternative to the tedious and manual configuration of static MAC addresses on a port or to allow the port to continuously learn new MAC addresses after interface-down events. Sticky MAC is a port security feature that dynamically learns MAC addresses on an interface and retains the MAC information in case the Mobility Access Switch reboots. When the MAC limit is enabled, it provides support to log the excess MACs or drop the new MAC learning requests or shuts down the port. The MAC limit feature restricts the maximum number of MACs that can be learnt on the interface. An error will be displayed when you try to enable this functionality on HSL interfaces. The Loop Protect functionality will work only on non-HSL interfaces. The Loop Protect functionality will not detect any loops when MSTP or PVST (on any VLAN) is enabled on the Mobility Access Switch. It is recommended that you enable Loop Protect on all the Layer 2 interfaces when the spanning tree is disabled on the Mobility Access Switch. You can re-enable the port automatically or manually. When the system detects a loop, it disables the port that sends the PDU. A proprietary protocol data unit (PDU) is used to detect the physical loops in the network. You can enable or disable this functionality at an interface level.
The Loop Protect functionality detects the unwanted physical loops in your network. You must explicitly enable DHCP Trust (trust dhcp) in the port-security-profile (if applied to a port) to allow these DHCP messages from valid devices.
By default, the DHCP Trust setting in a port-security-profile is to filter (block) these OFFER and ACK messages. You can enable DHCP trust on any interface. The following IPv4 DHCP messages are filtered on an interface configured not to trust DHCP. The DHCP trust functionality provides support to filter the IPv4 DHCP packets from the unauthorized devices. Unicast RA messages with multiple extension headers. The following Unicast RA messages are not filtered by enabling the RA guard: RA message with multiple extension headers The following RA messages are filtered by enabling the RA guard: The port can be re-activated after the configured time by configuring the auto-recovery option. By enabling, the RA packets received on the interface are dropped and the port can be shutdown based on the interface configuration. The RA guard feature is disabled by default. The Router Advertisement (RA) Guard functionality analyzes the RAs and filters out RA packets sent by unauthorized devices. You can now filter the unauthorized devices to send the control packets, restrict the number of MACs allowed on the interface, and detect unwanted loops in the network when not running spanning-tree protocol. This release of ArubaOS Mobility Access Switch supports Port Security functionality which provides network security at Layer 2. Port Security Overview Port Security Overview