MAC layer control – Sticky MAC and MAC Learning-limit

MAC layer control – Sticky MAC and MAC Learning-limit

Persistent MAC learning, or Sticky MAC, is a port security feature that lets an interface retain dynamically learned MAC addresses when a switch is restarted, or an interface goes down and then is brought back online.

Enabling Sticky MAC along with MAC Learning-limit restricts the number of MAC addresses that are learned. This prevents layer 2 Denial of Service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the number of MAC addresses that are allowed while still allowing the interface to learn a specified number of MAC addresses. The interface is secured because, after the specified limit has been reached, additional devices cannot connect to the port. Interfaces can be allowed to learn the MAC address of trusted workstations and servers from the time that the interfaces are connected to the network, until the MAC address limit is reached.

Prerequisites

  • Sticky MAC save is hardware and CPU intensive if there are too many entries.
  • Dual chip device models (X48 and XX48 FortiSwitch models) do not support MAC Learning-limit on VLANs, but still support it on FortiSwitch ports.

Enable Sticky MAC on the FortiSwitch ports view:

config switch-controller managed-switch edit S248EPTF18001384 config ports edit port6 set sticky-mac enable

next

end

next

end

Check the MAC-table on the FortiSwitch to see that the status of related MAC items on the Sticky MAC enabled ports has changed from dynamic to static:

Before Sticky-MAC is enabled:

diagnose switch mac-address list

MAC: 08:5b:0e:06:6a:d4 VLAN: 1 Port: port1(port-id 1) Flags: 0x00030440 [ hit dynamic src-hit native move ]

After Sticky-MAC is enabled:

diagnose switch mac-address list

MAC: 00:0c:29:d4:4f:3c VLAN: 1 Port: port6(port-id 6) Flags: 0x00000020 [ static ]

Save Sticky-MAC items into the database and delete others:

Saving Sticky-MAC items from the running memory into the database, and deleting unsaved items, will ensure that, even after the FortiSwitch is rebooted, the trusted MAC addresses will be kept and will not need to be relearned.

execute switch-controller switch-action sticky-mac save all S248EPTF1800XXXX S248EPTF1800XXXX: Save started…

Warning: Please wait save will take longer time upto 30 seconds…

Collecting config data….Done

Collecting hardware data….Done

Saving….Done

Sticky MAC entries saved = 1 —————-> Number of saved Sticky MAC items is shown execute switch-controller switch-action sticky-mac delete-unsaved all S248EPTF1800XXXX

Configure the MAC Learning-limit under the VLAN or managed FortiSwitch ports view:

VLAN view:

config system interface edit vsw.aggr1 set switch-controller-learning-limit 10

next

end

Ports view:

config switch-controller managed-switch edit S248EPTF1800XXXX config ports edit port6 set learning-limit 11

next

end

next

end

Quarantine

When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out malicious traffic, an administrator can quarantine the device from the normal switch VLAN to the quarantine VLAN. This can limit the device’s access, or provide them specific information on the quarantine portal page.

To quarantine an active device:

Using the CLI, based on the device’s MAC address:

config user quarantine config targets edit “manual-qtn-1” set description “Manually quarantined” config macs edit 00:0c:29:d4:4f:3c

set description “manual-qtn ”

next

end

next

end

end

Using the GUI:

  1. On the FortiGate, go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology.
  2. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
  3. Click OK in the Quarantine Host page to quarantine the device.

The quarantined device is moved to the quarantine VLAN, and the configuration of the FortiSwitch port does not change.

The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface. The network locations that the device can access depends on the firewall policies that are configured for the quarantine VLAN interface. By default, the device must acknowledge and accept the information on the Quarantine Portal before it can access any part of the network.

Release or clear the quarantine targets:

Using the CLI:

config user quarantine config targets delete “manual-qtn-1” …

end

end

config user quarantine config targets purge

end

end

Using the GUI:

  1. Go to Monitor> Quarantine Monitor.
  2. Delete the quarantine targets as needed, or click Remove All to delete all the targets.
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.