# Sticky MAC address

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/sticky-mac-address

## Quick definition

A Sticky MAC address is like giving a specific spot in a meeting room only to a known person. When a device connects to a switch port, the switch records that device’s unique hardware address and then only allows that device to use the port in the future. If a different device tries to connect, the switch blocks it. This helps keep the network safe from unauthorized access.

## Simple meaning

Think of a Sticky MAC address as a very strict door policy for a private club. When you first walk up to the door, the bouncer (the switch) asks for your ID (your device’s MAC address). The bouncer writes your name and face on a guest list and allows you in. From that moment on, the bouncer remembers your face. Every time you come back, you are allowed in instantly because you are on the list. Now, imagine a stranger tries to enter using the same door. The bouncer checks the list, sees that the stranger’s face does not match your name, and denies entry. That is exactly how Sticky MAC address works on a network switch. When a computer or any device first connects to a specific port on the switch, the switch learns that device’s MAC address and stores it in a special memory table. The switch then says to itself, Only this one device is allowed on this port from now on. If someone unplugs that computer and plugs in a different computer, or if an attacker tries to connect a rogue device, the switch detects the new MAC address and immediately blocks the port or takes a configured action, like sending an alert. This method is very useful in environments where you want total control over which devices are allowed to plug into your network. For example, in an office with sensitive data, you can make sure that only company-issued laptops can connect to the network ports on the desks. Sticky MAC address is not a permanent rule written by a network administrator. Instead, the switch learns the MAC address automatically the first time it sees traffic from that device. That is why it is called sticky. It sticks to the port. Once learned, the MAC address is saved into the running configuration of the switch, and if the switch is rebooted, it will still remember the learned address if the configuration has been saved. The whole idea is to add a layer of security without needing to manually type in every device’s hardware address. It is a simple, dynamic way to ensure that only known devices can get onto your local network. However, there is a catch. If a device’s network card fails and is replaced, the new card will have a different MAC address, and the port will block it until the sticky entry is cleared or updated. So, while Sticky MAC is great for security, it also requires some management when devices need to be swapped out. Overall, it is a foundational concept for anyone studying network security and switch configuration, especially for exams like CCNA, Network+, and Security+.

## Technical definition

Sticky MAC address is a security feature implemented on network switches, primarily at Layer 2 of the OSI model, to control port access based on the source MAC address of connected devices. The feature falls under the category of port security a standard component of Cisco IOS and other switch operating systems. When port security is enabled and configured with the sticky learning option, the switch dynamically learns MAC addresses that ingress on a given port and converts those dynamically learned addresses into what are effectively static secure MAC addresses, but without requiring manual administrative input. The process begins when the switch receives a frame on a port where port security is enabled with sticky MAC learning. The switch examines the source MAC address in the Ethernet header. If the source MAC address is not already in the secure MAC address table for that port, and if the maximum number of allowed secure MAC addresses for that port has not been reached, the switch adds that MAC address to its running configuration as a sticky MAC address. The entry is written as a port-security mac-address sticky command line in the switch configuration. This learned address is then stored in the running configuration and, if saved to the startup configuration using copy running-config startup-config, it persists across reboots. The sticky MAC address feature operates in conjunction with other port security parameters, including the maximum number of secure MAC addresses allowed per port, the violation mode, and the aging policy. The violation mode can be set to protect, restrict, or shutdown. In protect mode, frames from unknown MAC addresses are dropped with no notification. In restrict mode, frames are dropped and a Simple Network Management Protocol (SNMP) trap is generated, and the violation counter is incremented. In shutdown mode, the port is placed into an error-disabled state, effectively disabling it until manually or automatically recovered. When sticky MAC addresses are used, the most common violation mode is shutdown, because it provides a clear, visible indication that an unauthorized device has attempted to connect. The technical standards supporting this feature include IEEE 802.1D for transparent bridging, which is the foundation for MAC address learning in switches. However, sticky MAC addresses extend beyond standard learning by converting dynamic entries into sticky entries that behave like static entries in terms of persistence and security. The switch maintains a secure MAC address table separate from the regular MAC address table. The regular MAC address table is used for forwarding decisions and is learned dynamically, with entries aging out after a default timeout of 300 seconds. The secure MAC address table, on the other hand, holds sticky addresses that do not age out unless explicitly configured to do so. This distinction is critical for examination purposes. For example, in a Cisco CCNA exam, you might be asked to configure port security with sticky MAC learning on an interface, set the maximum number of secure addresses to 1, and set the violation mode to shutdown. The configuration commands would be entered in global configuration mode and then interface configuration mode. The commands are switchport port-security, switchport port-security maximum 1, switchport port-security violation shutdown, and switchport port-security mac-address sticky. After these commands are entered, the switch will learn the first MAC address it sees on that port and mark it as sticky. In real IT implementation, sticky MAC addresses are used in environments where physical security is important but where manual MAC address entry would be too time-consuming. For example, in a college computer lab, each port can learn the MAC address of the computer assigned to that desk. If a student brings in a personal laptop and swaps the cable, the port will shut down, alerting the network administrator. The implementation also requires consideration of MAC address table size limitations. Each switch has a finite amount of memory for storing MAC addresses, and using sticky addresses consumes entries that would otherwise be used for dynamic learning. In large networks, this can become a resource issue. Sticky MAC address does not protect against MAC address spoofing at the application layer or against attacks that use the same MAC address as an authorized device on a different port. Advanced security mechanisms such as 802.1X authentication, DHCP snooping, and dynamic ARP inspection are often used in conjunction with sticky MAC to provide a more robust security posture. Sticky MAC address is a Layer 2 security tool that balances ease of deployment with port access control. It is not a full security solution but a component of a layered defense strategy.

## Real-life example

Imagine you run a small community library with five public computers for visitors. Each computer is at a specific desk, and each desk has a single network port in the floor. You want to make sure that only the library computer can use that port, not someone who brings in their own laptop and unplugs the library machine. This is where a Sticky MAC address works like a specific parking spot for a specific car. Think of each network port as a reserved parking spot in a parking garage. When the library computer first plugs into the port, it is like a car parking in that spot for the very first time. The parking attendant (the switch) takes a photograph of the car’s license plate (the MAC address) and writes down the spot number. From that day on, the attendant will only allow that exact license plate to park in that spot. If a different car tries to park there, the attendant puts up a barrier and does not let it in. In the library, when a visitor unplugs the library computer and plugs in their own laptop, the switch sees a different MAC address from the one it learned as sticky. Immediately, the switch blocks the port. The visitor’s laptop cannot get a network connection, and the library staff knows something is wrong because that port is no longer working. Meanwhile, the library computer that was unplugged will work on any other port because it has its own MAC address that will be learned as sticky when it connects elsewhere, if sticky is enabled on that other port as well. But more importantly, the security policy is enforced automatically without the staff having to manually type in all the MAC addresses of the library computers ahead of time. The first time each computer booted up, the switch learned its address and stuck it to that port. The analogy extends to a small office where each employee has a docking station. When the employee connects their company laptop to the docking station, the switch learns that MAC address and will not allow a visitor’s computer to use the same cable. This prevents an attacker from simply unplugging a worker’s laptop and plugging in a rogue device to gain network access. The sticky MAC address is the first line of defense. However, just like a parking spot that is reserved, if the employee gets a new company laptop with a different MAC address, the parking spot must be updated. The network administrator must clear the old sticky entry and let the new laptop be learned. That is a small inconvenience for the security gained. The analogy also shows the limitation if someone simply spoofs the license plate of the authorized car, they could park in the spot. In networking terms, if an attacker knows the MAC address of the authorized device and configures their device to use that same MAC address, they can bypass sticky MAC. That is why sticky MAC is often combined with other security methods like 802.1X, which requires a username and password in addition to the MAC address. So, while the parking spot analogy is useful, it also helps learners understand that sticky MAC is not an unbreakable security measure. It is a convenient way to automatically learn and enforce which device can connect to a specific port, much like a reserved parking spot with a vigilant attendant.

## Why it matters

In practical IT, Sticky MAC address matters because it provides a simple, automated way to enforce physical port security without needing to manually compile and enter lists of MAC addresses for every device. In many business and educational environments, devices are assigned to specific locations, such as a fixed workstation in an office, a point-of-sale terminal in a retail store, or a computer in a school lab. Sticky MAC ensures that if someone disconnects the authorized device and connects an unknown device, the switch will block the port and alert the administrator. This reduces the risk of unauthorized network access, which could lead to data breaches, malware injection, or network disruption. From a network management perspective, sticky MAC saves time. Without it, an administrator would need to either disable port security entirely or manually enter the MAC address of every authorized device, which is tedious and error-prone, especially when devices are replaced or moved. Sticky MAC automates the learning process while still enforcing a strict one-to-one or few-to-one mapping between devices and ports. It also provides an audit trail. When a port is shut down due to a violation, the administrator can check the logs and see that a device with an unfamiliar MAC address tried to connect at that specific time. This can help identify physical security breaches or even simple employee mistakes, like someone plugging their personal phone into a charger that also transfers data. However, sticky MAC is not without trade-offs. In networks where devices are frequently changed, such as a hospital with mobile workstations, sticky MAC can become a management headache. The administrator must clear the old sticky entries before the new device can connect. This can lead to downtime and support calls. Also, because MAC addresses can be spoofed, sticky MAC is not sufficient as a standalone security measure in high-security environments. It is best used as part of a defense-in-depth strategy that includes VLAN segmentation, 802.1X authentication, and intrusion detection systems. Ultimately, sticky MAC matters because it is a widely tested concept in certification exams and a commonly implemented feature in real-world campus networks. Understanding when and how to use it, as well as its limitations, is essential for any network technician or administrator.

## Why it matters in exams

Sticky MAC address is a heavily tested concept in several IT certification exams, most notably in the Cisco CCNA (200-301) and CompTIA Network+. For the CCNA, port security with sticky MAC is a core part of the Switching Technologies section. You are expected to know how to configure it, how it behaves, and how to troubleshoot it. Exam questions often present a scenario where a switch port is configured with port security and sticky MAC, and then a different device is connected. You must predict whether the port will go into error-disabled state, or whether the device will be allowed, and what commands would be used to verify the configuration. The command show port-security interface is a key verification command. In the Network+ exam (N10-008), sticky MAC is covered under network security and switching. You are expected to understand the concept and be able to compare it to other security features like MAC address filtering and 802.1X. Questions might ask about the purpose of sticky MAC and when it would be appropriate to use it. The Security+ exam (SY0-601) includes sticky MAC as part of network security controls. While it is not a primary focus, you are expected to understand that it is a Layer 2 security measure to prevent unauthorized device access. Questions may appear in the context of defense in depth or endpoint security. For the AWS Solutions Architect Associate (AWS-SAA) and Azure Administrator (AZ-104), sticky MAC is not a direct concept because those exams focus on cloud networking, virtual private clouds, and software-defined networking where physical switch ports are abstracted. However, you might encounter the term in the context of AWS Direct Connect or Azure ExpressRoute where MAC-level security is sometimes mentioned. It is considered light supporting knowledge for these exams. For the Google Associate Cloud Engineer (Google ACE), the relevance is similarly light supporting. However, for the CompTIA A+ (Core 2), sticky MAC is a basic network security concept that may appear in questions about securing a small office or home network. It is considered light supporting because A+ focuses more on hardware and basic connectivity. In all exams, the key points to remember are that sticky MAC dynamically learns the first device’s MAC address, that the default violation mode is shutdown, that the learned address is kept in the running configuration, and that you need to save the configuration to make the sticky entry permanent across reboots. Also remember that sticky MAC does not prevent MAC address spoofing and that it can be combined with a maximum MAC address limit. Exam traps often involve a scenario where the switch is reloaded without saving the configuration, causing the sticky MAC entries to be lost and all devices to be relearned. Another trap is that sticky MAC is only effective if port security is enabled and the sticky keyword is used; simply enabling port security without the sticky keyword results in dynamically learned MAC addresses that will age out and be relearned, which is not the same as sticky.

## How it appears in exam questions

In certification exams, Sticky MAC address appears in several distinct question patterns. The most common is the scenario question. For example, you are given a network diagram showing a switch port connected to a single workstation. The question states that the network administrator wants to allow only that specific workstation to connect to that port, and wants the switch to automatically learn the workstation’s MAC address without manual entry. You are asked which two configuration commands are required. The answer would be switchport port-security and switchport port-security mac-address sticky. Another pattern is the troubleshooting question. You are presented with a show running-config output for an interface. The configuration shows switchport port-security maximum 2, switchport port-security violation shutdown, and switchport port-security mac-address sticky. The question asks what will happen if a third device attempts to connect to that port. The correct answer is that the port will go into error-disabled state because the maximum MAC address limit of 2 has been exceeded, and the violation mode is shutdown. A variation of this question might ask what command you would use to verify the error. The answer is show interfaces status or show port-security interface. Another pattern is the comparison question. You are asked to differentiate between sticky MAC and static MAC addresses. The correct distinction is that sticky MAC addresses are learned dynamically and then become sticky, while static MAC addresses must be manually configured. Sticky MAC addresses persist after a reboot only if the configuration is saved. Static MAC addresses always persist because they are part of the configuration file. There is also the conceptual question. For example, Which of the following is a disadvantage of using sticky MAC addresses? The correct answer might be that if a device’s network interface card is replaced, the port will not allow the new device to connect until the old sticky entry is cleared. Another conceptual question might ask about the security effectiveness of sticky MAC. The answer would include that it does not prevent MAC address spoofing and that a determined attacker can bypass it. Finally, there are command-specific questions. You might be asked to complete a command to enable sticky MAC learning on a specific interface. The command would be switchport port-security mac-address sticky. You might also be asked to identify the command that shows the MAC addresses learned on a specific port, which is show mac address-table interface or show port-security address. In all these question types, the key is to know the exact behavior of sticky MAC: it learns the first MAC address, it does not age out by default, it can be part of a maximum limit, and it can cause a port to shut down if a violation occurs.

## Example scenario

Imagine you are the network administrator for a small accounting firm with 20 employees. Each employee has a fixed desk with a network port. The company has a strict policy that only company-issued laptops can connect to the internal network to protect client financial data. You decide to use Sticky MAC addresses on all switch ports to enforce this policy automatically. On Monday morning, you connect your own company laptop to port 1 and boot it up. The switch learns the MAC address of your laptop and sticks it to port 1. Then you connect a colleague’s laptop to port 2, and the same thing happens. By the end of the day, all 20 ports have learned the MAC addresses of the assigned laptops. On Tuesday, a new intern comes in and is given a desk. But the intern’s laptop has not been pre-configured. When the intern connects, the port that his laptop is plugged into has already learned the MAC address of the previous employee’s laptop (which was moved to a different desk). The intern’s laptop has a different MAC address. The switch detects this and immediately places the port into error-disabled state. The intern cannot access the network. You get an alert via SNMP or you notice the port status light is off. You check the switch and see that port 12 is in err-disabled state. You review the log and see it was due to a port security violation on that port. You then need to clear the old sticky MAC entry from port 12. You do this by entering interface configuration mode for port 12 and using the command no switchport port-security mac-address sticky [old-mac]. Then you instruct the intern to reboot or reconnect his laptop so that the switch can learn the new MAC address and make it sticky. After that, the port comes up and the intern can work. This scenario shows exactly how sticky MAC works in a real office. It also highlights the administrative overhead when devices change. If you had not used sticky MAC, you would have had to manually type the MAC address of every laptop, which is tedious. But now you have to manually clear old entries when devices are swapped. The scenario also illustrates why a network administrator might set the maximum MAC address on a port to 1, so that only one device is allowed at a time. This prevents someone from connecting a hub or switch and plugging multiple devices into the same port, which would bypass the security control.

## Understanding Sticky MAC Address: Definition and Core Purpose

A Sticky MAC address is a security feature implemented on Cisco switches that dynamically learns MAC addresses on a port and then permanently binds them to that port's configuration. Unlike standard dynamic MAC learning, which forgets addresses when the switch reboots or the link goes down, sticky MAC addresses are saved into the running configuration as if they were statically configured. This makes them persistent across reboots and link flips, providing a robust layer of port security without requiring manual static entries for every authorized device.

The primary purpose of sticky MAC addresses is to prevent unauthorized devices from accessing the network through a switch port. In a typical enterprise environment, a switch port might be assigned to a specific workstation, VoIP phone, or printer. By enabling sticky MAC learning, the switch records the first MAC address it sees on that port and immediately converts it into a sticky entry. If a different device later attempts to use that port, the switch can either drop the traffic, generate a security violation alert, or shut down the port entirely, depending on the configured violation mode. This behavior enforces a strict one-to-one mapping between a physical port and its authorized device.

From an exam perspective, sticky MAC addresses are frequently tested in certifications like the CCNA, Network+, and Security+. They represent a blend of switch security and configuration management. Candidates must understand that sticky MAC addresses are not a separate protocol but a feature of port security. They coexist with other port security options such as static MAC addresses and dynamic MAC limit. Sticky learning reduces administrative overhead because the switch automatically populates the allowed MAC list based on real traffic patterns. However, this convenience comes with operational considerations. For example, if a legitimate device is replaced, the sticky MAC entry must be manually cleared or the port must be shut down and re-enabled to allow the new MAC to be learned.

Another critical aspect is that sticky MAC addresses are stored in the running configuration, not in non-volatile RAM (NVRAM) by default. To make them truly persistent across router or switch reloads, the configuration must be saved using the "copy running-config startup-config" command. Forgetting this step is a common pitfall in both real-world deployments and exam labs. When the switch reboots without a saved configuration, all sticky entries are lost, and the port re-enters its default learning state. This can cause unexpected access issues and security gaps.

In multi-vendor environments, similar functionality exists under different names. For example, on HP Aruba switches, a feature called "MAC lockdown" offers analogous behavior. However, the CCNA and Network+ exams focus heavily on Cisco's implementation because of its widespread use in the certification industry. Understanding sticky MAC addressing also ties into broader topics like DHCP snooping, dynamic ARP inspection, and IP Source Guard, which depend on MAC-to-IP bindings for security. Sticky MAC provides the foundational MAC binding that other features rely on.

Finally, sticky MAC addresses are not recommended for ports that must connect multiple devices such as trunk ports or ports with VoIP phones and PCs behind them, unless careful MAC limits are enforced. The feature is best suited for access ports in secure environments where each port serves exactly one endpoint. By mastering sticky MAC addresses, IT professionals can harden their network against MAC spoofing and unauthorized physical access, which are common attack vectors in security-plus and related exams.

## Step-by-Step Configuration of Sticky MAC Address on Cisco Switches

Configuring sticky MAC addresses on a Cisco switch involves a series of commands that activate port security and set the sticky learning behavior. The process begins at the interface configuration mode. The first command is "switchport port-security", which enables the port security feature on a Layer 2 access port. Without this command, no MAC learning restrictions apply. Port security is only supported on access ports by default; on trunk ports, additional parameters are required, but sticky MAC is rarely used on trunks due to the high number of MAC addresses involved.

Next, the administrator sets the maximum number of MAC addresses allowed on the port using "switchport port-security maximum <value>". For a single-device port, the value is typically 1. For VoIP ports where a phone and PC share the same port, a common value is 2. The sticky learning is activated with "switchport port-security mac-address sticky". This command tells the switch to convert dynamically learned MAC addresses into sticky entries automatically. After enabling sticky, the switch begins monitoring incoming frames. The first unique source MAC address it sees is recorded and added to the running configuration as a per-interface sticky MAC statement. For example, the running configuration will show "switchport port-security mac-address sticky 0011.2233.4455".

An optional but important step is to pre-configure known MAC addresses manually even before the device connects. This can be done with "switchport port-security mac-address sticky <mac>", which forces the port to accept only that specific MAC. This is useful for critical servers or emergency shutdown ports where zero tolerance for change is required. After configuration, the sticky MAC addresses appear in the running config and must be saved to the startup config to survive a reboot.

Once the basic configuration is complete, the administrator must define the violation mode using "switchport port-security violation {protect | restrict | shutdown}". The protect mode silently drops frames from unauthorized MACs without sending alerts. Restrict mode drops frames but also generates a syslog message and increments a counter. Shutdown mode disables the port completely until an administrator manually issues "no shutdown". Shutdown is the most secure but requires administrative intervention to restore service. In exam scenarios, shutdown is often the default and most tested violation mode.

For practical verification, the command "show port-security" displays a summary of all ports with port security enabled, including their violation counts. "show port-security interface <interface-id>" gives detailed information such as the current MAC addresses, sticky status, and last violation timestamp. These show commands are critical for troubleshooting and are frequently examined in CCNA and Network+ labs.

A common exam challenge involves configuring sticky MAC addresses on a switch that already has dynamic MAC entries. In that case, the administrator must first clear the dynamic entries using "clear port-security sticky" or "clear mac-address-table dynamic" before enabling sticky. Otherwise, existing dynamic entries may not convert, leading to confusion. Another nuance is that sticky MAC entries are not automatically removed if the port configuration is removed. They persist until explicitly deleted via "no switchport port-security mac-address sticky <mac>".

Understanding the exact command sequence and their implications is essential for passing configuration-based exam questions. The process reinforces the principle of network security at Layer 2, which is a foundational topic for the Security+ and AZ-104 exams where Azure network security groups often translate to similar concepts in the cloud. By mastering these steps, candidates demonstrate a deep grasp of access-layer hardening.

## Sticky MAC Address States, Violation Modes, and Their Practical Implications

Sticky MAC addresses exist in different states depending on how they were learned and whether the port is in a violation condition. Understanding these states is crucial for both configuration and troubleshooting. The three primary states are dynamic (pre-sticky), sticky (learned and saved), and static-sticky (manually defined). Dynamic entries are temporary; they are learned when port security is enabled but before sticky is activated, or when sticky is disabled. These entries disappear after a reboot or after the MAC aging timer expires. Sticky entries, on the other hand, are written into the running configuration and persist until explicitly removed or the port security feature is disabled.

When a sticky MAC address is first learned, the switch records it along with the port's VLAN and interface. It is immediately added to both the MAC address table and the running configuration. At this point, the MAC is considered "secure." If a different MAC address attempts to send traffic through the same port, the switch compares it against the secure MAC list. If the maximum limit is reached and a new MAC appears, the port enters a violation state. The specific behavior depends on the violation mode configured.

In protect mode, the switch simply drops the offending frames. No alert is sent, and the switch continues to operate normally for the authorized MAC. This mode is useful when network uptime is critical and the risk of unauthorized access is low. However, it provides zero logging, which can make forensic analysis difficult. Restrict mode offers a compromise: frames are dropped, but the switch increments a violation counter and sends a syslog message. This allows administrators to monitor unauthorized attempts without taking the port offline. The shut-down mode is the most aggressive: the switch immediately transitions the port to an error-disabled state. The LEDs on the switch may turn amber, and all traffic stops on that port. Recovery requires manual intervention via "errdisable recovery cause psecure-violation" or a simple "shutdown" followed by "no shutdown".

A fourth, less common state is the "aging" state. Sticky MAC addresses are not subject to the MAC aging timer by default, but administrators can configure an aging time to force the switch to re-learn MACs periodically. This is done with "switchport port-security aging <time>" and the type can be set to "absolute" or "inactivity." In absolute mode, the MAC is removed after a fixed time, even if the device is still active. In inactivity mode, the MAC is removed only if the device stops transmitting for that duration. Using aging with sticky MACs can be risky because it defeats the persistence purpose, but in high-turnover environments like hotel rooms or conference floors, it allows automatic de-authorization of old devices.

From an exam perspective, knowing the difference between these states and modes is fundamental. For example, the Security+ exam often presents a scenario where an administrator wants to log violations without disabling the port; restrict mode is the correct answer. The CCNA exam may ask which command prevents a port from going error-disabled while still blocking unknown MACs; that would be the "protect" mode. Similarly, the Network+ exam might test the concept of error-disabled recovery using the "errdisable" commands.

A frequently overlooked detail is that sticky MAC states are not VLAN-aware by default. If a port is configured as a trunk, sticky MAC learning applies to all VLANs unless specifically limited. This can cause unexpected issues when a device changes its source MAC due to virtualization or VPN protocols. In such cases, the switch may enforce the sticky rule against legitimate traffic, causing connectivity loss. Understanding these nuanced behaviors helps IT professionals design more resilient port security policies and prepares them for complex exam scenarios where multiple concepts intersect.

## Limitations and Best Practices for Sticky MAC Address Deployment

While sticky MAC addresses offer a straightforward way to secure switch ports, they come with significant limitations that administrators must understand. One primary limitation is scalability. In environments with hundreds or thousands of access ports, maintaining sticky MAC entries becomes unmanageable if every port requires a unique sticky configuration. The running configuration file can bloat to an enormous size, and troubleshooting can become complex. For example, if a port is moved or replaced, the associated sticky MAC must be manually removed using the "no switchport port-security mac-address sticky <mac>" command. Failing to do so can result in the old MAC being considered authorized even after the device is moved, creating a security hole.

Another major limitation is that sticky MAC addresses are entirely dependent on the first device that connects to the port. If a technician connects their laptop to a port intended for a printer, the switch will learn the laptop's MAC and bind it permanently. Subsequently, when the printer connects, the port will violate. This means sticky MAC is only effective in environments with strict physical access control and when the initial device is guaranteed to be the authorized one. In real-world networks, this assumption often fails, leading to operational disruptions.

Sticky MAC also does not protect against sophisticated attacks where an attacker clones a legitimate MAC address after the sticky binding is established. Since the switch only checks source MAC addresses, a cloned frame with the same MAC will pass through unimpeded. Therefore, sticky MAC should be combined with other security features like 802.1X authentication, DHCP snooping, and dynamic ARP inspection to provide defense-in-depth. In the Security+ and CCNA exams, this layered approach is frequently tested; candidates must know that sticky MAC alone is insufficient against determined adversaries.

Best practices for deploying sticky MAC include using it only on switch ports that connect to fixed, known endpoints such as servers, security cameras, or dedicated workstations. For ports where devices may change frequently (e.g., conference rooms, guest access), dynamic MAC learning with a strict MAC limit and aging is a better option. Another best practice is to always pre-configure sticky MAC entries for critical ports rather than relying on automatic learning. This eliminates the risk of an unauthorized device being the first to connect. Administrators should regularly audit the running configuration for obsolete sticky entries using scripts or network management tools.

From a performance perspective, sticky MAC addresses add negligible overhead because they use the existing MAC address table. However, the violation mode chosen directly impacts network uptime. Using shutdown mode on all ports can lead to mass outages if a misconfigured device triggers many violations simultaneously. A recommended approach is to use restrict mode on ordinary access ports to detect anomalies without service disruption, and save shutdown mode for ports connected to high-security zones. The command "errdisable recovery cause psecure-violation interval 300" can automatically re-enable ports after a five-minute timeout, combining security with resilience.

Exam questions often test these nuances by presenting a scenario where an administrator cannot connect a new device to a port that previously had a different sticky MAC. The solution involves either clearing the sticky entry or disabling and re-enabling port security. The CCNA may ask about the effect of saving the running configuration after sticky learning. The correct answer is that the sticky entries are retained only if the configuration is saved. These practical details prepare candidates for both the written exams and real-world network administration tasks.

## Common mistakes

- **Mistake:** Thinking that sticky MAC addresses are manually entered by the administrator.
  - Why it is wrong: Sticky MAC addresses are dynamically learned by the switch the first time a device sends traffic on a port. The administrator does not type them in. They become sticky only after learning.
  - Fix: Understand that sticky means the switch learns and remembers automatically, not that the administrator manually types it.
- **Mistake:** Believing that sticky MAC addresses survive a switch reboot without saving the configuration.
  - Why it is wrong: Sticky MAC entries are stored in the running-config. If the switch is rebooted before the running-config is saved to the startup-config, the sticky entries are lost and the switch will learn new MAC addresses as if from scratch.
  - Fix: Always save the configuration with 'copy running-config startup-config' after sticky MAC addresses have been learned.
- **Mistake:** Assuming sticky MAC prevents all unauthorized access because it blocks unknown MACs.
  - Why it is wrong: An attacker can spoof the allowed MAC address. Sticky MAC only checks the MAC address, not the identity of the user or device. It is not a strong security measure by itself.
  - Fix: Use sticky MAC along with other methods like 802.1X, DHCP snooping, and VLAN segmentation for better security.
- **Mistake:** Configuring sticky MAC but forgetting to enable port security first.
  - Why it is wrong: The 'switchport port-security mac-address sticky' command will be rejected or have no effect if port security is not already enabled on that interface with 'switchport port-security'.
  - Fix: Always issue 'switchport port-security' before 'switchport port-security mac-address sticky'.
- **Mistake:** Setting the maximum MAC addresses to a number lower than the number of sticky addresses already learned.
  - Why it is wrong: If you reduce the maximum below the number of currently learned sticky entries, the switch will generate a violation and may shut down the port. The configuration change is not automatically safe.
  - Fix: Before reducing the maximum, clear excess sticky entries using 'no switchport port-security mac-address sticky <mac>'.

## Exam trap

{"trap":"A question says a switch port has port security enabled with sticky MAC learning, and the switch is reloaded. The question asks if the sticky MAC addresses will be retained.","why_learners_choose_it":"Learners see sticky and think it means permanent. They do not realize that sticky entries are only in the running configuration and are lost on reboot unless saved.","how_to_avoid_it":"Remember that sticky MAC addresses are stored in the running-config. They must be copied to the startup-config to survive a reload. The correct answer is that they are lost unless the administrator saved the configuration. Always look for clues about whether the config was saved."}

## Commonly confused with

- **Sticky MAC address vs Static MAC address:** A static MAC address is manually configured by the administrator and remains in the configuration permanently. A sticky MAC address is learned automatically and then becomes sticky. Both prevent new devices from connecting, but static requires manual entry while sticky is automatic. (Example: If you want to allow a printer with a specific MAC address on port 5, you would type the MAC in manually (static). If you want to allow whatever device is plugged in first and then lock the port, you use sticky.)
- **Sticky MAC address vs Dynamic MAC address:** A dynamic MAC address is learned normally by the switch and ages out after a timeout. A sticky MAC address is also learned dynamically but does not age out and is saved in the running config. Dynamic addresses are for normal switching; sticky is for security. (Example: Normal switching uses dynamic MAC addresses to forward frames to the correct port. Sticky MAC locks that learning so only the first device is allowed.)
- **Sticky MAC address vs MAC address filtering:** MAC address filtering is a broader term that can refer to allowing or blocking devices based on their MAC address at various points like wireless access points or firewalls. Sticky MAC is a specific implementation of MAC filtering on a switch port that uses automatic learning. (Example: A wireless router can use MAC filtering to allow only certain devices to connect to Wi-Fi. A switch uses sticky MAC to allow only certain devices on a physical port.)
- **Sticky MAC address vs Port security violation modes (protect, restrict, shutdown):** These are configuration options for what happens when a violation occurs on a port with port security. Sticky MAC is the method of learning the addresses. They are not the same; you can have sticky MAC with any of the three violation modes. (Example: You can set sticky MAC with violation mode shutdown, so the port shuts down when a different device connects. Or you can set it with violation mode restrict, where the port stays up but drops traffic from unknown devices and sends an alert.)

## Step-by-step breakdown

1. **Enable port security on the interface** — Before any sticky learning can happen, you must first enable port security using the command switchport port-security in interface configuration mode. This activates the port security feature for that specific port. Without this, the switch will not monitor MAC addresses at all.
2. **Configure the maximum number of secure MAC addresses** — Use switchport port-security maximum <number> to set how many MAC addresses are allowed on that port. For sticky MAC, this is often set to 1, but it can be higher if multiple devices need to connect through a hub or if you want to allow a specific set. The default maximum is 1 when port security is enabled.
3. **Set the violation mode** — Use switchport port-security violation {protect | restrict | shutdown} to define what happens when an unauthorized device tries to connect. The most common setting for sticky MAC is shutdown, because it gives a clear indication of an attempted breach. The port will go into error-disabled state.
4. **Enable sticky MAC learning** — The command switchport port-security mac-address sticky tells the switch to convert dynamically learned MAC addresses into sticky entries. This command does not itself learn an address; it enables the feature so that when a device sends traffic, its MAC address is learned and then marked as sticky.
5. **Connect a device and verify learning** — When a device is physically connected and sends any Ethernet frame (like a DHCP request or an ARP packet), the switch examines the source MAC address. If the port is not already full, the switch adds this MAC to the running configuration as a sticky entry. You can verify this with show port-security interface or show running-config interface.
6. **Save the configuration** — Sticky MAC entries are stored in the running configuration. To make them survive a switch reboot, you must save the running configuration to the startup configuration using copy running-config startup-config. If this step is skipped, all sticky entries will be lost and the port will re-learn the first device it sees after reboot.
7. **Manage and clear sticky entries as needed** — If a device is replaced or moved, the old sticky MAC entry must be removed from the port before a new device can be learned. Use the command no switchport port-security mac-address sticky <mac-address> to remove the old entry. Then connect the new device and it will be learned as the new sticky MAC.

## Practical mini-lesson

Sticky MAC address is a feature that sits on top of switch port security. In practice, it is one of the first security measures a network administrator will configure on access layer switches in a campus network. The reason is simple: it provides a baseline level of protection against unauthorized physical access without needing a lot of manual work. To configure it, you must be in interface configuration mode for the switch port connected to the end device. The typical sequence of commands is as follows. First, enter interface configuration mode for the specific port, for example interface gigabitethernet 0/1. Then enable port security with switchport port-security. Next, set the maximum number of allowed devices, usually 1, with switchport port-security maximum 1. Then set the violation mode to shutdown with switchport port-security violation shutdown. Finally, enable sticky learning with switchport port-security mac-address sticky. After these commands, when a device is connected and sends traffic, the switch will learn its MAC address and the sticky entry will appear in the running configuration. Professionals need to know that this does not protect against a scenario where an attacker unplugs the authorized device, connects their own device, and that own device is the first device to send traffic after the port comes up. In that case, the attacker's device would be learned as the sticky MAC. This is a window of vulnerability. To close that window, you might pre-configure a static sticky entry manually using switchport port-security mac-address sticky <mac> on the assumption that you know the correct MAC address beforehand. Alternatively, you can combine sticky MAC with 802.1X authentication. When 802.1X is used, the port remains in an unauthorized state until the device authenticates, so a spoofed MAC alone is not enough to gain access. What can go wrong in practice is that a network administrator might configure sticky MAC on a trunk port or on a port that connects to another switch. This is a serious mistake because a switch will send frames with many different source MAC addresses from all devices behind it. The trunk port will quickly exceed the maximum MAC limit and shut down, taking down the entire segment. Therefore, sticky MAC is intended only for access ports that connect to end devices like PCs, printers, IP phones, or cameras. Another common issue is that if a switch port is configured with voice VLAN, the IP phone and the PC behind it will have two different MAC addresses. In that case, the maximum must be set to at least 2, and the sticky feature will learn both. The administrator must be aware that the phone's MAC address will be learned first because it boots up faster, and then the PC's MAC address will be learned second. If the maximum is set to 1, the PC will cause a violation. So planning for the correct maximum is critical. Finally, troubleshooting sticky MAC issues involves checking the port status. If the port shows err-disabled, use show interfaces status to confirm. Then use show port-security interface to see the last violation source MAC. After that, the administrator must decide whether to clear the sticky entry and re-enable the port with shutdown followed by no shutdown, or to manually add the new MAC address as sticky. The practical takeaway is that sticky MAC is a useful but imperfect tool that requires careful design and ongoing management.

## Commands

```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
```
Enables port security and sticky MAC learning on an access port. The switch will automatically learn and store the first MAC address seen.

*Exam note: This is the foundational configuration for sticky MAC. The CCNA exam tests the exact sequence and the fact that the port must be in access mode first.*

```
switchport port-security maximum 2
```
Sets the maximum number of secure MAC addresses allowed on the port to 2, commonly used for ports with a VoIP phone and a connected PC.

*Exam note: Tests understanding of maximum limits for multi-device ports. The CCNA often asks about the correct value for phone+PC scenarios.*

```
switchport port-security violation restrict
```
Configures the port to drop unauthorized traffic and send syslog messages without shutting down the port.

*Exam note: Restrict mode is frequently tested in Security+ and CCNA as the logging-oriented violation mode that balances security and uptime.*

```
switchport port-security mac-address sticky 0011.2233.4455
```
Manually configures a specific sticky MAC address on the port before it is even learned, useful for pre-authorizing critical devices.

*Exam note: This command tests the ability to pre-populate sticky entries. The exam may ask why you would do this instead of relying on dynamic learning.*

```
no switchport port-security mac-address sticky 0011.2233.4455
```
Removes a specific sticky MAC address from the port's secure list without disabling port security entirely.

*Exam note: Candidates must know this to replace a device. The Network+ exam may present a scenario where a MAC must be removed individually.*

```
clear port-security sticky interface GigabitEthernet0/1
```
Clears all sticky MAC addresses learned on the specified interface, reverting it to a clean state for new learning.

*Exam note: This is used after a device swap. The CCNA exam tests the difference between clearing sticky vs. clearing the entire MAC address table.*

```
show port-security interface GigabitEthernet0/1
```
Displays detailed status including secure MAC addresses, violation count, and sticky learning status for a specific port.

*Exam note: This verification command appears in almost every Layer 2 security exam. It tests the ability to read output and identify sticky entries.*

```
errdisable recovery cause psecure-violation interval 300
```
Enables automatic recovery from error-disabled state caused by a port security violation after 300 seconds (5 minutes).

*Exam note: The AZ-104 and CCNA exams may ask about auto-recovery for port security. Understand that this applies globally.*

## Troubleshooting clues

- **Port goes into error-disabled state immediately after connecting a known good device** — symptom: The port's LED turns amber or off, and 'show interfaces' shows 'err-disabled'. The device does not get an IP address.. The switch port previously learned a different sticky MAC address that is saved in the running configuration. The new device's MAC does not match the existing sticky entry, triggering the violation mode (usually shutdown). (Exam clue: Exams test that an administrator must either clear the sticky MAC or use 'shutdown' / 'no shutdown' to recover and allow new learning.)
- **Sticky MAC entries are lost after a switch reboot** — symptom: After a power cycle, the switch still operates but all previously authorized devices are suddenly denied on their ports. The running config no longer shows the sticky MAC lines.. The sticky MAC addresses were only saved in the running config, not copied to the startup config. After reload, the switch loads the startup config without the sticky entries, so ports revert to an unsecured or default state. (Exam clue: This is a classic exam scenario: forgetting 'copy running-config startup-config' after enabling sticky MAC. Candidates are asked why persistence failed.)
- **Multiple devices work on a port that should allow only one sticky MAC** — symptom: An administrator set maximum MAC count to 1, but two PCs are communicating through the same port without violations.. Sticky MAC was not enabled, or the port is configured as a trunk. On trunk ports, port security applies per VLAN, and the maximum MAC count is per VLAN, not per port. Alternatively, the violation mode is set to 'protect' which silently drops but does not alert. (Exam clue: The Network+ and Security+ exams test that port security must be enabled with sticky learning explicitly. Also, trunk ports require special handling.)
- **A legitimate VoIP phone and PC work but one suddenly loses connectivity after a switch reboot** — symptom: After rebooting, the VoIP phone registers but the PC behind it cannot get an IP address. The switch port shows violation counts increasing.. If the phone connects first after reboot, the switch learns the phone's MAC as the sticky entry. The PC's MAC is then seen as unauthorized and violates the defined maximum limit (which may be set to 1). (Exam clue: Candidates should know to set the maximum MAC count to 2 for shared phone+PC ports, and use 'switchport port-security maximum 2'.)
- **Port does not learn any sticky MAC even after connecting a device** — symptom: The 'show port-security interface' shows zero secure MAC addresses, and the device works but no sticky entry is created.. The sticky keyword was not added to the port-security configuration. Only 'switchport port-security' was entered without 'mac-address sticky'. The port learns MACs dynamically but does not convert them to sticky entries. (Exam clue: Exams emphasize that the sticky command is separate. Simply enabling port security is not enough-sticky MAC learning requires the explicit 'mac-address sticky' command.)
- **Cannot remove a sticky MAC address using 'no switchport port-security mac-address sticky'** — symptom: The command appears to run without error, but the sticky MAC stays in the configuration. 'show run' still shows the entry.. The exact MAC address must be specified correctly, including proper formatting (e.g., XXXX.XXXX.XXXX). Also, the port must be in the same VLAN context. Sometimes a simple 'clear port-security sticky' on the interface resolves hidden entries. (Exam clue: This tests attention to detail: matching the exact MAC format and using the clear command when removal fails. Exams often present a simulation with a stuck entry.)
- **Port security violation occurs intermittently on a port connecting to a PC with a virtual machine** — symptom: A user reports that their PC loses network access sporadically. The switch logs show violation events at random times.. The PC has virtualization software that uses virtual NICs with different MAC addresses. Each virtual machine can send frames with its own source MAC, exceeding the configured maximum. The switch sees multiple different MACs and triggers a violation. (Exam clue: This appears in Security+ and CCNA as an example of how guest OS MACs affect port security. The solution is to increase the maximum or disable sticky for that port.)
- **After replacing a damaged switch with a new one, authorized devices are blocked** — symptom: The new switch has the same configuration file but all connected devices trigger port violations. The old switch had learned sticky MACs that are not in the new switch's config.. The sticky MAC addresses were not saved in the startup config of the old switch, or the replacement switch did not have those entries because they were dynamically learned and not stored in the configuration file transferred to the new switch. (Exam clue: This highlights the importance of saving the running config and the fact that sticky entries are not automatically transferred during switch replacement. The AZ-104 exam analogizes to cloud resource drift.)

## Memory tip

Sticky MAC is like a sticky note: the switch writes down the first MAC it sees and it sticks to that port until someone removes it.

## FAQ

**What happens to sticky MAC entries if the switch loses power?**

If the running configuration was not saved, the sticky MAC entries are lost on reboot. The switch will then learn new MAC addresses on each port as devices send traffic again.

**Can I use sticky MAC on a trunk port?**

It is not recommended. Trunk ports carry multiple VLANs and typically see many MAC addresses. Sticky MAC on a trunk would quickly exceed the maximum address limit and cause the port to shut down.

**Does sticky MAC work with wireless access points?**

Yes, if the access point is connected to a switch port. The switch will learn the MAC address of the access point itself. However, the devices connected wirelessly behind the access point will not be seen by the switch port based on their MAC addresses alone.

**How do I remove a sticky MAC address from a port?**

Enter interface configuration mode for that port and use the command no switchport port-security mac-address sticky <mac-address>. Then you can connect a new device to be learned.

**Is sticky MAC address the same as MAC address filtering?**

No. MAC address filtering is a broader concept. Sticky MAC is a specific implementation on a Cisco switch that dynamically learns and locks the MAC address to a port.

**What is the default violation mode when sticky MAC is enabled?**

The default violation mode is shutdown. In many Cisco switch configurations, if you enable port security without specifying a violation mode, it defaults to shutdown.

**Can I combine sticky MAC with 802.1X?**

Yes. In fact, combining sticky MAC with 802.1X provides stronger security. The device must authenticate via 802.1X first, and then the MAC address can be learned as sticky for future sessions.

**Does sticky MAC prevent ARP spoofing?**

No. Sticky MAC only controls which device can physically connect to a port. It does not inspect ARP traffic or prevent a device from sending fake ARP replies within the network.

## Summary

Sticky MAC address is a port security feature on network switches that dynamically learns the MAC address of a connected device and then restricts the port to only that device. It is a convenient way to enforce physical access control without manually entering each MAC address. The feature works by enabling port security on an interface, setting a maximum number of devices, and using the sticky keyword to automatically convert learned MAC addresses into secure entries that are saved in the running configuration. If an unauthorized device tries to connect, the switch can shut down the port, drop the traffic, or send an alert, depending on the violation mode configured. This makes sticky MAC a valuable tool for environments where devices are fixed and physical security is a concern, such as office cubicles, computer labs, and point-of-sale terminals. However, sticky MAC has limitations. It does not prevent MAC address spoofing. A determined attacker can bypass it by cloning the authorized MAC address. Also, the entries are lost on reboot if the configuration is not saved. Managing sticky MAC can become burdensome in environments where devices are frequently replaced or moved, because the old sticky entries must be manually cleared before new devices can be learned. For certification exams, particularly CCNA and Network+, you need to know the configuration commands, the behavior of sticky entries, the difference between sticky and static MAC addresses, and the implications of the violation modes. Exam questions often test whether you understand that sticky MAC entries are stored in the running-config and must be saved to survive a reboot. They also test your ability to troubleshoot a port that has gone into error-disabled state due to a sticky MAC violation. Sticky MAC is a foundational Layer 2 security concept that balances ease of use with effective port access control. It is not a complete security solution, but when implemented correctly and combined with other measures, it significantly reduces the risk of unauthorized physical access to the network.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/sticky-mac-address
