Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A port-security feature that dynamically learns a device's MAC address and pins it to a switch port, blocking unauthorized devices from connecting.
Sticky MAC Definition: A port-security feature that dynamically learns a device's MAC address and pins it to a switch port, blocking unauthorized devices from connecting.
Sticky MAC is a switch port-security feature that dynamically learns the MAC address of the first device (or devices) connected to a port and then binds that address to the port. Only frames from the learned MAC addresses are forwarded; any other device plugged into the port is treated as a violation and blocked.
It works as part of port security on switches such as Cisco IOS. When configured with switchport port-security mac-address sticky, the switch captures source MAC addresses as traffic arrives and writes them into the running configuration as secure entries. The administrator sets a maximum number of allowed addresses and a violation action—protect, restrict, or shutdown. Saving the configuration makes the learned addresses persistent, so the port stays locked to those devices across reboots without manual MAC entry.
This matters because open access ports in lobbies, conference rooms, or unused offices are a common entry point for attackers and unauthorized devices. Sticky MAC provides lightweight Layer 2 access control without the overhead of full 802.1X, defending against MAC flooding and rogue device attachment. Its weakness is MAC spoofing: an attacker who clones an authorized address can still bypass it, so it is best layered with 802.1X or DHCP snooping for stronger assurance.
For example, a retail company enables sticky MAC on the access ports serving point-of-sale terminals, with a maximum of one address and a violation action of shutdown. When the legitimate terminal connects, its MAC is learned and saved. If a staff member later unplugs the terminal and connects a personal laptop, the switch detects the unknown MAC, places the port in err-disabled state, and logs the event for the security team to investigate.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →