MAC Address Table

 

You can assign an address for a connected station, or let the received frames dictate the address.  To see the assigned addresses, issue the following command :

 

sh mac-address-table -for switches only, not routers   (will display only the last 3 bytes, since the first 3 are vendor-specific and not needed to be able to differentiate the addresses)

 

Types of assignable MAC addresses to switch ports (usually one hub with multiple end workstations is wired to one switch port – servers often bypass a hub and take up one switch port all to themselves) –

 

 

Dynamic  -  the switch learns the MAC addresses of the sending station as frames are received.  They time out with disuse and are cleared when table is cleared.

Permanent – static, manually entered – never time out, never cleared with table clear.  Can manually remove.  Associated with one port only.

Restricted - static, manually entered, restriction says that frames must enter via specific ports

 

Port Security – feature that allows you to enter a max number of MAC addresses allowed per port in the MAC table

 

Example

Assign a permanent MAC (xxxx.xxxx.xxxx.0200.2222.2222) address to a server connected to the first ethernet port (out of 3 total) on the switch.  Then set a port security count to 3 (for any port, the table can have up to 3 MAC address entries) :

 

mac-address-table permanent 0200.2222.2222 ethernet 0/3

port secure max-mac-count 3

 

Address Violation

If a source sends a frame to a port which has already reached it’s max in the port config table is called an “address violation”.  A command is used to specify what action to take.  There are 3 possible actions – suspend, ignore, or disable :

 

  1. suspend – temporarily shut down the port but continue listening - re-activate the port when a frame is received from a valid source

  2. disabled – shut down the port until someone manually reactivates it with a command

  3. ignore – ignore the security violation and keep the port enable

 

            address-violation {suspend |  diable  |  ignore}

 

to return switch to it’s default (suspend) :

 

            no address-violation