Table of Contents
Advertisement
Performing Switch Administration
Information About Performing Switch Administration
Unicast MAC Address Filtering
When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC
addresses. This feature is disabled by default and only supports unicast static addresses.
Follow these guidelines when using this feature:
Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported. If you specify
one of these addresses when entering the mac address-table static mac-addr vlan vlan-id drop global
configuration command, one of these messages appears:
% Only unicast addresses can be configured to be dropped
% CPU destined address cannot be configured as drop address
Packets that are forwarded to the CPU are also not supported.
If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either
adds the MAC address as a static address or drops packets with that MAC address, depending on which command
was entered last. The second command that you entered overrides the first command.
For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global
configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the
switch drops packets with the specified MAC address as a source or destination.
If you enter the mac address-table static mac-addr vlan vlan-id drop global configuration command followed by
the mac address-table static mac-addr vlan vlan-id interface interface-id command, the switch adds the MAC
address as a static address.
You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying
the source or destination unicast MAC address and the VLAN from which it is received.
MAC Address Learning on a VLAN
By default, MAC address learning is enabled on all VLANs on the switch. You can control MAC address learning on a
VLAN to manage the available MAC address table space by controlling which VLANs, and therefore which ports, can
learn MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology
and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network.
Follow these guidelines when disabling MAC address learning on a VLAN:
Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface (SVI). The
switch then floods all IP packets in the Layer 2 domain.
You can disable MAC address learning on a single VLAN ID (for example, no mac address-table learning vlan 223)
or on a range of VLAN IDs (for example, no mac address-table learning vlan 1-20, 15).
We recommend that you disable MAC address learning only in VLANs with two ports. If you disable MAC address
learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain.
You cannot disable MAC address learning on a VLAN that is used internally by the switch. If the VLAN ID that you
enter is an internal VLAN, the switch generates an error message and rejects the command. To view internal VLANs
in use, enter the show vlan internal usage privileged EXEC command.
If you disable MAC address learning on a VLAN configured as a private-VLAN primary VLAN, MAC addresses are
still learned on the secondary VLAN that belongs to the private VLAN and are then replicated on the primary VLAN.
If you disable MAC address learning on the secondary VLAN, but not the primary VLAN of a private VLAN, MAC
address learning occurs on the primary VLAN and is replicated on the secondary VLAN.
You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
110
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
