Static MAC Address Table Entry

Normally your switch will automatically learn MAC addresses and fill its MAC address table (CAM table) by looking at the source MAC address of incoming frames and flooding frames if it doesn’t know where to forward the frame.

This process is vulnerable to layer 2 MAC address spoofing attacks where an attacker spoofs a certain MAC address to change entries in the MAC address table. A really simple method to deal with this issue is to manually configure entries in the MAC address table, a static entry will always overrule dynamic entries. You can either specify the interface where the MAC address is located or tell the switch to drop the traffic.

Let’s look at an example!

R1 SW1 Static MAC Entry

To demonstrate this we only require two devices. A router to generate some traffic and a switch to look at (and configure) the MAC address table. Here’s the configuration:

R1(config)#interface fastEthernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0
SW1(config)#interface vlan 1
SW1(config-if)#no shutdown
SW1(config-if)#ip address 192.168.12.2 255.255.255.0

We’ll do a quick ping to generate some traffic so SW1 can learn about the mac address of R1’s FastEthernet 0/0 interface:

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Let’s take a look at the MAC address table:

SW1#show mac address-table dynamic vlan 1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001d.a18b.36d0    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 1

Here’s the MAC address of R1, learned dynamically. Let’s turn this into a static entry:

SW1(config)#mac address-table static 001d.a18b.36d0 vlan 1 interface fastEthernet 0/1

Use the mac address-table static command to create a static entry. Here’s what the MAC address table looks like now:

SW1#show mac address-table static | include Fa0/1
   1    001d.a18b.36d0    STATIC      Fa0/1

There it is, a static entry. No way to overrule this unless you have access to our switch. This prevents us from moving R1 to another interface on SW1 unless we change the static entry. Like I mentioned before we can also change a static entry so it will drop all traffic. Here’s how to do it:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 740 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

556 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. Note: You can also put multicast MACs into CAM assuming IGMP snooping is disabled for that VLAN. Can be used to control where multicast is flooded (useful to control where link-local messages go, since IGMP snooping does not control these) or simply to drop it.

  2. Isn’t configuring port-security another way to fulfill the same security measure?

  3. Port-security lets us set a limit on the number of MAC addresses per interface or you could configure the interface so only 1 certain MAC address is allowed. Both are done on an interface level while this method is done globally on the switch.

  4. Is there a way to view the drops from that mac address?

  5. Hmm I don’t think you can see specific drops for a MAC address.

40 more replies! Ask a question or join the discussion by visiting our Community Forum