Address Table Commands

bridge multicast reserved-address

To define the action on multicast reserved-address packets, use the bridge multicast reserved-address Global Configuration mode command.

Syntax

bridge multicast reserved-address mac-multicast-address {discard | bridge}

Parameters

mac-multicast-address—Multicast MAC address to be reserved.

bridge—Forwards the packets.

discard—Discards the packets.

Default Configuration

If the MAC address is not used by any protocol, the default action is bridge.

Command Mode

Global Configuration mode

User Guidelines

More specific configurations (those that contain a service type) take precedence over less specific configurations (those that contain only a MAC address).

The packets that are bridged are subject to security ACLs.

The action defined by this command has precedence over the forwarding rules defined by the applications or protocols (such as STP and LLDP) supported on the switch.

Example

switchxxxxxx(config)# bridge multicast reserved-address 00:3f:bd:45:5a:b1 discard

clear mac address-table

To clear the learned entries from the forwarding database (FDB), use the clear mac address-table Privileged EXEC command.

Syntax

clear mac address-table dynamic [interfaces interface-id | vlan vlan-id]

Parameters

interfaces interface-id—(Optional) Deletes all dynamic (learned) addresses on specific interfaces. The interface can be one of these types: Ethernet port or port channel.

vlan vlan-id—(Optional) Deletes all secure addresses learned on a VLAN.

Default Configuration

If no interface or VLAN is specified, all entries in the dynamic MAC address table will be cleared.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear mac address-table dynamic interfaces gi11

mac address-table aging-time

To set the aging time of the MAC address table, use the mac address-table aging-time Global Configuration mode command.

Syntax

mac address-table aging-time seconds

Parameters

seconds—The time in seconds that an entry remains in the MAC address table. (Range: 10 to 1000000 seconds; 0 indicates no aging)

Default Configuration

The default aging time is 300 seconds.

Command Mode

Global Configuration mode

Example

switchxxxxxx(config)# mac address-table aging-time 600

mac address-table static

To add a MAC-layer station source address to the MAC address table, use the mac address-table static Global Configuration mode command.

To delete a MAC address from the MAC address table, use the no form of this command.

Syntax

mac address-table static mac-address vlan vlan-id interfaces interface-id [delete-on-reboot | delete-on-timeout | permanent | secure]

mac address-table static mac-address vlan vlan-id drop

no mac address-table static mac-address vlan vlan-id

Parameters

mac-address—MAC address of the interface.

vlan vlan-id—VLAN ID for the interface.

interfaces interface-id—Specifies an interface ID or a list of interface IDs. The interface can be one of these types: Ethernet port or port channel.

delete-on-reboot—(Optional) Specifies that the static MAC address is never aged out of the table and will be deleted after the switch reboots.

delete-on-timeout—(Optional) Deletes the MAC address when aging occurs.

permanent—(Optional) Specifies that the static MAC address is never aged out of the table and, if it is saved to the Startup Configuration, is retained after rebooting. This keyword is applied by default.

secure—(Optional) Specifies that the MAC address is secure when the interface is in classic locked mode.

drop—Drops the packets with the specified source or destination unicast MAC address.

Default Configuration

No static addresses are defined. The default mode for an added address is permanent.

Command Mode

Global Configuration mode

User Guidelines

Use this command to add a static MAC address with the given time-to-live in any mode, or to add a secure MAC address in a secure mode.

Each MAC address in the MAC address table is assigned two attributes: type and time-to-live.

The following time-to-live values are supported:

  • delete-on-reboot—A MAC address is saved until the next reboot.

  • delete-on-timeout—A MAC address that may be removed by the aging timer.

  • permanent—A MAC address is saved until it is removed manually.

The following types are supported:

  • static—A MAC address added manually by the command, with one of the following keywords specifying its time-to-live:

    • permanent

    • delete-on-reboot

    • delete-on-timeout

      A static MAC address may be added in any port mode.

  • secure—A MAC address added manually or learned in a secure mode. Use the mac address-table static command with the secure keyword to add a secure MAC address. The MAC address cannot be relearned. A secure MAC address may be added only in a secure port mode.

  • dynamic—A MAC address learned by the switch in nonsecure mode. The value of its time-to-live attribute is delete-on-timeout.

Examples

Example 1—The following example adds two permanent static MAC addresses:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interfaces gi1
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 permanent

Example 2—The following example adds a delete-on-reboot static MAC address:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 delete-on-reboot

Example 3—The following example adds a delete-on-timeout static MAC address:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 delete-on-timeout

Example 4—The following example adds a secure MAC address:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 secure

show bridge multicast reserved-address

To show information for all reserved MAC addresses, use the show bridge multicast reserved-address Privileged EXEC mode command.

Syntax

show bridge multicast reserved-address

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show bridge multicast reserved-address
Reserved mac-address | action
---------------------+---------
  01:80:C2:00:00:02   |  peer
  01:80:C2:00:00:03   |  bridge
  01:80:C2:00:00:04   |  bridge
  01:80:C2:00:00:05   |  bridge
  01:80:C2:00:00:06   |  bridge
  01:80:C2:00:00:07   |  bridge
  01:80:C2:00:00:08   |  bridge
  01:80:C2:00:00:09   |  bridge
  01:80:C2:00:00:0A   |  bridge
  01:80:C2:00:00:0B   |  bridge
  01:80:C2:00:00:0C   |  bridge
  01:80:C2:00:00:0D   |  bridge
  01:80:C2:00:00:0E   |  bridge
  01:80:C2:00:00:0F   |  bridge
  01:80:C2:00:00:10   |  bridge
  01:80:C2:00:00:11   |  bridge
  01:80:C2:00:00:12   |  bridge
  01:80:C2:00:00:13   |  bridge
  01:80:C2:00:00:14   |  bridge
  01:80:C2:00:00:15   |  bridge
  01:80:C2:00:00:16   |  bridge
  01:80:C2:00:00:17   |  bridge
  01:80:C2:00:00:18   |  bridge
  01:80:C2:00:00:19   |  bridge
  01:80:C2:00:00:1A   |  bridge
  01:80:C2:00:00:1B   |  bridge
  01:80:C2:00:00:1C   |  bridge
  01:80:C2:00:00:1D   |  bridge
  01:80:C2:00:00:1E   |  bridge
  01:80:C2:00:00:1F   |  bridge
  01:80:C2:00:00:20   |  bridge
  01:80:C2:00:00:21   |  bridge
  01:80:C2:00:00:22   |  bridge
  01:80:C2:00:00:23   |  bridge
  01:80:C2:00:00:24   |  bridge
  01:80:C2:00:00:25   |  bridge
  01:80:C2:00:00:26   |  bridge
  01:80:C2:00:00:27   |  bridge
  01:80:C2:00:00:28   |  bridge
  01:80:C2:00:00:29   |  bridge
  01:80:C2:00:00:2A   |  bridge
  01:80:C2:00:00:2B   |  bridge
  01:80:C2:00:00:2C   |  bridge
  01:80:C2:00:00:2D   |  bridge
  01:80:C2:00:00:2E   |  bridge

show mac address-table

To show the entries in the MAC address table, use the show mac address-table Privileged EXEC command.

Syntax

show mac address-table [dynamic | static] [interfaces interface-id] [vlan vlan]

show mac address-table [mac-address] [vlan vlan]

Parameters

dynamic—(Optional) Displays only dynamic MAC addresses.

static—(Optional) Displays only static MAC addresses.

interfaces interface-id—(Optional) Displays the entries for a specific interface. The interface can be one of these types: Ethernet port or port channel.

vlan vlan—(Optional) Displays the entries for a specific VLAN.

mac-address—(Optional) Entries for a specific MAC address.

Default Configuration

If no parameters are entered, the entire table is displayed.

Command Mode

Privileged EXEC mode

User Guidelines

Internal usage VLANs that are automatically allocated on the routed ports are presented in the VLAN column by a port number and not by a VLAN ID.

Example

Example 1—Displays the entire MAC address table:

switchxxxxxx# show mac address-table
VID   |    MAC Address    |      Type      |   Ports
-----+-------------------+--------------+----------------
    1 | 00:03:6D:00:01:20 |   Management   | CPU
    1 | 00:10:60:DB:6E:FE |     Dynamic    | fa1
    1 | 10:8C:CF:CD:0C:05 |     Dynamic    | fa1
Total number of entries: 3

Example 2—Displays the address entries containing the specified MAC address:

switchxxxxxx# show mac address-table 00:3f:bd:45:5a:b1 vlan 1
Aging time is 300 sec
VLAN       MAC Address           Port           Type
-------- ------------------   ------------ ----------
1          00:3f:bd:45:5a:b1    static         fa9

show mac address-table aging-time

To show the MAC address aging time, use the show mac address-table aging-time Privileged EXEC mode command.

Syntax

show mac address-table aging-time

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show mac address-table aging-time
Mac Address Table aging time:  300

show port-security

To show the port security status, use the show port-security Privileged EXEC mode command.

Syntax

show port-security interfaces interface-id

Parameters

interfaces interface-id—Specifies an Ethernet interface ID or a list of Ethernet interface IDs.

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show port-security interfaces fa1-10
  Port    |   Mode  |     Security     | CurrentAddr |        Action        | Trap Freq
---------+---------+---------------+-------------+-------------------+-----------
     fa1  | Classic |     Disabled     |        3    |               Discard|      ---
     fa2  | Classic |     Disabled     |        0    |               Discard|      ---
     fa3  | Classic |     Disabled     |        0    |               Discard|      ---
     fa4  | Classic |     Disabled     |        0    |               Discard|      ---
     fa5  | Classic |     Disabled     |        0    |               Discard|      ---
     fa6  | Classic |     Disabled     |        0    |               Discard|      ---
     fa7  | Classic |     Disabled     |        0    |               Discard|      ---
     fa8  | Classic |     Disabled     |        0    |               Discard|      ---
     fa9  | Classic |     Disabled     |        0    |               Discard|      ---
    fa10  | Classic |     Disabled     |        0    |               Discard|      ---

The following table describes the significant fields shown in the example:

Field       | Description
------------+------------------------------------------------------------------------
Port        | The port number.
Mode        | The learning mode: classic or dynamic.
Security    | The port security status. The possible values are Enabled or Disabled.
Action      | The action taken on violation.
CurrentAddr | The number of addresses currently learned.
Trap Freq   | The minimum time interval between consecutive traps.
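
An added example, not part of the original guide and not vendor code: a Python audit of the show port-security table described above that flags ports left unprotected, ports that forward unlearned sources, and ports that drop violations without any trap. The sample rows are constructed; the rendering of enabled rows (the Action texts and a numeric Trap Freq) is an assumption.

```python
# Added example: audit `show port-security interfaces` output (not vendor code).
FIELDS = ("port", "mode", "security", "current", "action", "trap_freq")

# Constructed sample in the layout of the example above. The "Enabled" rows and
# the Action texts "Discard-snmp-log" and "Forward" are assumed renderings.
SAMPLE = """\
switchxxxxxx# show port-security interfaces fa1-4
  Port    |   Mode  |     Security     | CurrentAddr |        Action        | Trap Freq
---------+---------+---------------+-------------+-------------------+-----------
     fa1  | Classic |     Disabled     |        3    |               Discard|      ---
     fa2  | Classic |     Enabled      |       50    |      Discard-snmp-log|      100
     fa3  | Dynamic |     Enabled      |        2    |               Forward|      ---
     fa4  | Classic |     Enabled      |        1    |               Discard|      ---
"""


def parse_port_security(text):
    """Return one dict per data row of the pipe-separated table."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Skip the prompt, the header, the +--- ruler and blank lines.
        if len(cells) != 6 or cells[0] == "Port" or not cells[3].isdigit():
            continue
        rows.append(dict(zip(FIELDS, cells), addrs=int(cells[3])))
    return rows


def audit(rows):
    """Return (port, finding) pairs for settings a reviewer should question."""
    findings = []
    for r in rows:
        if r["security"].lower() != "enabled":
            findings.append((r["port"], f"port security disabled ({r['addrs']} learned)"))
            continue
        if r["action"].lower().startswith("forward"):
            findings.append((r["port"], "unlearned sources are forwarded, not discarded"))
        # Assumption: '---' in Trap Freq means no trap interval is configured,
        # as in the guide's sample rows for the plain discard action.
        if r["trap_freq"] == "---":
            findings.append((r["port"], "violations raise no SNMP trap or SYSLOG"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_port_security(SAMPLE)):
        print(f"{port}: {finding}")
```
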

switchport port-security

To enable the port security on an interface, use the switchport port-security Interface Configuration mode command.

To disable the port security on an interface, use the no form of this command.

Syntax

switchport port-security

no switchport port-security

Parameters

N/A

Default Configuration

The port security is disabled by default.

Command Mode

Interface Configuration mode

Example

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# switchport port-security

switchport port-security mode maximum

To set the port security learning mode and the maximum number of MAC addresses that can be learned on an interface, use the switchport port-security mode maximum Interface Configuration mode command.

To revert to its default settings, use the no form of this command.

Syntax

switchport port-security mode {classic | dynamic} maximum max-addr action
{ discard | {discard-snmp-log trap-freq seconds} |
{discard-snmp-log-shutdown trap-freq seconds} | forward}

no switchport port-security maximum

Parameters

  • classic—Classic lock. All learned MAC addresses on the port are locked and the switch learns up to the maximum number of addresses allowed on the port. The learned addresses are not subject to aging or re-learning.

  • dynamic—Limited dynamic lock. The switch learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the switch does not learn additional addresses. In this mode, the addresses are subject to aging and relearning.

  • max-addr—Maximum number of MAC addresses that can be learned on the port.

  • action—The action to be applied to the packets arriving on a locked port.

    • discard—Discards the packets with unlearned source addresses.

    • discard-snmp-log—Discards the packets with unlearned source addresses, sends an SNMP trap, and logs a SYSLOG message.

    • discard-snmp-log-shutdown—Discards the packets with unlearned source addresses, sends an SNMP trap, logs a SYSLOG message, and shuts down the port.

    • forward—Forwards the packets with unlearned source addresses, but does not learn the address.

  • trap-freq seconds—Sends SNMP traps and specifies the minimum time interval in seconds between consecutive traps. (Range: 1 to 1000000)

Default Configuration

The feature is disabled by default.

The default mode is discard.

The default number of seconds is zero, but if discard-snmp-log or discard-snmp-log-shutdown is entered, trap-freq seconds must also be entered.

Command Mode

Interface Configuration mode

User Guidelines

The command may be used only when the interface is in the regular mode (nonsecure with unlimited MAC learning).

See the mac address-table static command for information about MAC address attributes (type and time-to-live).

When the switchport port-security command enables the lock mode on a port, all dynamic addresses learned on the port are changed to permanent secure addresses.

When the switchport port-security command enables a mode on a port differing from the lock mode, all addresses learned on the port are deleted.

When the no switchport port-security maximum command cancels a secure mode on a port, all secure addresses defined on the port are deleted.

Example

The following example discards all packets to gi11 once learning reaches the address limit (50), without learning any more addresses of packets from unknown sources, and sends SNMP traps every 100 seconds if a packet with an unknown source address is received.

switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# switchport port-security mode classic maximum 50 action discard-snmp-log trap-freq 100