
Managing Mac Address Table

Network switches keep a table of learned MAC addresses, and we need to understand how to manage the entries in that MAC address table. On Cisco hardware the command show mac address-table lists the MAC addresses the switch has learned, the VLAN each belongs to, and the interface on which each was learned.

SW1# show mac address-table 
Legend: 
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan,
        (NA)- Not Applicable A – ESI Active Path, S – ESI Standby Path
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*    1     5254.0009.d0e2   dynamic  NA         F      F    Eth1/1
*    1     5254.00dc.ed91   dynamic  NA         F      F    Eth1/2
G    -     52eb.9f30.1b08   static   -         F      F    sup-eth1(R)
SW1# 

Tip

Remember that the entire goal of a network switch is to learn MAC addresses. So if a MAC address is not directly connected to the switch but sits behind a downstream or upstream switch, you will see that MAC address on the interface that the downstream/upstream switch is connected to, together with the other MAC addresses learned from that downstream or upstream switch, as long as the two switches share a common VLAN.

Types of MAC Addresses

Dynamic: These MAC addresses are learned dynamically as traffic (frames) passes through the switch.

Static: These MAC addresses, as the name suggests, are configured statically. Some of these addresses are pre-configured by the hardware, but they can also be added manually.

Aging Time

Switches don't keep MAC addresses forever; there is an aging time that can be changed with the command mac address-table aging-time. MAC addresses can also be removed for the following reasons:

* If an interface goes down or is placed in a shutdown, all entries associated with this interface will be removed.
* Manually clearing the MAC address.

You can clear the MAC address table manually by issuing the command clear mac address-table dynamic, which has options to either clear the entire table or only sections of it.

SW1# clear mac address-table dynamic ?
  <CR>       
  address    Address
  interface  Interface
  local      Clear MAC Entries Learned Locally and Not on the Overlay/VXLAN
  peer-ip    VXLAN Peer IP Address
  vlan       VLAN
  vni        VXLAN Network Identifier

Limits

Everything has limits. Depending on the platform of your network switch, there is a limit to how many MAC addresses a switch can handle before the dedicated memory (the CAM table) is exhausted and the switch turns into a hub, flooding every frame out every port. Usually these are pretty large values and can be checked with show mac address-table count.

This limit can be taken advantage of with a table overflow attack. Flooding then starts on every port in all directions and can thus be used to capture traffic. There are safeguards to prevent this.
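As an added example (not part of the original page), the following Python script parses the NX-OS show mac address-table layout shown at the top of the page and applies the check a defender would run against the overflow scenario above: count the dynamic MAC addresses learned per interface and flag any port whose count exceeds what should legitimately sit behind it. The sample output, the extra entries on Eth1/3 and the threshold of two addresses per port are all constructed for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the NX-OS "show mac address-table" layout from the page.
# Eth1/3 has been given an unusually large number of dynamic entries to stand in
# for a port on which a flood of new source addresses is being learned.
SAMPLE_OUTPUT = """\
SW1# show mac address-table
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan,
        (NA)- Not Applicable A - ESI Active Path, S - ESI Standby Path
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*    1     5254.0009.d0e2   dynamic  NA         F      F    Eth1/1
*    1     5254.00dc.ed91   dynamic  NA         F      F    Eth1/2
*    1     0011.2233.0001   dynamic  NA         F      F    Eth1/3
*    1     0011.2233.0002   dynamic  NA         F      F    Eth1/3
*    1     0011.2233.0003   dynamic  NA         F      F    Eth1/3
*    1     0011.2233.0004   dynamic  NA         F      F    Eth1/3
*    1     0011.2233.0005   dynamic  NA         F      F    Eth1/3
*    1     0011.2233.0006   dynamic  NA         F      F    Eth1/3
G    -     52eb.9f30.1b08   static   -         F      F    sup-eth1(R)
SW1#
"""

# One table row: optional flag, VLAN (number or "-"), dotted-quad MAC, type,
# age, Secure, NTFY, port. Legend, header and separator lines do not match.
ENTRY_RE = re.compile(
    r"^\s*(?P<flag>[*GOC+])?\s+(?P<vlan>\d+|-)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<kind>dynamic|static)\s+(?P<age>\S+)\s+"
    r"(?P<secure>[TF])\s+(?P<ntfy>[TF])\s+(?P<port>\S+)\s*$"
)


@dataclass(frozen=True)
class MacEntry:
    vlan: str
    mac: str
    kind: str  # "dynamic" or "static"
    port: str


def parse_mac_table(output: str) -> list[MacEntry]:
    """Return the table rows found in raw 'show mac address-table' output."""
    entries: list[MacEntry] = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(MacEntry(m["vlan"], m["mac"].lower(), m["kind"], m["port"]))
    return entries


def dynamic_macs_per_port(entries: list[MacEntry]) -> Counter:
    """Count dynamically learned addresses per interface (static rows ignored)."""
    return Counter(e.port for e in entries if e.kind == "dynamic")


def flag_flooded_ports(entries: list[MacEntry], max_per_port: int) -> list[str]:
    """Ports whose dynamic MAC count exceeds the expected number of hosts behind them."""
    counts = dynamic_macs_per_port(entries)
    return sorted(port for port, n in counts.items() if n > max_per_port)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    print(f"{len(table)} entries, per-port dynamic counts: {dict(dynamic_macs_per_port(table))}")
    for port in flag_flooded_ports(table, max_per_port=2):
        print(f"WARNING: {port} has more dynamic MAC addresses than expected")
```

The threshold is per port and should reflect how many hosts legitimately sit behind that interface: one for an access port with a single host, more for an uplink to another switch, which, as the Tip above notes, will carry every address learned behind it on the shared VLAN. The same per-port limit is what the switch's port security feature enforces in hardware; this script is the out-of-band version of that check, run over a collected snapshot.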