Configuring a Static MAC Address Entry

Context

To keep its MAC address table current, a switch learns source MAC addresses of packets. However, the switch cannot distinguish packets from authorized and unauthorized users, leading to security risks. For example, if an unauthorized user spoofs the MAC address of an authorized user and connects to another interface of the switch, the switch learns an incorrect MAC address entry. As a result, packets destined for the authorized user are forwarded to the unauthorized user. To address this issue, create static MAC address entries to bind MAC addresses of authorized users to specified interfaces.

Static MAC address entries have the following characteristics:

  • A static MAC address entry will not be aged out. After being saved, a static MAC address entry will not be lost after a system restart, and can only be deleted manually.
  • The VLAN bound to a static MAC address entry must have been created and assigned to the interface bound to the entry.
  • The MAC address in a static MAC address entry must be a unicast MAC address, and cannot be a multicast or broadcast MAC address.
  • A static MAC address entry takes precedence over a dynamic MAC address entry. The system discards packets with flapping static MAC addresses.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-address static mac-address interface-type interface-number vlan vlan-id

    A static MAC address entry is created.
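
A pre-deployment check for a list of planned bindings, added here as an example and not taken from the Huawei documentation: it enforces the unicast and VLAN-membership constraints listed above and emits the commands from the procedure. The interface inventory, the sample bindings and all function names are constructed assumptions; MAC addresses are written in the H-H-H notation of the switch CLI.

```python
import re

# Constructed inventory (assumption): VLANs already created and assigned to each interface.
INTERFACE_VLANS = {"GigabitEthernet 0/0/1": {10, 20}, "GigabitEthernet 0/0/2": {10}}

# Constructed plan of (MAC, interface, VLAN) bindings; the last three are deliberately invalid.
SAMPLE_BINDINGS = [
    ("00:e0:fc:12:34:56", "GigabitEthernet 0/0/1", 10),
    ("00e0-fc12-3457", "GigabitEthernet 0/0/2", 10),
    ("0100-5e00-0001", "GigabitEthernet 0/0/1", 10),   # multicast
    ("00e0-fc12-3458", "GigabitEthernet 0/0/2", 20),   # VLAN not on the interface
    ("00e0-fc12-3456", "GigabitEthernet 0/0/2", 10),   # already bound elsewhere
]

def parse_mac(text):
    """Return the MAC as 6 bytes; accepts H-H-H, colon and hyphen notations."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"{text}: not a 48-bit MAC address")
    return bytes.fromhex(digits)

def static_mac_command(mac_text, interface, vlan_id, inventory=INTERFACE_VLANS):
    """Check one binding against the constraints and return its CLI line."""
    mac = parse_mac(mac_text)
    if mac[0] & 0x01:  # I/G bit set: multicast, or broadcast when all bits are 1
        raise ValueError(f"{mac_text}: multicast or broadcast, must be unicast")
    if vlan_id not in inventory.get(interface, set()):
        raise ValueError(f"{mac_text}: VLAN {vlan_id} is not assigned to {interface}")
    h = mac.hex()
    return f"mac-address static {h[0:4]}-{h[4:8]}-{h[8:12]} {interface} vlan {vlan_id}"

def build_config(bindings, inventory=INTERFACE_VLANS):
    """Return (commands, errors); one MAC may map to only one interface per VLAN."""
    commands, errors, seen = ["system-view"], [], {}
    for mac_text, interface, vlan_id in bindings:
        try:
            line = static_mac_command(mac_text, interface, vlan_id, inventory)
            key = (parse_mac(mac_text), vlan_id)
            if seen.setdefault(key, interface) != interface:
                raise ValueError(f"{mac_text}: already bound to {seen[key]} in VLAN {vlan_id}")
            commands.append(line)
        except ValueError as exc:
            errors.append(str(exc))
    return commands, errors

if __name__ == "__main__":
    cmds, errs = build_config(SAMPLE_BINDINGS)
    print("\n".join(cmds))
    print("\n".join("rejected: " + e for e in errs))
```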

Verifying the Configuration

Run the display mac-address static command to check configured static MAC address entries.

Copyright © Huawei Technologies Co., Ltd.