Configuring Cisco Switch MAC Address and Security Settings

A switch makes forwarding decisions based on the entries stored in its MAC address table. The table is built as the switch inspects the source address of each frame entering a port and records that address against the port it arrived on. By default, a Catalyst 1900 switch can store up to 1024 entries in its MAC address table. Entries added this way are known as dynamic entries. They remain in the table until the table is manually cleared, until the switch is restarted, or until a given host has not been heard from for a set period of time; the default aging time is 300 seconds. It is also possible to add permanent entries to the MAC address table, as we’ll see shortly.

To view the MAC address table on a Cisco 1900, issue the show mac-address-table command. The output shows not only the MAC addresses of connected devices, but also the port each address is associated with, whether the entry is dynamic, permanent, or restricted static, and the source interface list (the ports from which that address may be reached; All for ordinary entries).

Cisco1912#show mac-address-table
Number of permanent addresses : 1
Number of restricted static addresses : 0
Number of dynamic addresses : 2

Address Dest Interface Type Source Interface List
----------------------------------------------------------------------
0000.1223.30A5 Ethernet 0/5 Permanent All
0000.2456.110A Ethernet 0/2 Dynamic All
0000.2456.134A Ethernet 0/3 Dynamic All
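Reading the listing for one switch is easy by eye; auditing many ports or many switches calls for a script. The following Python is an added example, not code from the article or from Cisco: it parses the row format shown above, counts dynamically learned addresses per port, and flags any port carrying more addresses than an access port should. The sample output is constructed (the listing above plus two extra addresses on Ethernet 0/2), and the column layout, in particular how a restricted static row is labelled, is assumed from that listing.

```python
import re
from collections import defaultdict

# Constructed sample: the article's "show mac-address-table" listing with two extra
# dynamic entries on Ethernet 0/2 added so the audit has something to flag.
SAMPLE_OUTPUT = """\
Number of permanent addresses : 1
Number of restricted static addresses : 0
Number of dynamic addresses : 4

Address Dest Interface Type Source Interface List
----------------------------------------------------------------------
0000.1223.30A5 Ethernet 0/5 Permanent All
0000.2456.110A Ethernet 0/2 Dynamic All
0000.2456.134A Ethernet 0/3 Dynamic All
0000.2456.2B17 Ethernet 0/2 Dynamic All
0000.2456.2B18 Ethernet 0/2 Dynamic All
"""

# One table row: H.H.H address, interface name with a space before slot/port,
# the entry type, then the source-interface list (which may contain spaces).
# The "Restricted static" label is assumed; the article only shows the other two.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+"
    r"(?P<iface>\S+\s+\d+/\d+)\s+"
    r"(?P<kind>Dynamic|Permanent|Restricted(?:\s+[Ss]tatic)?)\s+"
    r"(?P<sources>.*)$"
)

def parse_mac_table(text):
    """Return one dict per MAC table row; the counters and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "mac": m.group("mac").upper(),
                "iface": m.group("iface"),
                "kind": m.group("kind"),
                "sources": m.group("sources").strip(),
            })
    return rows

def dynamic_count_per_port(rows):
    """Number of dynamically learned (not administratively pinned) addresses per interface."""
    counts = defaultdict(int)
    for r in rows:
        if r["kind"] == "Dynamic":
            counts[r["iface"]] += 1
    return dict(counts)

def ports_over_limit(rows, max_per_port):
    """Interfaces whose dynamic address count exceeds max_per_port.
    On a jack meant for one host, more than one learned address usually means a hub,
    an unmanaged switch, or a host changing its source address behind the port."""
    return sorted(p for p, n in dynamic_count_per_port(rows).items() if n > max_per_port)

def unpinned_addresses(rows):
    """(mac, iface) pairs still learned dynamically: candidates for a permanent entry."""
    return sorted((r["mac"], r["iface"]) for r in rows if r["kind"] == "Dynamic")

if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_OUTPUT)
    print("dynamic addresses per port:", dynamic_count_per_port(rows))
    print("ports over the one-host limit:", ports_over_limit(rows, 1))
    print("not yet pinned:", unpinned_addresses(rows))
```

Feed it the saved output of show mac-address-table from each switch and compare the per-port counts against what the patch panel says should be on each jack; a port whose count grows over time is worth a visit.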

Entries can be cleared from a switch’s MAC address table with the clear mac-address-table command. The command takes one of three keywords, selecting dynamic, permanent, or restricted static entries. Clearing dynamic entries is harmless in the long run, since the switch relearns them as hosts transmit, but until it does, frames to those addresses are flooded out every port; clearing permanent or restricted entries removes configuration that was entered deliberately.

Cisco1912#clear mac-address-table ?
dynamic Clear 802.1d dynamic address
permanent Clear 802.1d permanent addresses
restricted Clear 802.1d restricted static address

A common way to implement security on a Layer 2 switch is to add permanent MAC address entries for a switch port. Although this can be a great deal of work, it makes sense where you want to be sure that unknown systems can’t simply plug into a switch port (probably via a wall jack) and gain access to your network. A permanent entry pins a MAC address to a port: it is never aged out, it survives a restart, and the switch will forward frames for that address only through the port named in the entry. Note that a permanent entry on its own does not stop other source addresses from being learned on the same port; to restrict a port to a fixed set of addresses, combine permanent entries with the port secure feature described later in this section. The mac-address-table command is used to add permanent entries to the MAC address table, as shown below.

Cisco1912(config)#mac-address-table permanent ?
H.H.H 48 bit hardware address
Cisco1912(config)#mac-address-table permanent 0000.1234.5678 ?
Ethernet IEEE 802.3
FastEthernet FastEthernet IEEE 802.3
Cisco1912(config)#mac-address-table permanent 0000.1234.5678 e0/7

Notice that in order to add a permanent entry, you must supply both the MAC address of the system that will be connected, in dotted H.H.H form, and the port to which the entry applies (e0/7 above is the abbreviated form of Ethernet 0/7).

If no frame is seen from the source address of a dynamic entry within 300 seconds, the entry is flushed. The aging time applies only to dynamic entries, is given in seconds, and can be changed from global configuration mode as shown below.

Cisco1912(config)#mac-address-table aging-time ?
<10-1000000> Aging time value
Cisco1912(config)#mac-address-table aging-time 600

The Cisco 1900 series also includes a feature that lets you limit how many MAC addresses may be active on a given switch port, without listing each one as a permanent entry. For example, you might want to ensure that no more than 4 systems are ever connected through any single port. One system per port is ideal, but cost considerations don’t always allow it. The maximum number that can be specified per port is 132. Capping the count per port also prevents a single host from filling the 1024-entry table with bogus source addresses, which would force the switch to flood unknown unicast frames out every port. What the switch does when a port exceeds its limit (an address violation) is configured separately with the global address-violation command, which can ignore the event, suspend the port, or disable it.

To configure a port so that it allows only a certain number of addresses, use the port secure max-mac-count command, which enables port security on the port and sets its limit. The command is issued from interface configuration mode.

Cisco1912(config)#interface e0/4
Cisco1912(config-if)#port secure max-mac-count ?
<1-132> Maximum mac address count for this secure port
Cisco1912(config-if)#port secure max-mac-count 4

One other option for securing a switch is to disable unused ports with the shutdown command, so that a device plugged into an idle jack gets no link at all. The command is issued in the example below, followed by the show int command. Notice that port e0/6 is now listed as Disabled-management, which identifies an administrative shutdown rather than a port that is merely unplugged.

Cisco1912(config)#interface e0/6
Cisco1912(config-if)#shutdown
Cisco1912(config-if)#
Cisco1912#show int e0/6

Ethernet 0/6 is Disabled-management
Hardware is Built-in 10Base-T
Address is 0050.F05F.2506
MTU 1500 bytes, BW 10000 Kbits
802.1d STP State: Disabled Forward Transitions: 1
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description:
Duplex setting: Half duplex
Back pressure: Disabled
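Pinning permanent entries, setting max-mac-count, and shutting down the remaining ports is tedious to type for a whole switch, so the three commands from this section are usually generated from an inventory of which host belongs on which jack. The following Python is an added example, not code from the article or from Cisco: given an allowlist of hosts per port, it emits the global mac-address-table permanent lines, a port secure max-mac-count for each populated port, and shutdown for every other port. The inventory, the 12-port layout, the uplink exclusion, and the choice of setting the permitted count to the number of listed hosts are assumptions for the example; review the output against the switch’s address-violation setting before pasting it in.

```python
import re

# Constructed inventory for a 12-port Catalyst 1900 (Ethernet 0/1 to 0/12), using the
# short interface names the CLI accepts. Any port not listed here is treated as unused.
ALLOWED_HOSTS = {
    "e0/2": ["00:00:24:56:11:0a"],                    # single workstation
    "e0/3": ["0000.2456.134a"],                       # same notation the switch prints
    "e0/5": ["0000.1223.30A5", "00-00-12-23-30-A6"],  # lab bench with two hosts
}
ALL_PORTS = [f"e0/{n}" for n in range(1, 13)]
UPLINK_PORTS = {"e0/1"}      # uplink to the rest of the LAN: neither pinned nor shut down
MAX_MAC_COUNT_LIMIT = 132    # largest value the 1900 accepts for max-mac-count

def to_dotted(mac):
    """Normalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to the H.H.H
    form the mac-address-table command expects; reject anything that is not 48 bits."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    d = digits.upper()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"

def build_port_security_config(allowed, all_ports, uplinks=frozenset(), slack=0):
    """Return CLI lines: the global permanent entries first, then one interface block
    per port. Populated ports get max-mac-count = listed hosts + slack; empty ports
    get shutdown; uplinks are left untouched."""
    unknown = sorted(set(allowed) - set(all_ports))
    if unknown:
        raise ValueError(f"allowlist names ports the switch does not have: {unknown}")
    global_lines, iface_lines, owner = [], [], {}
    for port in all_ports:
        if port in uplinks:
            continue
        macs = sorted({to_dotted(m) for m in allowed.get(port, [])})
        if not macs:
            iface_lines += [f"interface {port}", " shutdown"]
            continue
        for mac in macs:
            # The MAC table holds exactly one port per address, so listing the same
            # host on two jacks is an inventory error, not something to emit.
            if owner.setdefault(mac, port) != port:
                raise ValueError(f"{mac} listed on both {owner[mac]} and {port}")
            global_lines.append(f"mac-address-table permanent {mac} {port}")
        limit = len(macs) + slack
        if not 1 <= limit <= MAX_MAC_COUNT_LIMIT:
            raise ValueError(f"{port}: max-mac-count {limit} is outside 1-{MAX_MAC_COUNT_LIMIT}")
        iface_lines += [f"interface {port}", f" port secure max-mac-count {limit}"]
    return global_lines + iface_lines

if __name__ == "__main__":
    print("\n".join(build_port_security_config(ALLOWED_HOSTS, ALL_PORTS, UPLINK_PORTS)))
```

The global lines are emitted before the interface blocks so the whole output can be pasted into global configuration mode in one go. Keep slack at 0 for ordinary desks; raise it only on a port that legitimately fronts a small hub, and remember that an uplink carrying the rest of the LAN must never be pinned or capped this way.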

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.