MAC Security

The switch maintains a database of all media access control (MAC) addresses received on all of its ports.

The switch uses the information in this database to decide whether a frame should be forwarded or filtered. MAC security (formerly known as MAC address security) allows you to control the way the FDB (forwarding database) is learned and populated. For more information, see FDB.

MAC security includes several types of control. You can:
  • Limit the number of dynamically learned MAC addresses allowed per virtual port. For more information, see Limiting Dynamic MAC Addresses.
  • “Lock” the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port. For information, see MAC Address Lockdown.


You can either limit dynamic MAC FDB entries or lockdown the current MAC FDB entries, but not both.
  • Set a timer on the learned addresses that limits the length of time the learned addresses will be maintained if the devices are disconnected or become inactive. For more information, see MAC Address Lockdown with Timeout.


    When limit-learning is configured in the port which is also associated with some other vlan where learning is disabled, then few packets with new MAC address beyond learning limit will get flooded. This flooding will take place for fraction of second until new black-hole entry is created in hardware.
  • Use ACLS to prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN. For more information about ACL (Access Control List) policies, see Security.

  • Enhance security, depending on your network configuration, by disabling Layer 2 flooding. For more information about enabling and disabling Layer 2 flooding, see Managing Egress Flooding.