MAC learning

This security feature for high-security environments restricts access to the network based on the layer 2 media access control (MAC) address of the network devices connected to the Passport routing switch. The feature is enabled per port. (Refer to the MAC Learning tab for information about enabling MAC learning at the port level.) The idea of Unknown MAC Discard is that any frame originating from or destined to a MAC address that is not known by the Passport routing switch on that port is a security violation, and the frame is dropped.

You can create a table of MAC addresses that are allowed access to the specified port. A MAC address is "known" and is forwarded normally if it has been defined in the allowed MAC table or if there is a static VLAN forwarding database (fdb) entry for the MAC address.

An allowed MAC table is created for each port and applies to all VLANs associated with that port. The table defines which MAC addresses are allowed on the port, in addition to any static MAC entries; this table is separate from the VLAN forwarding databases. Because each port has its own allowed MAC table, the same MAC address can be allowed on multiple ports. This contrasts with a VLAN fdb, in which a given MAC address can exist on only one port for a given VLAN.

Entries are added to the allowed MAC table either manually or by AutoLearn, which operates in either One-Shot AutoLearn mode or Continuous AutoLearn mode. An additional setting is Lock AutoLearn MACs. These settings are described as follows:

Unknown MAC Discard is fundamentally a security feature. If a MAC address other than an allowed MAC address attempts to send traffic through the routing switch, that is considered a violation.

The three configurable actions that the switch performs when triggered by a MAC violation on a port are to log the violation, to send a trap, and to administratively down the port:
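The forwarding decision and violation handling described above, as an added model that is not part of this documentation or of the Passport software: a per-port allowed MAC table, a static VLAN fdb that holds each MAC on one port per VLAN, and the log, trap and port-down actions. Class and method names are constructed for illustration; the page does not describe broadcast or multicast handling, so this model checks only unicast destination addresses (an assumption).

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    unknown_mac_discard: bool = False
    allowed_macs: set = field(default_factory=set)   # per-port table; applies to all VLANs on the port
    actions: frozenset = frozenset({"log"})           # any subset of {"log", "trap", "down"}
    admin_up: bool = True

class Switch:
    """Constructed model of Unknown MAC Discard; not the Passport implementation."""

    def __init__(self):
        self.ports: dict[str, Port] = {}
        # Static VLAN fdb: (vlan, mac) -> port. A MAC exists on only one port per VLAN.
        self.static_fdb: dict[tuple[str, str], str] = {}
        self.log: list[str] = []
        self.traps: list[tuple[str, str]] = []

    def add_static_fdb(self, vlan: str, mac: str, port: str) -> None:
        # Re-adding the same (vlan, mac) moves it to the new port rather than duplicating it.
        self.static_fdb[(vlan, mac)] = port

    def is_known(self, port: str, vlan: str, mac: str) -> bool:
        # Known = in this port's allowed MAC table, or a static fdb entry for this port.
        return mac in self.ports[port].allowed_macs or self.static_fdb.get((vlan, mac)) == port

    def ingress(self, port: str, vlan: str, src_mac: str, dst_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving on `port` in `vlan`."""
        p = self.ports[port]
        if not p.admin_up:
            return "drop"                     # port was administratively downed by a violation
        if not p.unknown_mac_discard:
            return "forward"
        to_check = [src_mac]
        if int(dst_mac.split(":")[0], 16) & 1 == 0:   # assumption: only unicast destinations checked
            to_check.append(dst_mac)
        for mac in to_check:                  # frames from OR to an unknown MAC are violations
            if not self.is_known(port, vlan, mac):
                self._violation(port, mac)
                return "drop"
        return "forward"

    def _violation(self, port: str, mac: str) -> None:
        p = self.ports[port]
        if "log" in p.actions:
            self.log.append(f"port {port}: unknown MAC {mac} discarded")
        if "trap" in p.actions:
            self.traps.append((port, mac))   # stands in for an SNMP trap being sent
        if "down" in p.actions:
            p.admin_up = False               # administratively down the port
```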
