CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs -
LAN Switching
MAC-Address Table Static Entries and Aging
You must load the initial configuration files for the section, LAN Switching Initial Spanning Tree, which can be found in . Reference the Virtual Routers & Physical Switches Diagram to complete this task.
Task
Shut down all Ethernet links from SW4 toward SW2 and SW3.
Shut down ports Fa0/19 and Fa0/23 on SW1.
Create an SVI for VLAN 10 on SW1 and assign it the IP address 169.254.23.1/24.
Configure Fa0/20 and Fa0/24 on SW1 as access ports in VLAN 10.
Configure port Fa0/20 on SW3 and Fa0/24 on SW2 as Layer 3 ports with IP
addresses of 169.254.23.Y/24, where Y is the switch number.
Configure static CAM entries on SW1 as follows:
Frames destined to the MAC address of SW2’s Layer 3 interface are
dropped.
SW3’s MAC address is not allowed to commute between ports or switches.
Configuration
SW4:
interface range FastEthernet0/19 - 20 , FastEthernet0/23 - 24
shutdown
SW1:
interface range FastEthernet0/19 , FastEthernet0/23
shutdown
!
default interface range FastEthernet0/20 , FastEthernet0/24
!
interface range FastEthernet0/20 , FastEthernet0/24
switchport mode access
switchport access vlan 10
!
interface Vlan10
ip address 169.254.23.1 255.255.255.0
no shutdown
!
mac address-table static 0022.5627.1fc1 vlan 10 interface FastEthernet0/20
mac address-table static 000a.b832.3ac1 vlan 10 drop
SW2:
interface FastEthernet0/24
no switchport
ip address 169.254.23.2 255.255.255.0
SW3:
interface FastEthernet0/20
no switchport
ip address 169.254.23.3 255.255.255.0
Verification
Normally, switches populate the CAM table (MAC address table) by learning the source MAC address of each frame received on their ports, and they flood frames with an unknown destination out every port in the VLAN in which they were received. In certain circumstances this behavior is undesirable, such as when someone attempts a Layer 2 MAC address spoofing attack, where a forged source address causes a dynamic entry to move to the attacker's port. A simple way to prevent these types of attacks is to statically hard-code which MAC addresses are reachable via which ports.
Another static feature of the CAM table is the ability to null-route a MAC address. Because static entries always override dynamically learned entries, if the drop keyword (or an unused interface) is used in the mac address-table static command, traffic destined to that MAC address is silently dropped.
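To make the learning, override, and aging behavior described above concrete, the following is an added Python model of a single-VLAN MAC address table; it is not code from this workbook or from Cisco IOS. It reuses the lab's MAC addresses and port names, models frames sourced from the SVI as arriving on a port named CPU (an assumption), and uses the 300-second default aging time. It shows a dynamic entry following a frame that arrives on the wrong port, the static entries from the task refusing to move, the drop entry discarding traffic, and dynamic entries expiring while static ones persist.

```python
from dataclasses import dataclass

FLOOD = "FLOOD"  # unknown destination: flood within the VLAN
DROP = "DROP"    # null-route entry, equivalent to the IOS "drop" keyword


@dataclass
class Entry:
    port: str         # egress port, or DROP for a null-route entry
    static: bool      # static entries are never relearned or aged out
    last_seen: float  # time of last source learning; unused for static entries


class CamTable:
    """Model of one VLAN's MAC address table on a learning switch (added example)."""

    def __init__(self, aging_secs: float = 300.0):
        self.aging_secs = aging_secs
        self.entries: dict[str, Entry] = {}

    def add_static(self, mac: str, port: str) -> None:
        # A static entry replaces any dynamic entry for the same address.
        self.entries[mac.lower()] = Entry(port, True, 0.0)

    def age_out(self, now: float) -> None:
        # Only dynamic entries expire; static entries stay until removed by config.
        for mac, e in list(self.entries.items()):
            if not e.static and now - e.last_seen > self.aging_secs:
                del self.entries[mac]

    def receive(self, src_mac: str, dst_mac: str, in_port: str, now: float) -> str:
        """Process one frame and return the egress decision (port, FLOOD, or DROP)."""
        src, dst = src_mac.lower(), dst_mac.lower()
        self.age_out(now)
        current = self.entries.get(src)
        if current is None or not current.static:
            # Source learning: a dynamic entry always follows the ingress port,
            # which is exactly what a spoofed source address exploits.
            self.entries[src] = Entry(in_port, False, now)
        # A static entry ignores the ingress port, so the address cannot "commute".
        target = self.entries.get(dst)
        if target is None:
            return FLOOD
        return DROP if target.port == DROP else target.port


def run_scenario() -> dict:
    """Replay the lab: dynamic learning, a moved entry, static pinning, then aging."""
    cam = CamTable(aging_secs=300)
    sw1, sw2, sw3 = "0013.605f.f041", "000a.b832.3ac1", "0022.5627.1fc1"
    out = {}
    # SW2 (Fa0/24) and SW3 (Fa0/20) talk to SW1's SVI; SW1 learns them dynamically.
    cam.receive(sw2, sw1, "Fa0/24", now=0)
    cam.receive(sw3, sw1, "Fa0/20", now=0)
    out["dynamic"] = (cam.receive(sw1, sw2, "CPU", now=1),
                      cam.receive(sw1, sw3, "CPU", now=1))
    # A frame carrying SW3's source MAC arrives on Fa0/24: the dynamic entry moves.
    cam.receive(sw3, sw1, "Fa0/24", now=2)
    out["moved"] = cam.receive(sw1, sw3, "CPU", now=3)
    # Static entries from the task: SW3 pinned to Fa0/20, SW2 null-routed.
    cam.add_static(sw3, "Fa0/20")
    cam.add_static(sw2, DROP)
    cam.receive(sw3, sw1, "Fa0/24", now=4)  # no longer relearned on the wrong port
    out["static"] = (cam.receive(sw1, sw2, "CPU", now=5),
                     cam.receive(sw1, sw3, "CPU", now=5))
    # Aging: a silent dynamic host expires after aging_secs; the static entry does not.
    host = "0000.0c00.aaaa"  # constructed address for an ordinary host on Fa0/24
    cam.receive(host, sw1, "Fa0/24", now=10)
    out["aging"] = (cam.receive(sw1, host, "CPU", now=100),
                    cam.receive(sw1, host, "CPU", now=400),
                    cam.receive(sw1, sw3, "CPU", now=400))
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:8s} {result}")
```

The "moved" step is the failure mode the static entries are meant to prevent: without them, the table simply trusts whichever port last sourced the address. With the static entries in place, the same frame on Fa0/24 is learned nowhere, traffic to SW3 keeps leaving via Fa0/20, and traffic to SW2 is discarded, which matches the show mac address-table output later in the verification.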
In this particular design, SW1, SW2, and SW3 exchange traffic on VLAN 10. Before
configuring static MAC entries, SW1 has connectivity with both SW2 and SW3.
SW1#ping 169.254.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

SW1#ping 169.254.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
SW1 dynamically learns the MAC addresses of both SW2 and SW3.
SW1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  169.254.23.1            -   0013.605f.f041  ARPA   Vlan10
Internet  169.254.23.2           46   000a.b832.3ac1  ARPA   Vlan10
Internet  169.254.23.3           46   0022.5627.1fc1  ARPA   Vlan10
SW1#show mac address-table dynamic address 000a.b832.3ac1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000a.b832.3ac1    DYNAMIC     Fa0/24
Total Mac Addresses for this criterion: 1
SW1#show mac address-table dynamic address 0022.5627.1fc1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0022.5627.1fc1    DYNAMIC     Fa0/20
Total Mac Addresses for this criterion: 1
After SW1 is configured with static entries for both SW2 and SW3, these override the dynamically learned entries. The result is that any traffic destined to SW2 is dropped in the Layer 2 transit path by SW1.
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#mac address-table static 000a.b832.3ac1 vlan 10 drop

SW1#ping 169.254.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#show mac address-table address 000a.b832.3ac1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000a.b832.3ac1    STATIC      Drop
Total Mac Addresses for this criterion: 1
Likewise, as soon as we add the static entry for SW3's Layer 3 interface, traffic going to SW3 uses the static entry instead of the dynamically learned one; because the static entry points to the same port SW3 was learned on, connectivity is preserved.
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#mac address-table static 0022.5627.1fc1 vlan 10 interface FastEthernet0/20

SW1#ping 169.254.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW1#show mac address-table address 0022.5627.1fc1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0022.5627.1fc1    STATIC      Fa0/20
Total Mac Addresses for this criterion: 1