CCIE 400-101: Layer 2 Technologies - Managing MAC address table, errdisable recovery, L2 MTU

Managing MAC address table

  • The MAC address table contains address information that the switch uses to forward traffic between ports. 
  • Two types of addresses: 
    • Dynamic: a source MAC address that the switch learns from incoming frames and then ages out when it is not in use. 
    • Static: a manually entered address that does not age and is not lost when the switch reloads. 
  • The MAC address table also lists the associated VLAN ID and the port number with the MAC address. 
  • By default, MAC address learning is enabled on all interfaces and VLANs on the switch. 
  • MAC address learning can be disabled (except for internal VLANs) but it is not recommended. 
  • Cisco guides that you could disable MAC address learning only in VLANs with two ports. If you disable MAC address learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain. 
  • MAC address learning can be disabled for a single VLAN or a range of VLANs with one command. 
  • The same principle applies to interfaces. 
  • Example: no mac address-table learning vlan 223 or no mac address-table learning vlan 1-10,15.
  • The show mac address-table command with different parameters displays information about the MAC address table.


Switch# show mac-address-table

Dynamic Addresses Count:               9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count:           41
Total MAC addresses:                   50
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0010.0de0.e289       Dynamic          1  FastEthernet0/1
0010.7b00.1540       Dynamic          2  FastEthernet0/5
0010.7b00.1545       Dynamic          2  FastEthernet0/5
0060.5cf4.0076       Dynamic          1  FastEthernet0/1
0060.5cf4.0077       Dynamic          1  FastEthernet0/1
0060.5cf4.1315       Dynamic          1  FastEthernet0/1
0060.70cb.f301       Dynamic          1  FastEthernet0/1
00e0.1e42.9978       Dynamic          1  FastEthernet0/1
00e0.1e9f.3900       Dynamic          1  FastEthernet0/1 

errdisable recovery

  • Errdisable is a feature that automatically disables a port if the software detects an error situation on the port.
  • This means that the configuration shows the port to be enabled but IOS has effectively shut it down and no traffic is sent or received on the port.
  • To determine if a port has been error disabled, use the show interfaces command.


cat6knative#show interfaces gigabitethernet 4/1 status

Port    Name       Status       Vlan       Duplex  Speed Type
Gi4/1              err-disabled 100          full   1000 1000BaseSX

  • There are various reasons for the interface to go into errdisable. The reason can be:
    • Duplex mismatch
    • Port channel misconfiguration
    • BPDU guard violation
    • UniDirectional Link Detection (UDLD) condition
    • Late-collision detection
    • Link-flap detection
    • Security violation
    • Port Aggregation Protocol (PAgP) flap
    • Layer 2 Tunneling Protocol (L2TP) guard
    • DHCP snooping rate-limit
    • Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
    • Address Resolution Protocol (ARP) inspection
    • Inline power
  • To disable error-disable detection, use the no errdisable detect cause command.
  • The show errdisable detect command displays the error-disable detection status.
  • When the switch puts a port in the error-disabled state, the switch sends a message to the console that describes why it disabled the port.


   Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.

  • To recover a port in the errdisabled state, manual intervention is required. The administrator must issue shutdown and no shutdown on the port.
  • If enabled, errdisable recovery can automatically re-enable a port after a timeout period.
  • The errdisable recovery feature is disabled by default.
  • The default timeout interval is 300 seconds and, by default, the timeout feature is disabled. If any one of the errdisable recovery conditions is enabled, the ports with this condition are reenabled after 300 seconds.
  • To simultaneously enable errdisable autorecovery for all supported features, use errdisable recovery cause all. The timeout period can be adjusted with the errdisable recovery interval <sec> command.


cat6knative#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
mac-limit            Enabled
unicast-flood        Enabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------    ---------------------    --------------
  Fa2/4                bpduguard          273

  • If any ports have been errdisabled, they will be shown at the end of show errdisable recovery output with the timeout left.
  • To fully recover a port from the errdisabled state is to find and correct the root cause.
  • If you reenable the port before you fix the root problem, the port just becomes error disabled again.


  • MTU is the maximum size of the packet that can still be sent on a data link without fragmentation. 
  • Encapsulations and type of transmission medium affect the MTU. 
  • The MTU of a higher layer must fit within the payload of the lower layer. 
  • Classic IOS and IOS XR configure the MTU differently. 
  • For instance, on IOS XR the mtu command, which sets the L2 MTU, includes the 14-byte L2 header (6-byte src MAC, 6-byte dst MAC, and 2-byte EtherType) for an Ethernet interface (without dot1q), or 4 bytes for Point-to-Point Protocol (PPP) or high-level data link control (HDLC). 
  • If the interface MTU of a non-dot1q Ethernet interface is the default of 1514 bytes, then higher layer protocols such MPLS can have a maximum MTU of 1500 bytes on that interface. This means you can fit only a 1500 byte MPLS frame (including labels) inside the Ethernet frame. You cannot configure a 1508 byte MPLS MTU on that interface if you want to allow two MPLS tags on top of a 1500 byte IPv4 packet. In order to transmit a 1508 byte MPLS frame on an Ethernet interface, the interface MTU must be increased to 1522, or higher value, in order to ensure that the L2 interface payload is large enough to carry the MPLS frame. 
  • See: MTU Behavior on Cisco IOS XR and Cisco IOS Routers.


Errdisable Port State Recovery on the Cisco IOS Platforms.