How to disable MAC learning in a Linux bridge

Last updated on September 18, 2020 by Dan Nanni

Question: I am troubleshooting Ethernet bridging which I set up with a Linux bridge, and I would like to disable MAC learning on the Linux bridge. How can I do that?

An Ethernet bridge is a network component which interconnects multiple Ethernet networks by forwarding packets from one network to another. Linux has a software implementation of the Ethernet bridge (called Linux bridge) incorporated into the kernel since 2.6. A Linux bridge is often used to set up a transparent proxy/firewall, or to work as a virtual switch which interconnects multiple virtual machines and containers created on a host.

Like a hardware Ethernet bridge, a Linux bridge comes with MAC address learning capability built-in, so that it knows how (i.e., to which port) to forward a network packet.

Suppose you would like to disable MAC address learning in a Linux bridge for whatever reason. For example, you want to inject artificial traffic into the bridge for experimental purposes. Or your network is under attack; a large number of packets with different source MAC addresses are filling up the MAC learning table. Or you want to manage the MAC forwarding table on your own, without relying on the default learning table.

This post describes how to disable MAC address learning in a Linux bridge.

Note: Once MAC learning is turned off, a Linux bridge will flood every incoming packet to the rest of the ports. Understand this implication before proceeding.

MAC Address Learning vs. Ageing Time

When a Linux bridge receives a packet with a new source MAC address from a particular bridge port, it stores the MAC address along with the port number in its MAC learning table. A timer is associated with each entry in the table, so that the entry expires after a certain period (so-called ageing time), unless it is refreshed before then. By default the ageing time in a Linux bridge is set to 300 seconds.

If you want to disable MAC address learning in a Linux bridge, you need to set the ageing time to 0. Let's find out how you can actually do it.

Disable MAC Address Learning in a Linux Bridge from the Command Line

Without disabling MAC learning, a Linux bridge will learn and store one or more non-local MAC addresses in the MAC learning table. To check the current MAC learning table:

$ sudo brctl showmacs <bridge-interface>

To view the current ageing time of a bridge, run:

$ brctl showstp <bridge-interface>

To turn off the bridge's MAC address learning, set its ageing time to 0 as follows.

$ sudo brctl setageing <bridge-interface> 0

Once MAC learning is deactivated, the bridge's MAC learning table will no longer contain any non-local MAC address.

Note that any change made with the brctl command (including MAC learning deactivation) does not survive reboots. If you want to turn off MAC learning permanently, read on.
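The following script is an added example (not part of the original article) that audits whether MAC learning is still active on a bridge: it reads the ageing time from sysfs, which stores it in centiseconds (30000 = 300 s), and counts the non-local entries in brctl showmacs output. The bridge name br0 and the sample showmacs table are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Linux bridge's MAC
# learning state. The ageing time is read from sysfs (centiseconds, so 30000
# means 300 s) and learned entries are counted from "brctl showmacs" output.
# The bridge name "br0" and the sample table below are constructed for the demo.

# Sample "brctl showmacs br0" output, constructed for this example.
SAMPLE_MACS='port no	mac addr		is local?	ageing timer
  1	00:11:22:33:44:55	no		  12.34
  1	02:aa:bb:cc:dd:ee	yes		   0.00
  2	00:11:22:33:44:66	no		 120.01
  2	02:aa:bb:cc:dd:ef	yes		   0.00'

# Convert a sysfs ageing_time value (centiseconds) to whole seconds.
ageing_seconds() {
    echo "$(( $1 / 100 ))"
}

# Read the named bridge's current ageing time from sysfs, in seconds.
# Prints "unknown" when no such bridge exists on this host.
bridge_ageing() {
    f="/sys/class/net/$1/bridge/ageing_time"
    if [ -r "$f" ]; then ageing_seconds "$(cat "$f")"; else echo unknown; fi
}

# Count learned (non-local) entries in brctl showmacs output read from stdin.
# With ageing time 0 this is expected to be 0; an unusually large count
# (many distinct source MACs) is a sign the learning table is being filled.
count_learned_macs() {
    awk 'NR > 1 && $3 == "no" { n++ } END { print n + 0 }'
}

# Report the bridge's state using the sample table above.
main() {
    br="${1:-br0}"
    learned=$(printf '%s\n' "$SAMPLE_MACS" | count_learned_macs)
    echo "bridge $br: ageing time $(bridge_ageing "$br") s, $learned learned MAC(s)"
    if [ "$learned" -gt 0 ]; then
        echo "MAC learning is active; disable with: sudo brctl setageing $br 0"
        # iproute2 equivalent: ip link set dev "$br" type bridge ageing_time 0
    fi
}

main "$@"
```

Run it against a live bridge by replacing the sample table with the real `brctl showmacs` output; the check itself needs no root, only the setageing step does.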

Disable MAC Address Learning in a Linux Bridge Permanently

If you configured a Linux bridge in /etc/network/interfaces (e.g., on a Debian-based system), add bridge_ageing 0 under the bridge configuration. For example:

auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    bridge_ageing 0
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1

If you configure a Linux bridge with Network Manager, set Aging time to 0 in the bridge editing menu.


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
