How to disable MAC learning in a Linux bridge

Question: I am troubleshooting Ethernet bridging which I set up with a Linux bridge, and I would like to disable MAC learning on the Linux bridge. How can I do that?

An Ethernet bridge is a network component which interconnects multiple Ethernet networks by forwarding packets from one network to another. Linux has a software implementation of the Ethernet bridge (called "Linux bridge") incorporated into the kernel since 2.6. A Linux bridge is often used to set up a transparent proxy/firewall, or to work as a virtual switch which interconnects multiple virtual machines and containers created on a host.

Like a hardware Ethernet bridge, a Linux bridge comes with MAC address learning capability built-in. so that it knows how (i.e., to which port) to forward a network packet.

Suppose you would like to disable MAC address learning in a Linux bridge for whatever reason. For example, you want to "inject" artificial traffic into the bridge for experimental purposes. Or your network is under attack; a large amount of packets with different source MAC addresses are filling up the MAC learning table. Or you want to manage MAC forwarding table on your own, without relying on the default learning table.

This post describes who to disable MAC address learning in a Linux bridge.

Note: Once MAC learning is turned off, a Linux bridge will flood every incoming packet to the rest of the ports. Understand this implication before proceeding.

MAC Address Learning vs. Ageing Time

When a Linux bridge receives a packet with a new source MAC address from a particular bridge port, it stores the MAC address along with the port number in its MAC learning table. A timer is associated with each entry in the table, so that the entry expires after a certain period (so-called "ageing time"), unless it is refreshed before then. By default the ageing time in a Linux bridge is set to 300 seconds.

If you want to disable MAC address learning in a Linux bridge, you need to set the "ageing time" to 0. Let's find out how you can actually do it.

Disable MAC Address Learning in a Linux Bridge from the Command Line

Without disabling MAC learning, a Linux bridge will learn and store one or more "non-local" MAC addresses in the MAC learning table. To check the current MAC learning table:

$ sudo brctl showmacs <bridge-interface>

To view the current ageing time of a bridge, run:

$ brctl showstp <bridge-interface>

To turn off the bridge's MAC address learning, set its ageing time to 0 as follows.

$ sudo brctl setageing <bridge-interface> 0

Once MAC learning is deactivated, the bridge's MAC learning table will no longer contain any non-local MAC address.

Note that any change made with the brctl command (including MAC learning deactivation) does not survive reboots. If you want to turn off MAC learning permanently, read on.

Disable MAC Address Learning in a Linux Bridge Permanently

If you define a Linux bridge in /etc/network/interfaces (e.g., on Debian-based system), add "bridge_ageing 0" under the bridge configuration. For example:

auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    bridge_ageing 0
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1

If you configure a Linux bridge with Network Manager, set "Aging time" to 0 in the bridge editing menu.

Download this article as ad-free PDF (made possible by your kind donation): 
Download PDF

Subscribe to Ask Xmodulo

Do you want to receive Linux related questions & answers published at Ask Xmodulo? Enter your email address below, and we will deliver our Linux Q&A straight to your email box, for free. Delivery powered by Google Feedburner.


Support Xmodulo

Did you find this tutorial helpful? Then please be generous and support Xmodulo!

3 thoughts on “How to disable MAC learning in a Linux bridge

    • There are cases where you want to disable MAC learning:
      - you want to "inject" artificial traffic into the bridge for experimental purposes.
      - your network is under attack; a large amount of packets with different source MAC addresses are filling up the MAC learning table.
      - you want to manage MAC forwarding table on your own, without relying on the default learning.

  1. Just slightly OT, but still relevant: configuring bridge parameters, configuring STP alone = brctl is all that's needed. Requirement for RSTP, MSTP etc. = you'll need mstpd + mstpctl. For examples see below (and Kudos to the Cumulusnetworks vendor for great docs and not hiding real commands syntax behind unifying high-level, but proprietary language):
    https://docs.cumulusnetworks.com/display/CL22/Spanning+Tree+and+Rapid+Spanning+Tree
    https://docs.cumulusnetworks.com/display/DOCS/Spanning+Tree+and+Rapid+Spanning+Tree

Leave a comment

Your email address will not be published. Required fields are marked *