For the sake of context, you may assume that the mention of any VLAN id in this discussion is maintained throughout the LAN in question. (We're not dealing with a "private VLAN" or a VLAN maintained only on a subset of switches on the LAN.)
We have a number of Catalyst 2900XL (EN) switches installed. One command we make regular use of is...
# mac-address-table secure H.H.H fa0/N vlan V
When we specify this on one switch, the MAC address is essentially blocked anywhere else on our LAN (for the given VLAN id). If this is set for a port that isn't actually connected to anything on a single switch, the MAC address is basically blocked everywhere on the LAN.
I just checked a Catalyst 3560G-48PS and a Catalyst 3750G-24TS. The command line completion mechanism on both switches seems to imply the "secure" form of the "mac-address-table" command is no longer available. (Both of these newer switches are running "IPBASE-M" variants of IOS.) I also checked the online command line reference for the newest version(s) of IOS for these switches. Finally, I checked the online "Command Lookup Tool for Cisco IOS", and it only says the "secure" form is available with Catalyst switches, but doesn't qualify what models. The closest variant is...
# mac-address-table static H.H.H vlan V drop
Does this provide the same functionality as the "secure" form, or would it need to be specified on each switch in the LAN to be effective when we want to drop packets for a particular MAC address everywhere on the LAN? If we were to set...
# mac-address-table static H.H.H vlan V interface INT
would this only allow the given MAC address on the port INT of the switch in question, and block its use everywhere else on the LAN, as the "secure" form did on the 2900XL series of switches?
Thanks, Mike
-- | Systems Specialist: CBE,MSE Michael T. Davis (Mike) | Departmental Networking/Computing