Configures virtual ports for limited or locked MAC address learning.
port_list | Specifies one or more ports or slots and ports. |
tagged tag | Specifies the port-specific VLAN tag. When there are multiple ports specified in the port_list, the same tag is used for all of them. |
vlan_name | Specifies the name of the VLAN. |
vlan_list | Specifies a VLAN list of IDs. |
limit-learning number | Specifies a limit on the number of MAC addresses that can be dynamically learned on the specified ports. |
blackhole |
Specifies that blackhole entries are created for MAC addresses that exceed the limit-learning limit. This is the default setting. |
stop-learning | Specifies that the learning be halted to protect the switch from exhausting FDB resources by not creating blackhole entries. |
lock-learning | Specifies that the current FDB entries for the specified ports should be made permanent static, and no additional learning should be allowed. |
unlimited-learning | Specifies that there should not be a limit on MAC addresses that can be learned. |
unlock-learning | Specifies that the port should be unlocked (allow unlimited, dynamic learning). |
Unlimited, unlocked learning.
If you have enabled ESRP, see the appropriate volume of the Switch Engine v33.1.1 User Guide for information about using this feature with ESRP.
The limited learning feature allows you to limit the number of dynamically-learned MAC addresses per VLAN. When the learned limit is reached, all new source MAC addresses are blackholed at both the ingress and egress points. This prevent these MAC addresses from learning and responding to ICMP and address resolution protocol (ARP) packets.
If the limit you configure is greater than the current number of learned entries, all the current learned entries are purged.
Dynamically learned entries still get aged, and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again.
Permanent static and permanent dynamic entries can still be added and deleted using the create fdb and delete fdb commands. These override any dynamically learned entries.
For ports that have a learning limit in place, the following traffic still flows to the port:
Traffic from the permanent MAC and any other non-blackholed MACs will still flow from the virtual port.
If you configure a MAC address limit on VLANS that participate in an Extreme Standby Router Protocol (ESRP) domain, you should add an additional back-to-back link (that has no MAC address limit on these ports) between the ESRP-enabled switches. Doing so prevents ESRP protocol data units (PDUs) from being dropped due to MAC address limit settings.
When stop-learning is enabled with learning-limit configured, the switch is protected from exhausting FDB resources by not creating blackhole entries. Any additional learning and forwarding is prevented, but packet forwarding from FDB entries is not impacted.
The port lockdown feature allows you to prevent any additional learning on the virtual port, keeping existing learned entries intact. This is equivalent to making the dynamically-learned entries permanent static, and setting the learning limit to zero. All new source MAC addresses are blackholed.
Locked entries do not get aged, but can be deleted like any other permanent FDB entries. The maximum number of permanent lockdown entries is 1024. Any FDB entries above will be flushed and blackholed during lockdown.
For ports that have lockdown in effect, the following traffic still flows to the port:
Traffic from the permanent MAC will still flow from the virtual port.
Once the port is locked down, all the entries become permanent and will be saved across reboot.
When you remove the lockdown using the unlock-learning option, the learning-limit is reset to unlimited, and all associated entries in the FDB are flushed.
To display the locked entries on the switch, use the following command:
show fdbLocked MAC address entries have the “l” flag.
To verify the MAC security configuration for the specified VLAN or ports, use the following commands:
show vlan vlan name security show ports port_list info detailThe following example limits the number of MAC addresses that can be learned on ports 1, 2, 3, and 6 in a VLAN named accounting, to 128 addresses:
configure ports 1, 2, 3, 6 vlan accounting learning-limit 128
The following example locks ports 4 and 5 of VLAN accounting, converting any FDB entries to static entries, and prevents any additional address learning on these ports:
configure ports 4,5 vlan accounting lock-learning
The following example removes the learning limit from the specified ports:
configure ports 1, 2, vlan accounting unlimited-learning
The following example unlocks the FDB entries for the specified ports:
configure ports 4,5 vlan accounting unlock-learning
The following example illustrates use of the tagged keyword:
configure ports 1 tag 10 vlan accounting learning-limit 128 configure ports 1 vlan accounting learning-limit 128 configure ports 4 tag 10 vlan accounting lock-learning configure ports 4 vlan accounting lock-learning
This command was first available in ExtremeXOS 11.1.
The vlan_list option was added in ExtremeXOS 16.1.
This command is available on all Universal switches supported in this document.