Limit MAC Address Learning

Configure the MAC security feature to control traffic from a specific number of MAC addresses. The total number of MAC addresses that you can configure is fixed. The switch help text shows the maximum number of MAC addresses a port can learn in non-SPBM configurations. In an SPBM configuration, the maximum value is reduced by half.

About this task

This feature limits the number of forwarding database (FDB) entries learned on a particular port to a user-specified value. After the number of learned forwarding database entries reaches the maximum limit, MAC learning stops on that port.

Procedure

  1. Enter Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Protect the FDB from hits by too many MAC addresses:

    mac-security [port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] limit-learning enable [max-addrs <max-addrs>]

Example

Protect the FDB from hits by too many MAC addresses:

Switch:1(config)#interface gigabitethernet 1/1
Switch:1(config-if)#mac-security limit-learning enable
Switch:1(config-if)#mac-security limit-learning max-addrs 5000
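The following is an added example, not part of the original documentation or the switch software: a small Python helper that expands a port specification in the slot/port[/sub-port][-slot/port[/sub-port]][,...] format used by the procedure above, checks a requested max-addrs value against the platform maximum (which this page states is halved under SPBM), and emits the CLI lines from the example. The platform maximum of 8192 is a constructed placeholder; take the real range from the switch CLI Help.

```python
import re
from typing import List, Optional, Tuple

# Constructed platform limit for this example; the real range comes from CLI Help.
PLATFORM_MAX_ADDRS = 8192

Port = Tuple[int, int, Optional[int]]  # (slot, port, sub-port or None)
_PORT_RE = re.compile(r"^(\d+)/(\d+)(?:/(\d+))?$")


def parse_port(token: str) -> Port:
    """Parse slot/port or slot/port/sub-port (channelized port)."""
    m = _PORT_RE.match(token.strip())
    if not m:
        raise ValueError(f"bad port token: {token!r}")
    slot, port, sub = m.groups()
    return (int(slot), int(port), int(sub) if sub is not None else None)


def expand_ports(spec: str) -> List[Port]:
    """Expand slot/port[/sub-port][-slot/port[/sub-port]][,...] into ports.
    Ranges are expanded only between whole ports in the same slot (assumption)."""
    ports: List[Port] = []
    for item in spec.split(","):
        if "-" not in item:
            ports.append(parse_port(item))
            continue
        lo, hi = (parse_port(p) for p in item.split("-", 1))
        if lo[0] != hi[0] or lo[2] is not None or hi[2] is not None or lo[1] > hi[1]:
            raise ValueError(f"unsupported range: {item!r}")
        ports.extend((lo[0], p, None) for p in range(lo[1], hi[1] + 1))
    return ports


def max_addrs_limit(spbm: bool, platform_max: int = PLATFORM_MAX_ADDRS) -> int:
    """Largest legal max-addrs: the page states SPBM halves the platform maximum."""
    return platform_max // 2 if spbm else platform_max


def limit_learning_commands(spec: str, max_addrs: int, spbm: bool = False) -> List[str]:
    """Emit the CLI lines from the page's example for every port in spec."""
    limit = max_addrs_limit(spbm)
    if not 1 <= max_addrs <= limit:
        raise ValueError(f"max-addrs {max_addrs} outside 1..{limit}")
    lines = ["enable", "configure terminal"]
    for slot, port, sub in expand_ports(spec):
        name = f"{slot}/{port}" + (f"/{sub}" if sub is not None else "")
        lines.append(f"interface GigabitEthernet {name}")
        lines.append("mac-security limit-learning enable")
        lines.append(f"mac-security limit-learning max-addrs {max_addrs}")
    return lines
```

Rejecting a value above the SPBM-halved limit before it reaches the switch avoids a silently clamped or refused configuration.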

Variable Definitions

Use the data in the following table to use the mac-security limit-learning command.

enable

    Limits the MAC learning for the port. After the number of addresses reaches the maximum, the port disables packet forwarding and drops packets.

    If you enable limit-learning, the number of FDB entries for each port is limited to the value you specify in max-addrs.

max-addrs <max-addrs>

    Specifies the maximum number of MAC addresses to learn. After the number of addresses reaches the maximum, the port disables packet forwarding and drops packets. The default is 1024. Depending on the hardware platform, the parameter range can vary. Use the CLI Help to see the available range for the switch.

port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

    Use this parameter to apply the change to multiple ports without changing CLI modes.