Configuring MAC Locking

The following content describes the MAC locking commands:

Enabling and Disabling MAC Locking Globally

To enable or disable the MAC locking feature, use the following commands:

  • enable mac-locking
  • disable mac-locking

Enabling and Disabling MAC Locking on Ports

To enable MAC locking on specific ports, use the following command:

  • enable mac-locking ports [all | port_list]

To disable MAC locking on specific ports, use the following command:

  • disable mac-locking ports [all | port_list]

Configuring First-arrival/Dynamic MAC Locking Limit

To configure first arrival MAC locking on a port, use the following command:

  • configure mac-locking ports port_list first-arrival limit-learning learn_limit

When the configured limit is reached, no further entries are learned. However, if the learned entries are aged out, new MAC addresses can be learned.

By default, aging is disabled for first-arrival MAC locking entries on a configured port. When the FDB (forwarding database) entries age out, they are removed from the FDB but retained in the MAC locking table. So once the first-arrival limit is reached, only the entries already in the MAC locking table can be learned again if those devices start sending traffic. New MAC addresses cannot be learned.

The maximum number of dynamic MAC addresses that can be locked on a port is 600.

Note

There is no command to unconfigure the first-arrival or static MAC locking limit. The value can be reset by specifying the default learn limit given in the help text. When the first-arrival MAC locking limit is configured to a value lower than the number of MACs that are already locked, all the MAC locking bindings on the port are cleared.

Configuring Static MAC Locking Limit

To configure static MAC locking on a port, use the following command:

  • configure mac-locking ports port_list static limit-learning learn_limit

When the configured limit is reached, no further entries are learned (they are either black-holed or not learned further, depending on the configured action). However, if the learned entries are cleared or deleted, new MAC addresses can be created and learned. The maximum number of MAC addresses that will be locked on a port configured for static MAC locking is 64. Aging is not applicable to static MAC locking entries.

Note

There is no command to unconfigure the first-arrival or static MAC locking limit. The value can be reset by specifying the default learn limit given in the help text. The CLI does not allow changing the static MAC locking limit to a value lower than the number of MACs locked in the MAC lock station table. Some or all of the created MAC locking stations should be removed to change the limit to a lower value.

Note

Assume that port 2:22 is enabled for MAC locking and the maximum static entry limit is configured to 5 on port 2:22. If the user wants to configure the maximum static entry limit to 3:

  1. If the maximum number of static stations is already locked on the port, the device displays an error and the value cannot be reduced (Scenario A).
  2. If, in the same example, port 2:22 has only 1 static station locked, the device allows the limit to be reduced to 3 (Scenario B).
Scenario A:

* Slot-1 DUT1.94 # show mac-locking ports 2:22

MAC locking is globally enabled.
Port   MAC  Trap      Log       FA    Limit     Link    Max Max   Last Violating
       Lock Thr|Viol  Thr|Viol  Aging Action    Down    Stc FA    MAC Address
       Stat                           Cfg|Stat  Action
-----  ---- --------  --------  ----- --------  ------  --- ---   -----------------
2:22   ena  off|on    off|on    dis   ena|ena   clear     5  45   00:11:11:11:11:04

Legend:
Stat              - Status                    Thr|Viol - Threshold | Violation
Max Stc           - Max Static Count          Max FA   - Max First-Arrival Count
dis               - Disabled                  ena       - Enabled
retain            - Retain MACs               clear     - Clear MACs
Limit Action Cfg  - If port should be disabled when learnt limit is exceeded
             dis   - Port to be disabled when learn limit is exceeded
             ena   - Port to remain enabled when learn limit is exceeded
Limit Action Stat - Port status on exceeding learn limit

* Slot-1 DUT1.95 #
* Slot-1 DUT1.95 # show mac-locking stations ports 2:22

Port   MAC Address         Status     State           Aging
-----  -----------------   --------   -------------   -----
2:22   00:11:11:11:11:00   active     static          false
2:22   00:11:11:11:11:01   active     static          false
2:22   00:11:11:11:11:02   active     static          false
2:22   00:11:11:11:11:03   active     static          false
2:22   00:11:11:11:11:04   active     static          false

* Slot-1 DUT1.96 # configure mac-locking ports 2:22 static limit-learning 3
Error: Static limit-learning value cannot be reduced to 3 for port 2:22 as 5 static stations are already created.

Configuration failed on backup Node, command execution aborted!
* Slot-1 DUT1.97 #

Scenario B:

* Slot-1 DUT1.109 # show mac-locking stations ports 2:22

Port   MAC Address         Status     State           Aging
-----  -----------------   --------   -------------   -----
2:22   00:11:11:11:11:00   active     static          false
2:22   00:11:11:11:11:01   active     first-arrival   false
2:22   00:11:11:11:11:02   active     first-arrival   false
2:22   00:11:11:11:11:03   active     first-arrival   false
2:22   00:11:11:11:11:04   active     first-arrival   false

* Slot-1 DUT1.109 # show mac-locking ports 2:22

MAC locking is globally enabled.
Port   MAC  Trap      Log       FA    Limit     Link    Max Max   Last Violating
       Lock Thr|Viol  Thr|Viol  Aging Action    Down    Stc FA    MAC Address
       Stat                           Cfg|Stat  Action
-----  ---- --------  --------  ----- --------  ------  --- ---   -----------------
2:22   ena  off|on    off|on    dis   ena|ena   clear     5  45   00:11:11:11:11:04

Legend:
Stat              - Status                    Thr|Viol - Threshold | Violation
Max Stc           - Max Static Count          Max FA   - Max First-Arrival Count
dis               - Disabled                  ena       - Enabled
retain            - Retain MACs               clear     - Clear MACs
Limit Action Cfg  - If port should be disabled when learnt limit is exceeded
             dis   - Port to be disabled when learn limit is exceeded
             ena   - Port to remain enabled when learn limit is exceeded
Limit Action Stat - Port status on exceeding learn limit

* Slot-1 DUT1.110 # configure mac-locking ports 2:22 static limit-learning 3
* Slot-1 DUT1.111 # show mac-locking ports 2:22

MAC locking is globally enabled.
Port   MAC  Trap      Log       FA    Limit     Link    Max Max   Last Violating
       Lock Thr|Viol  Thr|Viol  Aging Action    Down    Stc FA    MAC Address
       Stat                           Cfg|Stat  Action
-----  ---- --------  --------  ----- --------  ------  --- ---   -----------------
2:22   ena  off|on    off|on    dis   ena|ena   clear     3  45   00:11:11:11:11:04

Legend:
Stat              - Status                    Thr|Viol - Threshold | Violation
Max Stc           - Max Static Count          Max FA   - Max First-Arrival Count
dis               - Disabled                  ena       - Enabled
retain            - Retain MACs               clear     - Clear MACs
Limit Action Cfg  - If port should be disabled when learned limit is exceeded
             dis   - Port to be disabled when learn limit is exceeded
             ena   - Port to remain enabled when learn limit is exceeded
Limit Action Stat - Port status on exceeding learn limit

Create/Enable/Disable static MAC Locking Entries

To create a static MAC locking entry (also known as MAC locking station) and enable or disable MAC locking for the specific MAC address and port, use the following command:

configure mac-locking ports port_list static [add | enable | disable] station station_mac_address

Note

A static MAC locking station is enabled by default.

To disable the static MAC locking station, use the following command:

configure mac-locking ports port_list static disable station station_mac_address

When created and enabled, a static MAC lock configuration allows only the end station designated by the MAC address to participate in forwarding of traffic.

Disabled entries are also counted when calculating the total number of locked stations. Static MAC locking stations that are disabled are shown only by the show mac-locking stations static command. When the static keyword is not given in show mac-locking stations, the disabled entries are not shown.

Enable/Disable Aging of First-arrival MAC Addresses

To enable or disable first-arrival MAC address aging, use the following command:

configure mac-locking ports port_list first-arrival aging [enable | disable]

Dynamic MAC locking mode MAC address aging is disabled by default.

This is applicable only to MAC addresses locked by first-arrival locking and not to MAC addresses locked by static locking.

When first-arrival aging is disabled, MAC locking stations are retained even when the corresponding FDB entry ages out.

When first-arrival aging is enabled, a MAC locking station starts aging when all the FDB entries corresponding to the station MAC are removed. MAC lock stations do not start aging while FDB entries are present.

When first-arrival aging is enabled and an FDB entry ages out, the entry is no longer locked, so new MAC addresses can be learned until the configured first-arrival limit is reached.

Note

First-arrival aging: the age-out time for a first-arrival MAC locking station is the same as the FDB aging time, which is configured using configure fdb agingtime.
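
The effect of the aging setting on which devices can get onto a locked port, as a simplified model. This is an added example, not the switch's implementation: the class and function names are hypothetical, the MAC addresses are constructed, and a station's age-out timer is assumed to have expired as soon as its FDB entry is removed.

```python
class FirstArrivalPort:
    """Simplified model of first-arrival MAC locking on one port."""

    def __init__(self, limit, aging=False):
        self.limit = limit
        self.aging = aging      # first-arrival aging [enable | disable]
        self.locked = set()     # MAC locking table (stations)
        self.fdb = set()        # FDB entries learned on this port

    def frame_from(self, mac):
        """Return True if the source MAC is learned, False if it is refused."""
        if mac in self.locked:
            self.fdb.add(mac)   # a locked station can always be relearned
            return True
        if len(self.locked) >= self.limit:
            return False        # limit reached: no new station is locked
        self.locked.add(mac)
        self.fdb.add(mac)
        return True

    def fdb_age_out(self, mac):
        """The FDB entry for `mac` ages out."""
        self.fdb.discard(mac)
        if self.aging:
            # Assumption: the station's own aging timer has also expired.
            self.locked.discard(mac)


def replay(aging):
    """Replay one constructed traffic sequence and return each learn result."""
    a, b, c = "00:11:11:11:11:00", "00:11:11:11:11:01", "00:11:11:11:11:02"
    port = FirstArrivalPort(limit=2, aging=aging)
    results = [port.frame_from(m) for m in (a, b, c)]  # c exceeds the limit
    port.fdb_age_out(a)                    # first device goes quiet
    results.append(port.frame_from(c))     # new device tries again
    results.append(port.frame_from(a))     # original device returns
    return results


if __name__ == "__main__":
    print("aging disabled:", replay(False))
    print("aging enabled: ", replay(True))
```

With aging disabled the port stays pinned to the first two devices; with aging enabled the slot freed by the quiet device goes to whichever MAC arrives next, and the original device is then refused.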

Move First-arrival MACs to Static Entries

To move all current first-arrival MACs to static entries on a port, use the following command:

configure mac-locking ports port_list first-arrival move-to-static

This command converts dynamic MAC locked stations to static MAC locked stations. There is no change to FDB entries.

The static MAC locked station entries are saved in configuration and so are preserved across reboots.
Note

Ensure the static limit can accommodate the entries before moving them from first-arrival to static. Otherwise, the device may throw the following error: Error: Some dynamic stations could not be converted to static stations for port <port_list>.
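
The two limit checks from the notes on this page (lowering the static limit, and confirming the static limit can hold the entries before move-to-static) can be run against captured show mac-locking stations output before changing the switch. This is an added example, not vendor code: the function names are hypothetical, the sample rows are constructed from the station tables on this page, and the move-to-static rule (existing static plus first-arrival stations must not exceed the static limit) is an assumption about how the limit is applied.

```python
import re

# Constructed input modelled on the two station tables shown on this page.
HEADER = ("Port   MAC Address         Status     State           Aging\n"
          "-----  -----------------   --------   -------------   -----\n")

def sample(states):
    """Build rows for port 2:22, one station per entry in `states`."""
    return HEADER + "".join(
        f"2:22   00:11:11:11:11:{i:02x}   active     {state:<15} false\n"
        for i, state in enumerate(states))

SCENARIO_A = sample(["static"] * 5)
SCENARIO_B = sample(["static"] + ["first-arrival"] * 4)

ROW = re.compile(
    r"^\s*(?P<port>\d+(?::\d+)?)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<status>\S+)\s+(?P<state>static|first-arrival)\s+(?P<aging>\S+)\s*$")

def parse_stations(text):
    """Return one dict per station row; prompts, headers and rules are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def count_by_state(stations, port):
    """Count stations on `port` per state. Status is deliberately ignored,
    because disabled static stations still count toward the total."""
    counts = {"static": 0, "first-arrival": 0}
    for s in stations:
        if s["port"] == port:
            counts[s["state"]] += 1
    return counts

def can_set_static_limit(stations, port, new_limit):
    """The CLI refuses a static limit below the static stations already created."""
    return new_limit >= count_by_state(stations, port)["static"]

def can_move_to_static(stations, port, static_limit):
    """Assumed rule: static + first-arrival stations must fit in the static limit."""
    c = count_by_state(stations, port)
    return c["static"] + c["first-arrival"] <= static_limit

if __name__ == "__main__":
    for name, text in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        st = parse_stations(text)
        print(name, count_by_state(st, "2:22"),
              can_set_static_limit(st, "2:22", 3), can_move_to_static(st, "2:22", 5))
```

Include the output of show mac-locking stations static in the input, since disabled static stations count toward the limit but are listed only when the static keyword is given.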
Note

An FDB entry created from the CLI will not be removed when a static MAC lock station is created and disabled for the corresponding MAC address. It is necessary to delete the FDB entry from the CLI. MAC-Locking does not remove user created FDB entries.