MAC Address Lockdown
-
In contrast to limiting learning on virtual ports, you can
lockdown the existing dynamic FDB entries and prevent any
additional learning using the lock-learning
option from the following command:
configure ports port_list {tagged tag} vlan vlan_name | vlan_list [limit-learning number {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
This command causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to 0, so that no new entries can be learned. All new source MAC addresses are blackholed.
Note
Blackhole FDB entries added due to MAC security violations are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted. Locked entries do not get aged, but can be deleted like a regular permanent entry.
For ports that have lock-down in effect, the following traffic still flows to the port:
- Packets destined for the permanent MAC and other non-blackholed MAC addresses
- Broadcast traffic
- EDP traffic
- Traffic from the permanent MAC still flows from the virtual port.
-
To remove MAC address lockdown, use the unlock-learning option.
configure ports port_list {tagged tag} vlan vlan_name | vlan_list [limit-learning number {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
When you remove the lockdown using the unlock-learning option, the learning-limit is reset to unlimited, and all associated entries in the FDB are flushed.
-
Display the locked entries on the switch.
show fdb
Locked MAC address entries have the “l” flag.
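As an added example (not part of the ExtremeXOS documentation), the following Python script parses captured show fdb output, groups entries by port, and reports ports where locked ("l") entries coexist with blackholed MACs, which is what lock-learning produces when an unknown source address appears. The column layout of the sample and the "b" (blackhole) and "d" (dynamic) flag letters are assumptions; only the "l" flag is stated on this page.

```python
import re
from collections import defaultdict

# Constructed sample of "show fdb" output. The column layout and the flag
# letters other than "l" (locked) are assumptions, not taken from the page.
SAMPLE_SHOW_FDB = """\
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
00:04:96:1e:3e:4c    Default(0001) 0000 l m           1
00:04:96:1e:3e:4d    Default(0001) 0000 l m           1
00:04:96:aa:bb:cc    Default(0001) 0001 d m b         1
00:04:96:11:22:33    Default(0001) 0012 d m           2
"""

# One FDB row: MAC, VLAN, age, a space-separated flag column, then the port.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<vlan>\S+)\s+(?P<age>\d+)\s+"
    r"(?P<flags>[a-z ]+?)\s{2,}(?P<port>\S+)$",
    re.IGNORECASE,
)


def parse_fdb(text):
    """Return a list of dicts, one per FDB row; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append({"mac": m.group("mac").lower(), "vlan": m.group("vlan"),
                            "age": int(m.group("age")), "port": m.group("port"),
                            "flags": set(m.group("flags").split())})
    return entries


def audit_lockdown(entries):
    """Group MACs per port into locked, blackholed and ordinary dynamic entries."""
    report = defaultdict(lambda: {"locked": [], "blackholed": [], "dynamic": []})
    for e in entries:
        if "l" in e["flags"]:
            report[e["port"]]["locked"].append(e["mac"])
        elif "b" in e["flags"]:
            report[e["port"]]["blackholed"].append(e["mac"])
        elif "d" in e["flags"]:
            report[e["port"]]["dynamic"].append(e["mac"])
    return dict(report)


def violations(report):
    """Ports with lockdown in effect that also hold blackholed (unexpected) MACs."""
    return {p: r["blackholed"] for p, r in report.items() if r["locked"] and r["blackholed"]}


if __name__ == "__main__":
    for port, macs in violations(audit_lockdown(parse_fdb(SAMPLE_SHOW_FDB))).items():
        print(f"port {port}: blackholed MACs on locked port: {', '.join(macs)}")
```

Because blackhole entries are removed at each FDB aging period and re-added only if the source keeps transmitting, run the audit more often than the aging interval to avoid missing intermittent violations.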