MAC Security
The switch maintains a database of all media access control (MAC) addresses received on all of its ports.
The switch uses the information in this database to decide whether a frame should be forwarded or filtered. MAC security (formerly known as MAC address security) allows you to control the way the FDB is learned and populated. For more information, see FDB.
MAC security includes several types of control. You can:
- Limit the number of dynamically learned MAC addresses allowed per virtual port. For more information, see Limiting Dynamic MAC Addresses.
- “Lock” the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port. For information, see MAC Address Lockdown.
Note
You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.
- Set a timer on the learned addresses that limits the length of time the learned addresses will be maintained if the devices are disconnected or become inactive. For more information, see MAC Address Lockdown with Timeout.
Note
When limit-learning is configured on a port that is also a member of another VLAN on which learning is disabled, a few packets carrying a new MAC address beyond the learning limit will be flooded. This flooding lasts only a fraction of a second, until the new black-hole entry is created in hardware.
- Use ACLs to prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN. For more information about ACL policies, see Security.
- Enhance security, depending on your network configuration, by disabling Layer 2 flooding. For more information about enabling and disabling Layer 2 flooding, see Managing Egress Flooding.