MAC Address Lockdown with Timeout

The MAC address lockdown with timeout feature provides a timer for aging out MAC addresses on a per-port basis, and that timer overrides the FDB aging time. That is, when the feature is enabled on a port and the port goes down or is restarted, MAC addresses learned on that port age out according to the MAC lockdown timeout configured for that port, not according to the FDB aging time. By default, the MAC address lockdown timer is disabled.

Note

MAC address lockdown is not supported on NetLogin Dot1x non-policy mode.

When this feature is enabled on a port, MAC addresses learned on that port remain locked for the MAC lockdown timeout duration configured for the port, even when the port goes down. As a result, when a device is directly connected to the switch and then disconnected, the MAC address of that device stays locked to the port for the port's MAC lockdown timeout duration. If the same device reconnects to the port before the MAC lockdown timer expires and sends traffic, the stored MAC address becomes active again and the MAC lockdown timer is restarted. If the device does not reconnect within the MAC lockdown timeout duration, the MAC entry is removed.

MAC lockdown timeout entries are learned dynamically by the switch, which means they are not saved or restored across a switch reboot. After a reboot the local MAC entry table is empty, and the switch must relearn the MAC addresses.

MAC address lockdown with timeout is configured per port. The lockdown timer and the address learning limit are configured separately for each port.

Note

You cannot enable the lockdown timeout feature on a port that already has MAC address lockdown enabled. For more information about MAC address lockdown, see MAC Address Lockdown.
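The lifecycle described above (entry held after link down, reactivated and timer restarted on reconnect, removed at expiry, table emptied by a reboot) and the note that the timeout cannot be enabled on a port that already has MAC address lockdown enabled, as an added worked example. This is a small Python model written for this page, not ExtremeXOS code: the class and method names, the sample MAC addresses and the 300-second FDB aging value are assumptions, and the choice to start the lockdown countdown at the moment the link goes down is a modelling assumption rather than a statement of switch behaviour.

```python
# Added example: a Python model of the per-port MAC lockdown timer described
# in this section. Not ExtremeXOS code; names, values and the countdown start
# point are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Port:
    lockdown_timeout: Optional[int] = None  # seconds; None = timeout feature disabled
    lock_learning: bool = False             # plain MAC address lockdown (no timer) enabled
    link_up: bool = True


@dataclass
class FdbEntry:
    port: str
    timer_start: int     # time at which the relevant aging countdown last (re)started
    active: bool = True  # False = entry held locked while the device is absent


class Switch:
    def __init__(self, ports: Dict[str, Port], fdb_aging_time: int = 300) -> None:
        self.ports = ports
        self.fdb_aging_time = fdb_aging_time  # global FDB aging time (assumed value)
        self.fdb: Dict[str, FdbEntry] = {}    # dynamic table; never persisted

    def enable_lockdown_timeout(self, port_name: str, seconds: int) -> None:
        port = self.ports[port_name]
        if port.lock_learning:
            # Matches the note: timeout cannot be enabled where lockdown is already on.
            raise ValueError(f"{port_name}: MAC address lockdown already enabled")
        port.lockdown_timeout = seconds

    def learn(self, mac: str, port_name: str, now: int) -> None:
        """Called when a frame with source address `mac` arrives on `port_name`."""
        port = self.ports[port_name]
        if not port.link_up:
            raise ValueError(f"{port_name} is down")
        entry = self.fdb.get(mac)
        if entry is not None and entry.port == port_name:
            # Same device back on the same port before expiry: reactivate, restart timer.
            entry.active = True
            entry.timer_start = now
        else:
            self.fdb[mac] = FdbEntry(port=port_name, timer_start=now)

    def link_down(self, port_name: str, now: int) -> None:
        port = self.ports[port_name]
        port.link_up = False
        for mac, entry in list(self.fdb.items()):
            if entry.port != port_name:
                continue
            if port.lockdown_timeout is None:
                del self.fdb[mac]        # no timer on this port: entry flushed on link down
            else:
                entry.active = False     # held locked; countdown starts here (assumption)
                entry.timer_start = now

    def link_up(self, port_name: str) -> None:
        self.ports[port_name].link_up = True

    def age(self, now: int) -> None:
        """Expire entries. A port's lockdown timeout overrides the global FDB aging time."""
        for mac, entry in list(self.fdb.items()):
            port = self.ports[entry.port]
            limit = port.lockdown_timeout if port.lockdown_timeout is not None else self.fdb_aging_time
            if now - entry.timer_start >= limit:
                del self.fdb[mac]

    def reboot(self) -> None:
        self.fdb.clear()  # entries are learned dynamically and are not saved or restored

    def lookup(self, mac: str) -> Optional[Tuple[str, bool]]:
        entry = self.fdb.get(mac)
        return None if entry is None else (entry.port, entry.active)


def scenario():
    """Walk the lifecycle from the text; returns the observations made along the way."""
    sw = Switch({"1:1": Port(), "1:2": Port()}, fdb_aging_time=300)
    sw.enable_lockdown_timeout("1:1", seconds=60)          # timer only on port 1:1
    dev, other = "00:04:96:11:22:33", "00:04:96:aa:bb:cc"  # constructed sample MACs
    sw.learn(dev, "1:1", now=0)
    sw.learn(other, "1:2", now=0)
    sw.link_down("1:1", now=10)
    sw.link_down("1:2", now=10)
    after_down = (sw.lookup(dev), sw.lookup(other))  # held on 1:1, gone from 1:2
    sw.link_up("1:1")
    sw.age(now=50)                                   # 40 s < 60 s: still held
    sw.learn(dev, "1:1", now=50)                     # device reconnects and sends traffic
    reactivated = sw.lookup(dev)                     # active again, timer restarted
    sw.link_down("1:1", now=55)
    sw.age(now=100)                                  # 45 s since link down: still held
    held = sw.lookup(dev)
    sw.age(now=115)                                  # 60 s: lockdown timer expires
    expired = sw.lookup(dev)
    sw.link_up("1:1")
    sw.learn(dev, "1:1", now=120)
    sw.reboot()                                      # dynamic table is lost on reboot
    rebooted = sw.lookup(dev)
    return after_down, reactivated, held, expired, rebooted


def timeout_on_locked_port_rejected() -> bool:
    """The configuration conflict from the note: lockdown already on, timeout refused."""
    sw = Switch({"1:3": Port(lock_learning=True)})
    try:
        sw.enable_lockdown_timeout("1:3", seconds=60)
    except ValueError:
        return True
    return False
```

The point to take from the model is the ordering in `scenario()`: the entry on the port without a timer disappears as soon as its link drops, while the entry on the timed port survives link down, is refreshed only by traffic from the same device on the same port, and is removed once the per-port timeout (not the larger FDB aging time) has elapsed.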

MAC address learning limits and the lockdown timer work together in the following ways: