configure ports vlan

configure ports port_list [ {tagged tag} vlan vlan_name | {tagged} vlan vlan_list ] [limit-learning number {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]

Description

Configures virtual ports for limited or locked MAC address learning.

Syntax Description

port_list Specifies one or more ports or slots and ports.
tagged tag Specifies the port-specific VLAN tag. When there are multiple ports specified in the port_list, the same tag is used for all of them.
vlan_name Specifies the name of the VLAN.
vlan_list Specifies a VLAN list of IDs.
limit-learning number Specifies a limit on the number of MAC addresses that can be dynamically learned on the specified ports.
blackhole

Specifies that blackhole entries are created for MAC addresses that exceed the limit-learning limit. This is the default setting.

stop-learning Specifies that the learning be halted to protect the switch from exhausting FDB resources by not creating blackhole entries.
lock-learning Specifies that the current FDB entries for the specified ports should be made permanent static, and no additional learning should be allowed.
unlimited-learning Specifies that there should not be a limit on MAC addresses that can be learned.
unlock-learning Specifies that the port should be unlocked (allow unlimited, dynamic learning).

Default

Unlimited, unlocked learning.

Usage Guidelines

If you have enabled ESRP, see the appropriate volume of the Switch Engine 32.6.3 User Guide for information about using this feature with ESRP.

Limited learning

The limited learning feature allows you to limit the number of dynamically-learned MAC addresses per VLAN. When the learned limit is reached, all new source MAC addresses are blackholed at both the ingress and egress points. This prevent these MAC addresses from learning and responding to ICMP and address resolution protocol (ARP) packets.

If the limit you configure is greater than the current number of learned entries, all the current learned entries are purged.

Dynamically learned entries still get aged, and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again.

Permanent static and permanent dynamic entries can still be added and deleted using the create fdb and delete fdb commands. These override any dynamically learned entries.

For ports that have a learning limit in place, the following traffic still flows to the port:

Traffic from the permanent MAC and any other non-blackholed MACs will still flow from the virtual port.

If you configure a MAC address limit on VLANS that participate in an Extreme Standby Router Protocol (ESRP) domain, you should add an additional back-to-back link (that has no MAC address limit on these ports) between the ESRP-enabled switches. Doing so prevents ESRP protocol data units (PDUs) from being dropped due to MAC address limit settings.

Stop learning

When stop-learning is enabled with learning-limit configured, the switch is protected from exhausting FDB resources by not creating blackhole entries. Any additional learning and forwarding is prevented, but packet forwarding from FDB entries is not impacted.

Port lockdown

The port lockdown feature allows you to prevent any additional learning on the virtual port, keeping existing learned entries intact. This is equivalent to making the dynamically-learned entries permanent static, and setting the learning limit to zero. All new source MAC addresses are blackholed.

Locked entries do not get aged, but can be deleted like any other permanent FDB entries. The maximum number of permanent lockdown entries is 1024. Any FDB entries above will be flushed and blackholed during lockdown.

For ports that have lockdown in effect, the following traffic still flows to the port:

Traffic from the permanent MAC will still flow from the virtual port.

Once the port is locked down, all the entries become permanent and will be saved across reboot.

When you remove the lockdown using the unlock-learning option, the learning-limit is reset to unlimited, and all associated entries in the FDB are flushed.

To display the locked entries on the switch, use the following command:

show fdb

Locked MAC address entries have the “l” flag.

To verify the MAC security configuration for the specified VLAN or ports, use the following commands:

show vlan vlan name security show ports port_list info detail

Example

The following example limits the number of MAC addresses that can be learned on ports 1, 2, 3, and 6 in a VLAN named accounting, to 128 addresses:

configure ports 1, 2, 3, 6 vlan accounting learning-limit 128

The following example locks ports 4 and 5 of VLAN accounting, converting any FDB entries to static entries, and prevents any additional address learning on these ports:

configure ports 4,5 vlan accounting lock-learning

The following example removes the learning limit from the specified ports:

configure ports 1, 2, vlan accounting unlimited-learning

The following example unlocks the FDB entries for the specified ports:

configure ports 4,5 vlan accounting unlock-learning

The following example illustrates use of the tagged keyword:

configure ports 1 tag 10 vlan accounting learning-limit 128
configure ports 1 vlan accounting learning-limit 128
configure ports 4 tag 10 vlan accounting lock-learning
configure ports 4 vlan accounting lock-learning

History

This command was first available in ExtremeXOS 11.1.

The vlan_list option was added in ExtremeXOS 16.1.

Platform Availability

This command is available on all ExtremeSwitching Universal switches.