
Dell Force10 S4810P - Mac Learning-Limit Dynamic

MAC Address Learning Limit is a method of port security on Layer 2 port-channel and physical interfaces,
and VLANs. It enables you to set an upper limit on the number of MAC addresses that are learned on an
interface/VLAN. After the limit is reached, the system drops all traffic from a device with an unlearned
MAC address.
To set a MAC learning limit on an interface:
Three options are available with the mac learning-limit command: dynamic, no-station-move, and
station-move.
mac learning-limit dynamic
The MAC address table is stored on the Layer 2 FIB region of the CAM (and the Layer 2 ACL region on
the E-Series). On the C-Series and S-Series the Layer 2 FIB region allocates space for static MAC address
entries and dynamic MAC address entries (all MAC address entries on the E-Series are dynamic). When
MAC Learning Limit is enabled, entries created on this port are static by default. When you configure the
dynamic option, learned MAC addresses are stored in the dynamic region and are subject to aging. Entries
created before this option is set are not affected.
FTOS Behavior: When configuring MAC Learning Limit on a port or VLAN, the configuration is accepted (becomes
part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space
exists. If the CAM check fails, a message is displayed:
%E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list Mac-Limit on GigabitEthernet 5/84
In this case, the configuration is still present in the running-config and show output. Remove the configuration before
re-applying a MAC learning limit with a lower value. Also, ensure that Syslog messages can be viewed on your session.
Note: The CAM-check failure message beginning in FTOS version 8.3.1.0 is different from versions 8.2.1.1 and
earlier, which read:
% Error: ACL returned error
% Error: Remove existing limit configuration if it was configured before
Task: Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
Command Syntax: mac learning-limit address_limit
Command Mode: INTERFACE
Note: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available
for MAC Learning Limit, including limit violations.
FTOS Behavior: If you do not configure the dynamic option, the C-Series and S-Series do not detect station
moves in which a MAC address learned off of a MAC-limited port is learned on another port on the same line card.
Therefore, FTOS does not take any configured station-move violation action. When a MAC address is relearned on
any other line card (any line card except the one to which the original MAC-limited port belongs), the station-move
is detected, and the system takes the configured violation action.
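
The CAM-check behavior and the dynamic option described above mean a limit can appear in running-config without being applied, or can create static entries that never age. The following audit is an added example, not part of the Dell manual or FTOS; the running-config stanza layout, the sample addresses limits, and the function and issue names are assumptions made for illustration.

```python
import re

# Failure text as quoted on this page (FTOS 8.3.1.0 and later); \s+ tolerates a wrapped line.
CAM_FAIL = re.compile(
    r"%ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list "
    r"Mac-Limit on\s+(?P<ifname>\S+\s+[\d/]+)"
)
IFACE_HDR = re.compile(r"^interface (?P<ifname>.+?)\s*$")
LIMIT_CMD = re.compile(r"^\s*mac learning-limit (?P<limit>\d+)(?P<opts>.*)$")

# Constructed running-config excerpt (stanza layout is an assumption).
SAMPLE_CONFIG = """\
interface GigabitEthernet 5/83
 mac learning-limit 2 dynamic
!
interface GigabitEthernet 5/84
 mac learning-limit 10
!
"""
# The syslog message quoted on this page, wrapped as it appears there.
SAMPLE_SYSLOG = """\
%E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list Mac-Limit on
GigabitEthernet 5/84
"""

def configured_limits(running_config):
    """Map interface name -> (limit, set of options) from running-config text."""
    limits, current = {}, None
    for line in running_config.splitlines():
        if not line.startswith(" "):  # stanza boundary: new interface or other top-level line
            hdr = IFACE_HDR.match(line)
            current = hdr.group("ifname") if hdr else None
            continue
        cmd = LIMIT_CMD.match(line)
        if cmd and current:
            limits[current] = (int(cmd.group("limit")), set(cmd.group("opts").split()))
    return limits

def audit(running_config, syslog_text):
    """List (interface, issue) pairs for limits that are configured but weaker than they look."""
    failed = {" ".join(m.group("ifname").split()) for m in CAM_FAIL.finditer(syslog_text)}
    findings = []
    for ifname, (_limit, opts) in sorted(configured_limits(running_config).items()):
        if ifname in failed:
            findings.append((ifname, "cam-check-failed"))  # in config, but not applied
        if "dynamic" not in opts:
            findings.append((ifname, "static-no-aging"))  # entries are static and do not age
    return findings
```

Because no SNMP trap exists for limit violations or CAM-check failures, a check like this has to run against collected syslog and configuration backups.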
