Extreme Networks ExtremeWare XOS Guide User Manual

698 pages
Security
ExtremeWare XOS 11.3 Concepts Guide
NOTE
Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches (formerly
known as Aspen) and the Summit X450 switch are removed after each FDB aging period regardless of whether the
MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole
entries will be re-added after they have been deleted.
Configuring Limit Learning
To limit the number of dynamic MAC addresses that can participate in the network, use the
limit-learning option in the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
This command specifies the number of dynamically-learned MAC entries allowed for these ports in this
VLAN. The range is 0 to 500,000 addresses.
When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and
egress points. This prevents these MAC addresses from learning and responding to ICMP and ARP
packets.
Dynamically learned entries still get aged and can be cleared. If entries are cleared or aged out after the
learning limit has been reached, new entries will then be able to be learned until the limit is reached
again.
Permanent static and permanent dynamic entries can still be added and deleted using the
create fdbentry and disable flooding port commands. These override any dynamically learned entries.
For ports that have a learning limit in place, the following traffic still flows to the port:
● Packets destined for permanent MAC addresses and other non-blackholed MAC addresses
● Broadcast traffic
● EDP traffic
Traffic from the permanent MAC and any other non-blackholed MAC addresses still flows from the
virtual port.
To remove the learning limit, use the unlimited-learning option from the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
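The limit, blackhole, and aging rules described above can be traced with a small model. This is an added example, not code from the manual or from Extreme Networks; the VirtualPort class, the 300-second aging time, the timestamp-based aging, and the MAC addresses are assumptions made for illustration, and the blackhole aging follows the NOTE for the BlackDiamond 8800 and Summit X450.

```python
# Simplified model (added example) of limit-learning on one port/VLAN pair.
# Assumptions: timestamp-based aging, a 300 s aging time, and the blackhole
# aging behaviour from the NOTE (BlackDiamond 8800 / Summit X450).

class VirtualPort:
    def __init__(self, limit, age_seconds=300):
        self.limit = limit              # value given to limit-learning <number>
        self.age_seconds = age_seconds  # assumed FDB aging time
        self.dynamic = {}               # MAC -> time last seen
        self.blackhole = {}             # MAC -> time blackhole entry was added
        self.permanent = set()          # permanent entries, not counted in limit

    def add_permanent(self, mac):
        # Permanent entries override any dynamically learned entry.
        self.permanent.add(mac)
        self.dynamic.pop(mac, None)
        self.blackhole.pop(mac, None)

    def _age(self, now):
        keep = lambda t: now - t < self.age_seconds
        # Idle dynamic entries age out and free a slot under the limit.
        self.dynamic = {m: t for m, t in self.dynamic.items() if keep(t)}
        # Blackhole entries are dropped one aging period after creation,
        # whether or not the MAC is still sending.
        self.blackhole = {m: t for m, t in self.blackhole.items() if keep(t)}

    def ingress(self, src_mac, now):
        """Return 'forward' or 'blackhole' for a frame from src_mac at time now."""
        self._age(now)
        if src_mac in self.permanent:
            return "forward"
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = now     # traffic refreshes the entry
            return "forward"
        if src_mac in self.blackhole:
            return "blackhole"              # timestamp is not refreshed
        if len(self.dynamic) < self.limit:
            self.dynamic[src_mac] = now     # room under the limit: learn it
            return "forward"
        self.blackhole[src_mac] = now       # limit reached: blackhole new MAC
        return "blackhole"

def demo():
    # Constructed frame sequence: (time in seconds, source MAC).
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    port = VirtualPort(limit=2)
    frames = [(0, A), (1, B), (2, C), (200, A), (310, C), (311, B)]
    return [port.ingress(mac, t) for t, mac in frames]

if __name__ == "__main__":
    print(demo())
```

In the constructed sequence, the third MAC is blackholed while the limit of 2 is full, is learned once an idle entry ages out, and the aged-out MAC is then blackholed in turn when it returns.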
Displaying Limit Learning Information
To verify the configuration, use the following commands:
show vlan <vlan name> security
This command displays the MAC security information for the specified VLAN.
show ports {mgmt | <portlist>} info {detail}
