Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual
Chapter 17. Security | 437 | NETGEAR 8800 User Manual
• Limit the number of dynamically-learned MAC addresses allowed per virtual port. For more information, see
• “Lock” the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port. For information, see
Note:
You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.
• Set a timer on the learned addresses that limits the length of time the learned addresses will be maintained if the devices are disconnected or become inactive. For more information, see
• Use ACLs to prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN. For more information about ACL policies, see
• Enhance security, depending on your network configuration, by disabling Layer 2 flooding. For more information about enabling and disabling Layer 2 flooding, see the section
Limiting Dynamic MAC Addresses
You can set a predefined limit on the number of dynamic MAC addresses that can participate in the network. After the FDB reaches the MAC limit, all new source MAC addresses are blackholed at both the ingress and egress points. These dynamic blackhole entries prevent the MAC addresses from learning and responding to Internet Control Message Protocol (ICMP) and Address Resolution Protocol (ARP) packets.
Note:
Blackhole FDB entries added due to MAC security violations on NETGEAR 8800 switches are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.
Configuring Limit Learning
To limit the number of dynamic MAC addresses that can participate in the network, use the limit-learning option in the following command:
configure ports <portlist> vlan <vlan_name> [limit-learning <number> {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
This command specifies the number of dynamically-learned MAC entries allowed for these ports in this VLAN. The range is 0 to 500,000 addresses.
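The following Python model is an added illustration, not NETGEAR code: it reproduces the per-port/VLAN limit-learning behavior described above (blackholing new source MACs once the limit is reached, removing blackhole entries after each FDB aging period and re-adding them if the MAC keeps sending, and rejecting a combination of limit-learning and lock-learning). The aging period in seconds, the class and method names, and the "not-learned" result for an unknown MAC on a locked port are assumptions for the model; the manual only states that no additional addresses are learned on a locked port.

```python
"""Model of NETGEAR 8800 limit-learning for one <port, vlan> pair (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PortVlanFdb:
    aging_period: float                   # FDB aging period in seconds (assumed value)
    limit: Optional[int] = None           # limit-learning <number>; None = unlimited-learning
    locked: bool = False                  # lock-learning
    learned: Set[str] = field(default_factory=set)
    blackholed: Dict[str, float] = field(default_factory=dict)  # mac -> time added

    def configure(self, limit: Optional[int] = None, lock: bool = False) -> None:
        """Apply limit-learning or lock-learning; the manual allows one, not both."""
        if limit is not None and lock:
            raise ValueError("limit-learning and lock-learning are mutually exclusive")
        if limit is not None and not 0 <= limit <= 500_000:
            raise ValueError("limit-learning range is 0 to 500,000 addresses")
        self.limit, self.locked = limit, lock

    def ingress(self, mac: str, now: float) -> str:
        """Process a frame with source MAC `mac` seen at time `now` (seconds)."""
        # Blackhole entries are removed after each aging period regardless of
        # whether the MAC is still sending; they are re-added on its next frame.
        for m, added in list(self.blackholed.items()):
            if now - added >= self.aging_period:
                del self.blackholed[m]
        if mac in self.learned:
            return "forwarded"
        if mac in self.blackholed:
            return "blackholed"
        if self.locked:
            # Locked port: current entries stay, nothing new is learned (assumed label).
            return "not-learned"
        if self.limit is not None and len(self.learned) >= self.limit:
            # Limit reached: the new source MAC is blackholed at ingress and egress.
            self.blackholed[mac] = now
            return "blackholed"
        self.learned.add(mac)
        return "learned"
```

Running the model with a limit of 2 and an aging period of 300 s shows a third MAC being blackholed, its entry disappearing after the aging period, and the entry returning as soon as that MAC sends again.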