Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual

Chapter 17.  Security  
NETGEAR 8800 User Manual 
configure ports <portlist> vlan <vlan_name> [limit-learning <number> {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
When you remove the lockdown using the unlock-learning option, the learning-limit is reset to 
unlimited, and all associated entries in the FDB are flushed.
To display the locked entries on the switch, use the following command:
show fdb
Locked MAC address entries have the “l” flag.
MAC Address Lockdown with Timeout
The MAC address lockdown with timeout feature provides a timer for aging out MAC 
addresses on a per port basis and overrides the FDB aging time. That is, when this feature is 
enabled on a port, MAC addresses learned on that port age out based on the MAC lockdown 
timeout corresponding to the port, not based on the FDB aging time. By default, the MAC 
address lockdown timer is disabled.
When this feature is enabled on a port, MAC addresses learned on that port remain locked 
for the MAC lockdown timeout duration corresponding to the port, even when the port goes 
down. As a result, when a device is directly connected to the switch and then disconnected, 
the MAC address corresponding to the device will be locked up for the MAC lockdown 
timeout duration corresponding to that port. If the same device reconnects to the port before 
the MAC lockdown timer expires and sends traffic, the stored MAC address becomes active 
and the MAC lockdown timer is restarted. If the device is not reconnected for the MAC 
lockdown timeout duration, the MAC entry is removed. 
MAC lockdown timeout entries are dynamically learned by the switch, which means these 
entries are not saved or restored during a switch reboot. If the switch reboots, the local MAC 
entry table is empty, and the switch needs to relearn the MAC addresses.
MAC address lockdown with timeout is configured per port. The lockdown timer and the 
address learning limit are configured separately for each port.
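The timer behaviour described above (a per-port timeout that overrides the FDB aging time, entries that survive link-down, a timer restarted when the same device returns, removal when it expires, an empty table after reboot) interacts with the limit-learning and blackhole options of the configure command shown earlier. The following Python model is an added example written to make that interaction concrete; it is not NETGEAR code and does not run on the switch. It assumes a global FDB aging time of 300 seconds, slot:port names such as 1:1, a single VLAN, and that a port without the lockdown timer flushes its dynamic entries when the link goes down (an assumption, not stated on this page). Timestamps are passed in explicitly so the model runs deterministically offline.

```python
"""Toy model of per-port MAC learning limits and the MAC lockdown timeout.

Added example only: this models the behaviour the manual describes and is
not NETGEAR code.  Times are injected as plain floats (seconds).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FDB_AGING_TIME = 300.0  # assumed global FDB aging time in seconds


@dataclass
class FdbEntry:
    mac: str
    port: str
    last_seen: float
    locked: bool = False       # shown as the "l" flag in 'show fdb'
    blackholed: bool = False   # learned past the limit with action blackhole


@dataclass
class PortConfig:
    learning_limit: Optional[int] = None      # None == unlimited-learning
    limit_action: str = "blackhole"           # or "stop-learning"
    lock_learning: bool = False               # static lockdown (lock-learning)
    lockdown_timeout: Optional[float] = None  # None == timer disabled (default)


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, PortConfig] = {}
        self.fdb: Dict[str, FdbEntry] = {}  # keyed by MAC; one VLAN assumed

    def configure_port(self, port: str, **changes) -> PortConfig:
        cfg = self.ports.setdefault(port, PortConfig())
        # The manual forbids enabling the timeout on a port that already has
        # MAC address lockdown enabled.
        if changes.get("lockdown_timeout") is not None and cfg.lock_learning:
            raise ValueError("lockdown timeout cannot be enabled on a port "
                             "that already has MAC address lockdown")
        for key, value in changes.items():
            setattr(cfg, key, value)
        return cfg

    def unlock_learning(self, port: str) -> None:
        """unlock-learning: limit back to unlimited, port's FDB entries flushed."""
        cfg = self.ports.setdefault(port, PortConfig())
        cfg.lock_learning = False
        cfg.learning_limit = None
        self.fdb = {m: e for m, e in self.fdb.items() if e.port != port}

    def _learned_on(self, port: str) -> List[FdbEntry]:
        # Entries whose timer is still running keep counting toward the limit.
        return [e for e in self.fdb.values() if e.port == port and not e.blackholed]

    def receive(self, mac: str, port: str, now: float) -> str:
        """Source MAC `mac` seen on `port`; returns what the switch did."""
        cfg = self.ports.setdefault(port, PortConfig())
        entry = self.fdb.get(mac)
        if entry is not None and entry.port == port:
            if entry.blackholed:
                return "dropped"
            entry.last_seen = now  # a returning device restarts its timer
            return "active"
        if cfg.lock_learning:
            return "not-learned"  # assumption: a locked port learns no new MACs
        limit = cfg.learning_limit
        if limit is not None and len(self._learned_on(port)) >= limit:
            if cfg.limit_action == "blackhole":
                self.fdb[mac] = FdbEntry(mac, port, now, blackholed=True)
                return "blackholed"
            return "not-learned"
        self.fdb[mac] = FdbEntry(mac, port, now,
                                 locked=cfg.lockdown_timeout is not None)
        return "learned"

    def port_down(self, port: str) -> None:
        cfg = self.ports.setdefault(port, PortConfig())
        if cfg.lockdown_timeout is not None:
            return  # entries stay locked for the timeout even though the link dropped
        # Assumption: without the timer, dynamic entries on a downed port are flushed.
        self.fdb = {m: e for m, e in self.fdb.items() if e.port != port}

    def age(self, now: float) -> None:
        """Expire entries; a port's lockdown timeout overrides FDB aging."""
        for mac, e in list(self.fdb.items()):
            cfg = self.ports.get(e.port, PortConfig())
            ttl = cfg.lockdown_timeout if cfg.lockdown_timeout is not None else FDB_AGING_TIME
            if now - e.last_seen >= ttl:
                del self.fdb[mac]

    def reboot(self) -> None:
        self.fdb.clear()  # timeout entries are dynamic and not saved across reboot

    def show_fdb(self) -> List[Tuple[str, str, str]]:
        return [(e.mac, e.port, "l" if e.locked else "-") for e in self.fdb.values()]


def demo() -> Tuple[str, str, str, bool, bool]:
    """Constructed scenario: one device, a 60 s timer, a learning limit of 1."""
    sw = Switch()
    sw.configure_port("1:1", learning_limit=1, limit_action="blackhole", lockdown_timeout=60.0)
    r1 = sw.receive("00:00:00:00:00:01", "1:1", now=0.0)    # learned, "l" flag set
    sw.port_down("1:1")                                      # unplugged; entry remains
    r2 = sw.receive("00:00:00:00:00:02", "1:1", now=30.0)   # limit still reached -> blackholed
    r3 = sw.receive("00:00:00:00:00:01", "1:1", now=45.0)   # original device back, timer restarted
    sw.age(now=100.0)                                        # 55 s since last seen: kept
    still_present = "00:00:00:00:00:01" in sw.fdb
    sw.age(now=105.0)                                        # 60 s: removed by the port timer
    removed = "00:00:00:00:00:01" not in sw.fdb
    return r1, r2, r3, still_present, removed


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the second one a defender cares about: while the timer for a disconnected device is still running, its entry counts against the port's learning limit, so a replacement device on that port is blackholed rather than learned, and only the original MAC reactivates the entry.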
Note: You cannot enable the lockdown timeout feature on a port that already has MAC address lockdown enabled. For more information about MAC address lockdown, see 
MAC address learning limits and the lockdown timer work together in the following ways:
• When the learning limit has been reached on a port, a new device attempting to connect to the port has its MAC address blackholed.
• As long as the timer is still running for a MAC entry, a new device cannot connect in place of the device that entry represents. That is, if a device has disconnected from a port, a