Owner's Manual
438 | Chapter 17. Security
NETGEAR 8800 User Manual
When the learned limit is reached, all new source MAC addresses are blackholed at the
ingress and egress points. This prevents those MAC addresses from being learned and from
responding to ICMP and ARP packets.
Dynamically learned entries still get aged and can be cleared. If entries are cleared or aged
out after the learning limit has been reached, new entries will then be able to be learned until
the limit is reached again.
Permanent static and permanent dynamic entries can still be added and deleted using the
create fdbentry and disable flooding ports commands. These override any dynamically
learned entries.
For ports that have a learning limit in place, the following traffic still flows to the port:
• Packets destined for permanent MAC addresses and other non-blackholed MAC addresses
• Broadcast traffic
Traffic from the permanent MAC and any other non-blackholed MAC addresses still flows
from the virtual port.
To remove the learning limit, use the unlimited-learning option in the following command:
configure ports <portlist> vlan <vlan_name> [limit-learning <number> {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
The MAC limit-learning feature includes a stop-learning argument that protects the switch
from exhausting FDB resources with blackhole entries. When limit-learning is configured
with stop-learning, the switch is protected from exhausting FDB resources by not creating
blackhole entries. Any additional learning and forwarding is prevented, but packet forwarding
is not impacted for existing FDB entries.
Displaying Limit Learning Information
To verify the configuration, use the following commands:
show vlan <vlan name> security
This command displays the MAC security information for the specified VLAN.
show ports {mgmt | <portlist>} info {detail}
This command displays detailed information, including MAC security information, for the
specified port.
Example of Limit Learning
In Figure 27, three devices are connected through a hub to a single port on the NETGEAR
device. If a learning limit of 3 is set for that port, and you connect a fourth device to the same
port, the switch does not learn the MAC address of the new device; rather, the switch
blackholes the address.
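The following Python model is an added illustration of the behaviour described in this section (the Figure 27 scenario, the blackhole and stop-learning actions, aging, and permanent entries overriding dynamic ones); it is not NETGEAR code and runs no switch CLI. Port names, MAC addresses, the 300-second aging time and the assumption that limit-learning blackhole entries age like other dynamic entries are all constructed for the example.

```python
"""Model of a per-port MAC learning limit (constructed example; not NETGEAR code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    BLACKHOLE = "blackhole"          # default: new sources get a blackhole FDB entry
    STOP_LEARNING = "stop-learning"  # no entry at all, so no FDB resource is consumed


@dataclass
class FdbEntry:
    mac: str
    port: str
    permanent: bool = False   # created with "create fdbentry"; never aged
    blackhole: bool = False   # frames to/from this MAC are dropped
    age: int = 0              # seconds since last seen (dynamic entries only)


@dataclass
class LearningPolicy:
    limit: Optional[int] = None          # None models unlimited-learning
    action: Action = Action.BLACKHOLE


class Fdb:
    """A single-VLAN forwarding database with per-port learning limits."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, aging_time: int = 300) -> None:   # aging time is an assumption
        self.aging_time = aging_time
        self.entries: Dict[str, FdbEntry] = {}
        self.policies: Dict[str, LearningPolicy] = {}

    # models: configure ports <port> vlan <vlan> limit-learning <n> {action ...}
    def configure_port(self, port: str, limit: Optional[int] = None,
                       action: Action = Action.BLACKHOLE) -> None:
        self.policies[port] = LearningPolicy(limit, action)

    # models: create fdbentry <mac> vlan <vlan> ports <port> (permanent, overrides dynamic)
    def create_fdbentry(self, mac: str, port: str) -> None:
        self.entries[mac] = FdbEntry(mac, port, permanent=True)

    def learned_on(self, port: str) -> int:
        """Dynamic, non-blackhole entries counted against the port's limit."""
        return sum(1 for e in self.entries.values()
                   if e.port == port and not e.permanent and not e.blackhole)

    def ingress(self, src_mac: str, port: str) -> str:
        """Source-MAC learning decision for a frame arriving on `port`."""
        entry = self.entries.get(src_mac)
        if entry is not None:
            if entry.blackhole:
                return "dropped"          # blackholed at ingress
            if not entry.permanent:
                entry.age = 0             # refresh the dynamic entry
            return "known"
        policy = self.policies.get(port, LearningPolicy())
        if policy.limit is None or self.learned_on(port) < policy.limit:
            self.entries[src_mac] = FdbEntry(src_mac, port)
            return "learned"
        if policy.action is Action.BLACKHOLE:
            self.entries[src_mac] = FdbEntry(src_mac, port, blackhole=True)
            return "blackholed"           # consumes an FDB entry
        return "not-learned"              # stop-learning: nothing is created

    def egress(self, dst_mac: str) -> str:
        """Forwarding decision: a port name, "flood", or "drop"."""
        if dst_mac == self.BROADCAST:
            return "flood"                # broadcast still reaches limited ports
        entry = self.entries.get(dst_mac)
        if entry is None:
            return "flood"                # unknown unicast is flooded
        if entry.blackhole:
            return "drop"                 # blackholed at egress
        return entry.port

    def tick(self, seconds: int) -> None:
        """Age non-permanent entries; aged-out entries free room for new learning."""
        for mac in list(self.entries):
            e = self.entries[mac]
            if e.permanent:
                continue
            e.age += seconds
            if e.age >= self.aging_time:
                del self.entries[mac]


def figure_27_scenario(action: Action = Action.BLACKHOLE) -> Tuple[Fdb, List[str]]:
    """Three hosts behind a hub on port 1:1 with limit-learning 3, then a fourth host."""
    fdb = Fdb()
    fdb.configure_port("1:1", limit=3, action=action)
    hosts = ["00:00:00:00:00:0a", "00:00:00:00:00:0b",
             "00:00:00:00:00:0c", "00:00:00:00:00:0d"]   # constructed MACs
    return fdb, [fdb.ingress(mac, "1:1") for mac in hosts]


if __name__ == "__main__":
    for action in Action:
        fdb, results = figure_27_scenario(action)
        print(action.value, results, "entries:", len(fdb.entries))
```

Running the module prints the learning result for each of the four hosts under both actions; note that with the default blackhole action the fourth host still occupies an FDB entry, which is exactly the resource exhaustion that stop-learning avoids.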