Owner's Manual

Chapter 17. Security | 439
NETGEAR 8800 User Manual
Figure 27. Switch Configured for Limit Learning
MAC Address Lockdown
In contrast to limiting learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent any additional learning using the lock-learning option from the following command:
configure ports <portlist> vlan <vlan_name> [limit-learning <number> {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
This command causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to 0, so that no new entries can be learned. All new source MAC addresses are blackholed.
Note: Blackhole FDB entries added due to MAC security violations on NETGEAR 8800 switches are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.
Locked entries do not get aged, but can be deleted like a regular permanent entry.
For ports that have lock-down in effect, the following traffic still flows to the port:
Packets destined for the permanent MAC and other non-blackholed MAC addresses
Broadcast traffic
Traffic from the permanent MAC still flows from the virtual port.
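The lockdown behaviour described above, modelled in Python as an added illustration (this is not NETGEAR code or switch output): lock-learning converts dynamic entries to locked entries and sets the limit to 0, a new source MAC is blackholed, the blackhole entry is dropped at each aging period and re-added while the host keeps sending, and locked entries never age. The VirtualPort class and all MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DYNAMIC, LOCKED, BLACKHOLE = "dynamic", "locked", "blackhole"


@dataclass
class VirtualPort:
    """FDB state for one port/VLAN pair (constructed model, not switch code)."""
    entries: Dict[str, str] = field(default_factory=dict)  # MAC -> entry type
    limit: Optional[int] = None  # None = unlimited learning

    def learn(self, src_mac: str) -> str:
        """Handle a frame from src_mac and return the resulting FDB entry type."""
        if src_mac in self.entries:
            return self.entries[src_mac]  # known MAC: locked, dynamic or blackholed
        learned = sum(1 for k in self.entries.values() if k != BLACKHOLE)
        # At the limit (0 after lock-learning) a new source MAC is blackholed
        kind = BLACKHOLE if self.limit is not None and learned >= self.limit else DYNAMIC
        self.entries[src_mac] = kind
        return kind

    def lock_learning(self) -> None:
        """lock-learning: dynamic entries become locked static, limit drops to 0."""
        for mac, kind in self.entries.items():
            if kind == DYNAMIC:
                self.entries[mac] = LOCKED
        self.limit = 0

    def age(self, still_sending: Set[str]) -> None:
        """One FDB aging period: blackhole entries are removed regardless of
        traffic, unrefreshed dynamic entries age out, locked entries never age.
        MACs that are still sending are then processed again (re-blackholed)."""
        for mac, kind in list(self.entries.items()):
            if kind == BLACKHOLE or (kind == DYNAMIC and mac not in still_sending):
                del self.entries[mac]
        for mac in still_sending:
            self.learn(mac)


def lockdown_scenario() -> dict:
    """Two hosts learned, then lock-learning; a third host appears afterwards."""
    vp = VirtualPort()
    for mac in ("00:00:00:aa:00:01", "00:00:00:aa:00:02"):  # constructed MACs
        vp.learn(mac)
    vp.lock_learning()
    newcomer = "00:00:00:bb:00:99"  # constructed MAC, not known before lockdown
    first = vp.learn(newcomer)
    vp.age(still_sending={newcomer})  # still sending: blackhole entry re-added
    return {"limit": vp.limit, "newcomer_first": first, "newcomer_after_age": vp.entries[newcomer],
            "locked": sorted(m for m, k in vp.entries.items() if k == LOCKED)}
```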
To remove MAC address lockdown, use the unlock-learning option from the following command:
[Figure diagram labels: Device A, Hub, Device B, Device C]