Mac Address Lock Down - Extreme Networks ExtremeWare XOS Guide Manual

This command displays detailed information, including MAC security information, for the specified
port.
Limiting MAC Addresses with ESRP Enabled
If you configure a MAC address limit on VLANS that participate in an Extreme Standby Router
Protocol (ESRP) domain, you should add an additional back-to-back link (that has no MAC address
limit on these ports) between the ESRP-enabled switches. Doing so prevents ESRP protocol data units
(PDUs) from being dropped due to MAC address limit settings.
Figure 16 is an example of configuring a MAC address limit on a VLAN participating in an ESRP
domain.
Figure 16: MAC address limits and VLANs participating in ESRP
ESRP
vlan
S1
10.1.2.100
In Figure 16, S2 and S3 are ESRP-enabled switches, while S1 is an ESRP-aware (regular Layer 2) switch.
Configuring a MAC address limit on all S1 ports might prevent ESRP communication between S2 and
S3. To resolve this, you should add a back-to-back link between S2 and S3. This link is not needed if
MAC address limiting is configured only on S2 and S3, but not on S1.

MAC Address Lock Down

In contrast to limiting learning on virtual ports, you can lock down the existing dynamic FDB entries
and prevent any additional learning using the
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning |
unlimited-learning | unlock-learning]
This command causes all dynamic FDB entries associated with the specified VLAN and ports to be
converted to locked static entries. It also sets the learning limit to zero, so that no new entries can be
learned. All new source MAC addresses are blackholed.
ExtremeWare XOS 11.3 Concepts Guide
10.1.2.1
S2
10.1.2.2
S3
10.1.2.1
lock-learning
MAC Address Security
20.1.1.1
20.1.2.2
192.10.1.1
S4
192.10.1.100
30.1.1.2
30.1.1.1
option from the following command:
EX_036
317