Foundry NetIron M2404C and M2404F Metro Access Switches Configuring VLANs (Rev.03)
Port Security
© 2008 Foundry Networks, Inc.
learning limit on the specified port. The no port limit all command removes the port limit on a port for all VLANs.

The MAC addresses that do not cross the limit on the port are learned as dynamic, and the MAC addresses that cross the limit on the port are learned as filtered. Once a dynamic MAC address is deleted from the MAC address table (manually or after the aging time period), a new dynamic entry is learned with a new MAC address or one of the previously learned filtered MAC addresses.

When the filter-learn-disable option is specified, the violating MAC addresses will not be learned (without this option, the violating MAC addresses will be learned as filtered).

The vlan option allows the port limit to be configured per port and VLAN. When the MAC addresses are limited per port and VLAN, only packets with MAC addresses specified as secure for this port and VLAN are permitted to access the port.
By default, the Disable MAC filtered learning is enabled.
NOTE
Initial frame loss will occur if port MAC limiting or port MAC security is set on a port. This is because, once one of the above features is enabled, the first packet(s) received from any source will only be used for learning purposes until the respective MAC address is learned on the specified port.
NOTE
When learning new-address is disabled per port or globally, the port limit feature will not function correctly:

device-name(config-if UU/SS/PP)#port limit max-mac-count <1-2048>
Warning! Port limit may not work correctly since learning is disabled on the port.
Command Syntax
device-name(config-if UU/SS/PP)#port limit max-mac-count <max-count> [filter-learn-disable] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port limit [max-mac-count filter-learn-disable] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port limit all
Argument                    Description
max-mac-count <max-count>   The number of MAC addresses that are allowed to be learned on the
                            specified port. The range is <1-2048>.
filter-learn-disable        (Optional). The violating MAC address will not be learned in the MAC
                            address table.
vlan <vlan-id>              (Optional). The VLAN identity number in the range <2-4093>. If no
                            VLAN ID is specified the counter will be incremented whenever a packet
                            arrives on any VLAN.
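
The learning behaviour described above (dynamic up to the limit, filtered beyond it, promotion after a dynamic entry is deleted or aged out) can be traced with a small model. The following Python sketch is an added illustration and is not Foundry code: the PortLimit class and its method names are hypothetical, the MAC addresses are constructed, and it assumes a filtered address becomes dynamic when its next frame arrives after a slot has been freed.

```python
# Added illustration: a toy model of the documented "port limit" semantics.
# Not Foundry code; class, method and return-value names are hypothetical.
from typing import Dict, Optional, Tuple

Key = Tuple[str, int]  # (source MAC, VLAN ID)


class PortLimit:
    def __init__(self, max_mac_count: int, filter_learn_disable: bool = False,
                 vlan: Optional[int] = None):
        if not 1 <= max_mac_count <= 2048:      # range given on the page
            raise ValueError("max-mac-count must be in <1-2048>")
        self.max = max_mac_count
        self.filter_learn_disable = filter_learn_disable
        self.vlan = vlan                        # None: count frames on any VLAN
        self.table: Dict[Key, str] = {}         # key -> "dynamic" | "filtered"

    def frame(self, mac: str, vlan: int) -> str:
        """Process one source MAC and return its resulting table state."""
        if self.vlan is not None and vlan != self.vlan:
            return "not-limited"                # outside the configured VLAN
        key = (mac, vlan)
        if self.table.get(key) == "dynamic":
            return "dynamic"
        dynamic = sum(1 for s in self.table.values() if s == "dynamic")
        if dynamic < self.max:                  # free slot: learn or promote
            self.table[key] = "dynamic"
            return "dynamic"
        if self.filter_learn_disable:           # violation, nothing is stored
            return "not-learned"
        self.table[key] = "filtered"            # violation, stored as filtered
        return "filtered"

    def age_out(self, mac: str, vlan: int) -> None:
        """Manual delete or aging; frees a slot if the entry was dynamic."""
        self.table.pop((mac, vlan), None)


def demo() -> list:
    # Constructed sample: limit of 2 on VLAN 20, three hosts appear in turn.
    port = PortLimit(2, vlan=20)
    macs = ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03")
    out = [port.frame(m, 20) for m in macs]
    port.age_out(macs[0], 20)                   # a dynamic entry ages out
    out.append(port.frame(macs[2], 20))         # filtered MAC is promoted
    return out


if __name__ == "__main__":
    print(demo())
```

The last step of the demo shows why a port limit alone does not pin a port to specific hosts: once a dynamic entry is deleted or ages out, a previously filtered address can take its place.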
Example
The following example disables learning of the violating MAC address in the MAC address table.
Superfluous MAC addresses corresponding to VLAN 20 will not be learned on port 1/1/11.
device-name(config)#interface 1/1/11