Why secure MAC addresses are not aged when the aging time arrives


The secure MAC address aging time is tied to the global aging time of dynamic MAC addresses and depends on the traffic-match flag bit of the MAC address, which is updated after dynamic MAC addresses are globally aged out. That is, when the secure MAC address aging time arrives, the system checks whether the flag bit of the MAC address has been cleared. If it has not been cleared, the secure MAC address is not aged out.
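The interplay described above, as an added simplified model written for this page (not Huawei code): the flag is assumed to be set by matching traffic and cleared by each global dynamic-MAC aging cycle, and the secure aging check removes only entries whose flag is still cleared; the MAC addresses are constructed samples.

```python
# Simplified model of secure MAC aging driven by a traffic-match flag.
# Assumption (drawn from the answer above): the flag is set when a frame from the
# MAC is seen and cleared when dynamic MAC addresses are globally aged out.
from dataclasses import dataclass, field


@dataclass
class SecureMacEntry:
    mac: str
    hit: bool = False  # traffic-match flag bit


@dataclass
class SecureMacTable:
    entries: dict = field(default_factory=dict)

    def learn(self, mac: str) -> None:
        # A secure MAC is learned from a frame, so its flag starts out set.
        self.entries[mac] = SecureMacEntry(mac, hit=True)

    def traffic_seen(self, mac: str) -> None:
        """A frame sourced from `mac` arrived: set its match flag."""
        if mac in self.entries:
            self.entries[mac].hit = True

    def global_dynamic_aging(self) -> None:
        """Global dynamic-MAC aging cycle: clears every entry's flag (assumption)."""
        for entry in self.entries.values():
            entry.hit = False

    def secure_aging_check(self) -> list:
        """Secure aging timer fired: age out only entries whose flag is still
        cleared, i.e. no traffic since the last global aging cycle.
        Returns the MACs that were removed."""
        aged = [m for m, e in self.entries.items() if not e.hit]
        for m in aged:
            del self.entries[m]
        return aged


def run_scenario() -> tuple:
    """Two secure MACs; only one keeps sending traffic between aging cycles."""
    table = SecureMacTable()
    table.learn("00e0-fc12-3456")         # constructed sample: active host
    table.learn("00e0-fc65-4321")         # constructed sample: silent host
    table.global_dynamic_aging()          # flags cleared for both entries
    table.traffic_seen("00e0-fc12-3456")  # active host speaks again: flag set
    aged = table.secure_aging_check()     # secure aging time arrives
    return aged, sorted(table.entries)    # -> (['00e0-fc65-4321'], ['00e0-fc12-3456'])
```

Only the silent host is aged out; the active host's entry survives the timer because its flag was set again after the global aging cycle cleared it.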

Other related questions:
How to check and configure the MAC address aging time on an S series switch
For S series switches (except the S1700), configure the MAC address aging time as follows:
[HUAWEI] mac-address aging-time 500 //Set the MAC address aging time to 500s.

Check the MAC address aging time as follows:
<HUAWEI> display mac-address aging-time
  Aging time:300 second(s)     //The current aging time is 300s.

Which MAC addresses do not age
Static media access control (MAC) addresses and blackhole MAC addresses.

What are the aging time and aging mechanism of ARP entries
The default aging time of ARP entries is 20 minutes. You can run the arp expire-time command to change the aging time, and the arp detect-times command to change the number of ARP probes (3 by default). When the aging time of an ARP entry expires, the device sends a probe packet to the corresponding IP address every 5 seconds. If the device receives no response after the specified number of probes, it deletes the ARP entry.

For example, if the aging time of ARP entries is set to 60s and the number of ARP probes to 6, the device starts sending an ARP probe every 5s once 60s have elapsed since the entry was generated. If it receives no response after sending six probes, it deletes the ARP entry. Therefore, the actual aging time of the ARP entry is (60 + 6 x 5) = 90s.

NOTE: In V100R002, the S2700/S3700/S5700/S6700 also probes at the 1/2 and 3/4 points of the aging time. The number of probes at each of these two points is fixed at 3 and cannot be changed. For example, if the aging time is 20 minutes (1200s) and the number of ARP probes is 6, the S2700/S3700/S5700/S6700 sends three ARP probes at an interval of 5s after 10 minutes, and another three ARP probes at an interval of 5s after 15 minutes. After 20 minutes, it sends six ARP probes at an interval of 5s. If it receives no response, it deletes the ARP entry.

Whether USG firewalls support the aging time configured for MAC address entries
The USG2000 and USG5000 support the aging time configured for MAC address entries.

Firewall session aging time
Generally, you can use the default aging time of the session table. To change the aging time of the session table for a specific protocol type, run the firewall session aging-time command. For the USG2000&5000 series, you can set the service aging time on the web UI. On the web UI, choose Firewall > Service > Service Aging Time. To view the aging time of the session entries of all traffic in the current system, you can run the display firewall session aging-time command.
