How to Reduce the Number of MAC Entries on the Firewall

1. Go to the Product Selection web page. Click Show More under your firewall platform name. Find the MAC table size per device.
2. For VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
   

   > show system info

3. Alternatively, use one of the following CLI commands and read the numerical value in the line "maximum of entries supported":

   > show mac all | match max

1. If caused by many unique devices, optimize the network topology by reducing unnecessary Layer 2 segments or aggregating devices behind switches or routers.
2. If caused by an attack, implement mitigation measures on the upstream device (eg, switch), such as port security and VLAN segmentation. Consult with the upstream device vendor to learn more details on how to mitigate the MAC flood attack.

> clear mac <dot1q-vlan>

1. For a hardware firewall, consider upgrading your firewall to a higher-capacity platform.
2. For a VM-Flex FW if it's running a version lower than 10.2.0, consider upgrading to a version greater than 10.2.0 to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall Feature. Also, consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.