MAC Address Limiting on Service Instances and Bridge Domains
Available Languages
Table Of Contents
Configuring MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Prerequisites for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Restrictions for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Information About MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Ethernet Virtual Circuits, Service Instances, and Bridge Domains
MAC Security and MAC Addressing
MAC Address Limiting and Learning
Static and Dynamic MAC Addresses
MAC Address Limiting on Service Instances
MAC Address Limiting for Bridge Domains
Relationship Between the MAC Address Limit on a Bridge Domain and on a Service Instance
Violation Response Configuration
MAC Address Aging Configuration
Sticky MAC Address Configurations
MAC Security Enabled on a Service Instance
MAC Security Disabled on a Service Instance
Service Instance Moved to a New Bridge Domain
Service Instance Removed from a Bridge Domain
Service Instance Shut Down Due to Violation
Interface/Service Instance Down/Linecard OIR Removed
Interface/Service Instance Re-activated/Linecard OIR Inserted
Sticky Addresses Added or Removed on a Service Instance
How to Configure MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Enabling MAC Security on a Service Instance
Enabling MAC Security on an EVC Port Channel
Configuring a MAC Address Permit List
Configuring a MAC Address Deny List
Configuring MAC Address Limiting on a Bridge Domain
Configuring MAC Address Limiting on a Service Instance
Configuring a MAC Address Violation
Configuring a Sticky MAC Address
Displaying the MAC Security Status of a Specific Service Instance
Displaying the Service Instances with MAC Security Enabled
Displaying the Service Instances with MAC Security Enabled on a Specific Bridge Domain
Showing the MAC Addresses of All Secured Service Instances
Showing the MAC Addresses of a Specific Service Instance
Showing the MAC Addresses of All Service Instances on a Specific Bridge Domain
Showing the MAC Security Statistics of a Specific Service Instance
Showing the MAC Security Statistics of All Service Instances on a Specific Bridge Domain
Showing the Last Violation Recorded on Each Service Instance on a Specific Bridge Domain
Clearing All Dynamically Learned MAC Addresses on a Service Instance
Clearing All Dynamically Learned MAC Addresses on a Bridge Domain
Bringing a Specific Service Instance Out of the Error-Disabled State
Bringing a Specific Service Instance Out of the Error-Disabled State
Example: Enabling MAC Security on a Service Instance
Example: Enabling MAC Security on an EVC Port Channel
Example: Configuring a MAC Address Permit List
Example: Configuring a MAC Address Deny List
Example: Configuring MAC Address Limiting on a Bridge Domain
Example: Configuring a MAC Address Limit on a Service Instance
Example: Configuring a MAC Address Violation Response
Example: Configuring MAC Address Aging
Example: Configuring a Sticky MAC Address
Example: Displaying the MAC Addresses on a Specific Secure Service Instance
Example: Displaying the Last Violation on a Specific Service Instance
Example: Displaying the MAC Security Status of a Specific Service Instance
Example: Displaying the MAC Addresses of All Secured Service Instances
Example: Displaying the MAC Security Statistics of All Service Instances
Example: Displaying the MAC Addresses on All Service Instances for a Bridge Domain
Example: Displaying the Secured Service Instances for a Specific Bridge Domain
Configuring MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
First Published: October 24, 2008Last Updated: February 8, 2011The MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels feature addresses port security with service instances by providing the capability to control and filter MAC address learning behavior at the granularity of a per-service instance. When a violation requires a shutdown, only the customer who is assigned to a given service instance is affected and—not all customers who are using the port. The MAC Address Security on EVC Port Channel feature supports MultiPoint Bridging over Ethernet (MPBE). MAC address limiting is a type of MAC security and is also referred to as a MAC security component or element.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
•
•
•
Prerequisites for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
•
•
•
Restrictions for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
MAC address limiting for service instances and bridge domains is configured under a service instance and is permitted only after the service instance is configured under a bridge domain. If a service instance is removed from a bridge domain, all the MAC address limiting commands under it are also removed. If a bridge domain is removed from a service instance, all the MAC address limiting commands are also removed.
Information About MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
•
•
•
•
•
•
Ethernet Virtual Circuits, Service Instances, and Bridge Domains
An Ethernet virtual circuit (EVC) as defined by the Metro Ethernet Forum is a port-level point-to-point or multipoint-to-multipoint Layer 2 circuit. It is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. An EVC embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port.
Support for Ethernet bridging is an important Layer 2 service that is offered on a router as part of an EVC. Ethernet bridging enables the association of a bridge domain with a service instance.
Service instances are configured under a port channel. The traffic carried by service instances is load-balanced across member links. Service instances under a port channel are grouped and each group is associated with one member link. Ingress traffic for a single service instance can arrive on any member of the bundle. All egress traffic for a service instance uses only one of the member links. Load-balancing is achieved by grouping service instances and assigning them to a member link.
For information about the Metro Ethernet Forum standards, see the "Standards" section.
EVCs on Port Channels
An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links. The Ethernet Virtual Connection Services (EVCS) EtherChannel feature provides support for EtherChannels on service instances.
Note
EVCS uses the concepts of EVCs and service instances.
Load balancing is done on an Ethernet flow point (EFP) basis where a number of EFPs exclusively pass traffic through member links.
MAC Security and MAC Addressing
MAC security is enabled on a service instance by configuring the mac security command. Various MAC security elements can be configured or removed regardless of whether the mac security command is presently configured, but these configurations become operational only when the mac security command is applied.
In this document, the term "secured service instance" is used to describe a service instance on which MAC security is configured. The MAC addresses on a service instance on which MAC security is configured are referred to as "secured MAC addresses." Secured MAC addresses can be either statically configured (as a permit list) or dynamically learned.
MAC Address Permit List
A permit list is a set of MAC addresses that are permitted on a service instance. Permitted addresses permanently configured into the MAC address table of the service instance.
On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more permitted MAC addresses. For each permitted address, eligibility tests are performed and after the address passes these tests, it is either:
•
•
The eligibility tests performed when a user tries to add a MAC address to the permit list on a service instance are as follows:
1.
2.
3.
a.
b.
MAC Address Deny List
A deny list is a set of MAC addresses that are not permitted on a service instance. An attempt to learn a denied MAC address will fail. On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more denied MAC addresses. The arrival of a frame with a source MAC address that is part of a deny list will trigger a violation response.
Before a denied address can be configured, the following test is performed:
1.
In all other cases, the configuration of the denied address is accepted. Typical cases include:
•
•
MAC Address Limiting and Learning
An upper limit for the number of secured MAC addresses allowed on a bridge domain service instance can be configured. This limit includes addresses added as part of a permit list and dynamically learned MAC addresses.
Before an unknown MAC address is learned, a series of checks are run against a set of configured and operational constraints. If any of these checks fails, the address is not learned, and a configured violation response is triggered.
Static and Dynamic MAC Addresses
A static MAC address is specified as permitted on a service instance, by a mac security permit command. A dynamic MAC address is a source MAC address encountered by the service instance that is not present in the MAC table but is allowed into and learned by the MAC address table.
Dynamic MAC Address Learning
Dynamic MAC address learning occurs play when the bridging data path encounters an ingress frame whose source address is not present in the MAC address table for the ingress secured service instance.
The MAC security component is responsible for permitting or denying the addition of the new source address into the MAC table. The following constraints apply:
1.
2.
3.
MAC Address Limiting on Service Instances
The user can configure the maximum number of MAC addresses that can exist in the MAC table that is associated with a service instance. This number includes statically configured and dynamically learned (including sticky) addresses.
On a service instance that has MAC security enabled and that does not have the maximum number of MAC addresses configured, the number of addresses allowed is one. This means that if the service instance has an associated permit list, that permit list can have only one address, and no addresses are learned dynamically. If the service instance does not have an associated permit list, one MAC address may be learned dynamically.
MAC Address Limiting for Bridge Domains
An upper limit for the number of MAC addresses that can reside in the MAC address table of a bridge domain can be set. This is set independently of the upper limit of secured MAC addresses on the service instance. An attempted violation of this bridge domain MAC address limit will cause the MAC address learn attempt to fail, and the frame to be dropped.
If the bridge domain MAC address limit is not configured, then by default, the maximum number of MAC addresses allowed on a bridge domain is the maximum number that can be supported by that platform.
Relationship Between the MAC Address Limit on a Bridge Domain and on a Service Instance
The MAC security commands permit the user to specify the maximum count of MAC table entries on a bridge domain and on a service instance simultaneously. However, there are no restrictions on the count that is configured on the service instance.
Table 1 shows an example of an initial configuration where three service instances are configured on a bridge domain:
If the user wishes to configure MAC security on service instance 1003, any value can be configured for the maximum count. For example:
service instance 1003 ethernetbridge-domain 1mac securitymac security maximum addresses 35A MAC address limit of 35 is permitted, even though the total MAC address limit for the three service instances (5 + 10 + 35) would exceed the count (20) configured on the bridge domain. Note that during actual operation, the bridge domain limit of 20 is in effect. The dynamic secure address count cannot exceed the lowest count applicable, so it is not possible for service instance 1003 to learn 35 addresses.
MAC Move and MAC Locking
If a MAC address is present in the MAC address table for a service instance (for example, service instance 1) on which MAC security is configured, the same MAC address cannot be learned on another service instance (for example, service instance 2) in the same bridge domain.
If service instance 2 attempts to learn the same MAC address, the violation response configured on service instance 2 is triggered. If MAC security is not configured on service instance 2 and a violation response is not configured, the "shutdown" response sequence is triggered on service instance 2.
If MAC security is not enabled on service instance 1, the violation is not triggered. service instance 2 learns the MAC address and moves it from service instance 1.
For some platforms such as Cisco 7600 series routers, MAC address moves are allowed but moves between secured service instances and nonsecured service instances cannot be detected.
For example, if you do not configure MAC security on service instance 2 because of a hardware limitation on the Cisco 7600 series router, a MAC move from secured service instance 1 to service instance 2 is accepted. Therefore, it is recommended that all service instances within the same bridge-domain are configured as secured service instances.
Violation Response Configuration
A violation response is a response to a MAC security violation or a failed attempt to dynamically learn a MAC address due to an address violation. MAC security violations are of two types:
Type 1 Violation—The address of the ingress frame cannot be dynamically learned due to a deny list, or because doing so would cause the maximum number of secure addresses to be exceeded (see the "MAC Address Limiting and Learning" section).
Type 2 Violation—The address of the ingress frame cannot be dynamically learned because it is already "present" on another secured service instance (see the "MAC Move and MAC Locking" section).
There are three possible sets of actions that can be taken in response to a violation:
1.
•
•
•
•
2.
•
•
•
3.
•
If a violation response is not configured, the default response mode is shutdown. The violation response can be configured to protect or restrict mode. A "no" form of a violation response, sets the violation response to the default mode of shutdown.
You are allowed to configure the desired response for a Type 1 and Type 2 violations on a service instance. For a Type 1 violation on a bridge domain (that is, if the learn attempt conforms to the policy configured on the service instance, but violates the policy configured on the bridge domain), the response is always "Protect." This is not configurable.
In shutdown mode, the service instance is put into the error disabled state immediate, an SNMP trap notification is transmitted, and a message is sent to the console and SYSLOG as shown below:
%ETHER_SERVICE-6-ERR_DISABLED:Mac security violation - shutdown service instance 100 on interface gig 0/0/0To bring a service instance out of the error-disabled state, use errdisable recovery cause mac-security command to set the auto recovery timer, or re-enable it using the EXEC command clear ethernet service instance id id interface type number errdisable.
In Restrict mode, the violation report is sent to SYSLOG at level LOG_WARNING.
Support for the different types of violation responses depends on the capabilities of the platform. The desired violation response can be configured on the service instance. The configured violation response does not take effect unless and until MAC security is enabled using the mac security command.
MAC Address Aging Configuration
A specific time scheduler can be set to age out secured MAC addresses that are dynamically learned or statically configured on both service instances and bridge domains, thus freeing up unused addresses from the MAC address table for other active subscribers.
The set of rules applied to age out secured MAC addresses is called secure aging. By default, the entries in the MAC address table of a secured service instance are never aged out. This includes permitted addresses and dynamically learned addresses.
The mac security aging time aging-time command sets the aging time of the addresses in the MAC address table to <n> minutes. By default, this affects only dynamically learned (not including sticky) addresses—permitted addresses and sticky addresses are not affected by the application of this command.
By default, the aging time <n> configured via the mac security aging time aging-time command is an absolute time. That is, the age of the MAC address is measured from the instant that it was first encountered on the service instance. This interpretation can be modified by using the mac security aging time aging-time inactivity command, which specifies that the age <n> be measured from the instant that the MAC address was last encountered on the service instance.
The mac security aging static and mac security aging sticky commands specify that the mac security aging time aging-time command must be applicable to permitted and sticky MAC addresses, respectively. In the case of permitted MAC addresses, the absolute aging time is measured from the time the address is entered into the MAC address table (for example, when it is configured or whenever the mac security command is entered—whichever is later).
If the mac security aging time command is not configured, the mac security aging static command has no effect.
Sticky MAC Address Configurations
The ability to make dynamically learned MAC addresses on secured service instances permanent even after interface transitions or device reloads can be set up and configured. A dynamically learned MAC address that is made permanent on a secured service instance is called a "sticky MAC address". The mac security sticky command is used to enable the sticky MAC addressing feature on a service instance.
With the "sticky" feature enabled on a secured service instance, MAC addresses learned dynamically on the service instance are kept persistent across service instance line transitions and device reloads.
The sticky feature has no effect on statically configured MAC addresses. The sticky addresses are saved in the running configuration. Before the device is reloaded, it is the responsibility of the user to save the running configuration to the startup configuration. Doing this will ensure that when the device comes on, all the MAC addresses learned dynamically previously are immediately populated into the MAC address table.
The mac security sticky address mac-address command can configure a specific MAC address as a sticky MAC address. The use of this command is not recommended for the user because configuring a MAC address as a static address does the same thing. When sticky MAC addressing is enabled by the mac security sticky command, the dynamically learned addresses are marked as sticky and a mac security sticky address mac-address command is automatically generated and saved in the running configuration for each learned MAC address on the service instances.
Aging for Sticky Addresses
MAC addresses learned on a service instance that has the sticky behavior enabled are subject to aging as configured by the mac security aging time and mac security aging sticky commands. In other words, for the purpose of aging functionality, sticky addresses are treated the same as dynamically learned addresses.
Transitions
This section contains a description of the expected behavior of the different MAC security elements when various triggers are applied; for example, configuration changes or link state transitions.
MAC Security Enabled on a Service Instance
When MAC security is enabled on a service instance, all existing MAC table entries for the service instance are purged. Then, permitted MAC address entries and sticky addresses are added to the MAC table, subject to the prevailing MAC address limiting constraints on the bridge domain.
If MAC address limits are exceeded, any MAC address that fails to get added is reported via an error message to the console, the attempt to enable MAC security on the service instance fails, and the already added permitted entries are backed out or removed.
The aging timer for all entries is updated according to the secure aging rules.
MAC Security Disabled on a Service Instance
The existing MAC address table entries for this service instance are purged.
Service Instance Moved to a New Bridge Domain
This transition sequence applies to all service instances, whether or not they have MAC security configured. All the MAC addresses on this service instance in the MAC address table of the old bridge domain are removed. The count of dynamically learned addresses in the old bridge domain is decremented. Then, all the MAC security commands are permanently erased from the service instance.
Service Instance Removed from a Bridge Domain
All the MAC addresses in the MAC address table that attributable to this service instance are removed, and the count of dynamically learned addresses in the bridge domain is decremented. Since MAC security is applicable only on service instances that are members of a bridge domain, removing a service instance from a bridge domain causes all the MAC security commands to be erased permanently.
Service Instance Shut Down Due to Violation
All dynamically learned MAC addresses in the MAC address table are removed, and all the other MAC security state values are left unchanged. The only change is that no traffic is forwarded, and therefore no learning can take place.
Interface/Service Instance Down/Linecard OIR Removed
The MAC tables of all the affected bridge domains are cleared of all the entries attributable to the service instances that are down.
Interface/Service Instance Re-activated/Linecard OIR Inserted
The static and sticky address entries in the MAC tables of the affected bridge domains are re-created to the service instances that are activated.
MAC Address Limit Decreased
When the value of the MAC address limit on the service instance is changed initially, a sanity check is performed to ensure that the new value of <n> is greater than or equal to the number of permitted entries. If not, the command is rejected. The MAC table is scanned for addresses that are attributable to this service instance, and dynamically learned MAC addresses are removed when the new MAC address limit is less than the old MAC address limit.
When the value of <n> on a bridge domain is changed initially, a sanity check is performed to ensure that the new value of <n> is greater than or equal to the sum of the number of permitted entries on all the secured service instances on the bridge domain. If this sanity test fails, the command is rejected. The bridge domain MAC address table (regardless of service instance) is scanned for dynamically learned (or sticky) addresses. All dynamically learned addresses are removed when the new MAC address limit is less than the old MAC address limit.
Sticky Addresses Added or Removed on a Service Instance
Existing dynamically learned MAC addresses remain unchanged. All new addresses learned become "sticky" addresses.
Disabling sticky addresses causes all sticky secure MAC addresses on the service instance to be removed from the MAC address table. All new addresses learned become dynamic addresses on the service instance and are subject to aging.
How to Configure MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Enabling MAC Security on a Service Instance
Perform this task to enable MAC address security on a service instance.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Enabling MAC Security on an EVC Port Channel
Perform this task to enable MAC Security on an EVC port channel.
RESTRICTIONS
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Configuring a MAC Address Permit List
Perform this task to configure permitted MAC addresses on a service instance that is a member of a bridge domain.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Configuring a MAC Address Deny List
Perform this task to configure a list of MAC addresses that are not allowed on a service instance that is a member of a bridge domain.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Configuring MAC Address Limiting on a Bridge Domain
Perform this task to configure an upper limit for the number of secured MAC addresses that reside in a bridge domain.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring MAC Address Limiting on a Service Instance
Perform this task to configure an upper limit for the number of secured MAC addresses allowed on a service instance. This number includes addresses added as part of a permit list as well as dynamically learned MAC addresses. If the upper limit is decreased, all learned MAC entries are removed.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Configuring a MAC Address Violation
Perform this task to specify the expected behavior of a device when an attempt to dynamically learn a MAC address fails because the configured MAC security policy on the service instance was violated.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Configuring MAC Address Aging
Perform this task to configure the aging of secured MAC addresses under MAC security. Secured MAC addresses are not subject to the normal aging of MAC table entries. If aging is not configured, secured MAC addresses are never aged out.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Configuring a Sticky MAC Address
If sticky MAC addressing is configured on a secured service instance, MAC addresses that are learned dynamically on the service instance are retained during a link-down condition. Perform this task to configure sticky MAC addresses on a service instance.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Displaying the MAC Security Status of a Specific Service Instance
Perform this task to display the MAC security status of a service instance.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Displaying the Service Instances with MAC Security Enabled
Perform this task to display all the service instances with MAC security enabled.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Displaying the Service Instances with MAC Security Enabled on a Specific Bridge Domain
Perform this task to display the service instances on a specific bridge domain that have MAC security enabled.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Showing the MAC Addresses of All Secured Service Instances
Perform this task to display all the MAC addresses on all the secured service instances.
Restrictions
For some platforms such as Cisco 7600 series routers, the MAC address remaining age time information is available only on the switch console. Use the remote command switch command and the show ethernet service instance mac security address command to display the MAC address remaining age time information.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Showing the MAC Addresses of a Specific Service Instance
Perform this task to display all the MAC addresses of a specific service instance.
Restrictions
For some platforms such as Cisco 7600 routers, the MAC address remaining age time information is available only on the switch console. Use the remote command switch command and the show ethernet service instance id id interface type number mac security address command to display the MAC address remaining age time information.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Showing the MAC Addresses of All Service Instances on a Specific Bridge Domain
Perform this task to display the MAC addresses of all service instances on a specific bridge domain.
Restrictions
For some platforms such as Cisco 7600 series routers, the MAC address remaining age time information is available only on the switch console. Use the remote command switch command and the show bridge-domain id mac security address command to display the MAC address remaining age time information.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Showing the MAC Security Statistics of a Specific Service Instance
This section describes how to display the MAC security statistics of a specific service instance.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Showing the MAC Security Statistics of All Service Instances on a Specific Bridge Domain
Perform this task to display the MAC security statistics of all the service instances on a specific bridge domain.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Showing the Last Violation Recorded on Each Service Instance on a Specific Bridge Domain
Perform this task to display the last violation recorded on each service instance on a specific bridge domain. Service instances on which there have been no violations are excluded from the output.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Clearing All Dynamically Learned MAC Addresses on a Service Instance
Perform this task to clear all dynamically learned MAC addresses on a service instance.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Clearing All Dynamically Learned MAC Addresses on a Bridge Domain
Perform this task to clear all dynamically learned MAC addresses on a bridge domain.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Bringing a Specific Service Instance Out of the Error-Disabled State
Perform this task to bring a specific service instance out of the error-disabled state.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Bringing a Specific Service Instance Out of the Error-Disabled State
Perform this task to bring a specific service instance out of the error-disabled state.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for MAC Address Limiting on Service Instances, and Bridge Domains, and EVC Port Channels
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Example: Enabling MAC Security on a Service Instance
The following example shows how to enable MAC security on a service instance:
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 3/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Enabling MAC Security on an EVC Port Channel
The following example shows how to enable MAC Security on an EVC port channel:
Router> enableRouter# configure terminalRouter(config)# interface port-channel 2Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Configuring a MAC Address Permit List
The following example shows how to configure a MAC address permit list:
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 3/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security address permit a2aa.aaaa.aaaaRouter(config-if-srv)# mac security address permit a2aa.aaaa.aaabRouter(config-if-srv)# mac security address permit a2aa.aaaa.aaacRouter(config-if-srv)# mac security address permit a2aa.aaaa.aaadRouter(config-if-srv)# mac security address permit a2aa.aaaa.aaaeRouter(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Configuring a MAC Address Deny List
The following example shows how to configure a MAC address deny list:
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 3/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security address deny a2aa.aaaa.aaaaRouter(config-if-srv)# mac security address deny a2aa.aaaa.aaabRouter(config-if-srv)# mac security address deny a2aa.aaaa.aaacRouter(config-if-srv)# mac security address deny a2aa.aaaa.aaadRouter(config-if-srv)# mac security address deny a2aa.aaaa.aaaeRouter(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Configuring MAC Address Limiting on a Bridge Domain
Router> enableRouter# configure terminalRouter(config)# bridge-domain 100Router(config-bdomain)# mac limit maximum addresses 1000Router(config-bdomain)# endExample: Configuring a MAC Address Limit on a Service Instance
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 3/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security maximum addresses 10Router(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Configuring a MAC Address Violation Response
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 3/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security address permit a2aa.aaaa.aaaaRouter(config-if-srv)# mac security violation protectRouter(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Configuring MAC Address Aging
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 4/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security aging time 10Router(config-if-srv)# mac securityRouter(config-if-srv)# endExample: Configuring a Sticky MAC Address
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 3/0/1Router(config-if)# service instance 100 ethernetRouter(config-if-srv)# encapsulation dot1Q 100Router(config-if-srv)# bridge-domain 100Router(config-if-srv)# mac security stickyRouter(config-if-srv)# mac securityExample: Displaying the MAC Addresses on a Specific Secure Service Instance
Router# show ethernet service instance id 1879665131 interface gigabitethernet 0/2 mac security addressMAC Address Type Rem. Age(min)0001.0001.0001 static 1000001.0001.0002 static 1000001.0001.aaaa dynamic 1000001.0001.aaab dynamic 100Table 2 describes the significant fields in the output.
Note
Example: Displaying the Last Violation on a Specific Service Instance
Router# show ethernet service instance id 1879665131 interface gigabitethernet 0/2 mac security last violationAt: Apr 4 06:57:25.971Source address: ae4e.b7b5.79aeReason: Denied addressExample: Displaying the MAC Security Status of a Specific Service Instance
Router# show ethernet service instance id 1879665131 interface Ethernet0/2 mac securityMAC Security: enabledExample: Displaying the MAC Addresses of All Secured Service Instances
Router# show ethernet service instance mac security addressPort Bridge-domain MAC Address Type Rem. Age(min)Gi1/0/0 ServInst 1 10 0001.0001.0001 static 82Gi1/0/0 ServInst 1 10 0001.0001.0002 static 82Gi1/0/0 ServInst 1 10 0001.0001.aaaa dynamic 82Gi1/0/0 ServInst 1 10 0001.0001.aaab dynamic 82Gi1/0/0 ServInst 2 10 0002.0002.0002 static -Gi1/0/0 ServInst 2 10 0002.0002.0003 static -Gi1/0/0 ServInst 2 10 0002.0002.0004 static -Gi1/0/0 ServInst 2 10 0002.0002.aaaa dynamic -Gi1/0/0 ServInst 2 10 0002.0002.bbbb dynamic -Gi1/0/0 ServInst 2 10 0002.0002.cccc dynamic -Gi3/0/5 ServInst 10 30 0003.0003.0001 static 200Gi3/0/5 ServInst 10 30 0003.0003.0002 static 200Table 3 describes the significant fields in the output.
Note
Example: Displaying the MAC Security Statistics of All Service Instances
In the following example, the numbers of allowed and actual secured addresses recorded on the service instance are displayed.
Router# show ethernet service instance mac security statisticsEthernet0/0 service instance 890597333 (bridge-domain 730)Secure addresses: 3Address limit: 7Ethernet0/0 service instance 1559665780 (bridge-domain 1249)Secure addresses: 8Address limit: 8Ethernet0/0 service instance 1877043343 (bridge-domain 1155)Secure addresses: 0Address limit: 8Ethernet0/1 service instance 127771402 (bridge-domain 730)Secure addresses: 12Address limit: 12Ethernet0/1 service instance 183598286 (bridge-domain 730)Secure addresses: 1Address limit: 1Ethernet0/1 service instance 433365207 (bridge-domain 1249)Secure addresses: 0Address limit: 1Ethernet0/1 service instance 858688453 (bridge-domain 1328)Secure addresses: 0Address limit: 2Example: Displaying the MAC Addresses on All Service Instances for a Bridge Domain
Router# show bridge-domain 730 mac security addressPort MAC Address Type Rem. Age(min)Gi1/0/0 ServInst 1 0001.0001.0001 static 74Gi1/0/0 ServInst 1 0001.0001.0002 static 74Gi1/0/0 ServInst 1 0001.0001.aaaa dynamic 74Gi1/0/0 ServInst 1 0001.0001.aaab dynamic 74Gi1/0/0 ServInst 2 0002.0002.0002 static -Gi1/0/0 ServInst 2 0002.0002.0003 static -Gi1/0/0 ServInst 2 0002.0002.0004 static -Gi1/0/0 ServInst 2 0002.0002.aaaa dynamic -Gi1/0/0 ServInst 2 0002.0002.bbbb dynamic -Gi1/0/0 ServInst 2 0002.0002.cccc dynamic -
Note
Example: Displaying the Secured Service Instances for a Specific Bridge Domain
Router# show bridge-domain 730 mac securityGi1/0/0 ServInst 1MAC Security enabled: yesGi1/0/0 ServInst 2MAC Security enabled: yesAdditional References
Related Documents
Standards
MEF 6.1
Metro Ethernet Services Definitions Phase 2 (PDF 6/08)
MEF 10.1
Ethernet Services Attributes Phase 2 (PDF 10/06)
MIBs
RFCs
No new or modified RFCs are supported, and support for existing RFCs has not been modified.
—
Technical Assistance
Feature Information for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Table 4 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 4 Feature Information for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
MAC Address Limiting on Service Instances and Bridge Domains
12.2(33)SRD
The MAC Address Limiting on Service Instances and Bridge Domains feature addresses port security with service instances by providing the capability to control and filter MAC address learning behavior at the granularity of a per-service instance. When a violation requires a shutdown, only the customer that is assigned to a given service instance is affected. MAC address limiting is a type of MAC security and is also referred to as a MAC security component or element.
The following sections provide information about this feature:
•
•
•
The following commands were introduced or modified: bridge-domain (config), bridge-domain (service instance), clear bridge-domain mac table, clear ethernet service instance, errdisable recovery cause mac-security, interface, mac limit maximum addresses, mac security, show bridge-domain, show ethernet service instance.
MAC Address Security on EVC Port Channel
12.2(33)SRE
The MAC Address Security on EVC Port Channel feature supports MPBE, local connect, and xconnect service types.
Load balancing is done on an EFP basis where a number of EFPs exclusively pass traffic through member links.
The following sections provide information about this feature:
•
The following command was introduced or modified: interface
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2008-2011 Cisco Systems, Inc. All rights reserved.
Feedback