19-9
Cisco ME 3800X and 3600X Switch Software Configuration Guide
OL-23400-01
Chapter 19 Configuring Traffic Control
Configuring EVC MAC Security
MAC Address Security Guidelines
• MAC security is disabled by default on an EFP. When MAC security is disabled on an EFP, you can configure MAC security functions, but they do not become operational until you enable MAC security.
  – A secured EFP is one on which MAC security is enabled.
  – A secured MAC address is one that is configured or learned.
  – A secured bridge domain is one on which MAC security is enabled.
• Secured EFP learned MAC addresses are kept in both the EVC MAC security table and the system MAC address table. Secured addresses are aged out by the configured MAC security aging process.
• When you enable MAC security on an EFP by entering the mac security service-instance configuration command, the existing MAC addresses on the EFP that were dynamically learned are removed, and configured MAC addresses and sticky MAC address entries are added to the EVC MAC security table.
• When you remove an EFP from a bridge domain or move an EFP to a new bridge domain, all MAC addresses for the EFP are removed from the MAC address table.
• A MAC locking condition occurs when a MAC move occurs and a MAC entry already exists for an EFP in a given bridge domain, and the same MAC address is received on a different EFP in the bridge domain. If the move takes place from one secured EFP to another secured EFP, the move is not allowed and the configured violation action occurs. A move between a secured and non-secured EFP is allowed because no violation occurs.
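An audit sketch for two of the guidelines above (an added example, not from the Cisco guide): it parses a running-config fragment and flags EFPs where MAC security functions are configured but MAC security itself is not enabled, and unsecured EFPs that share a bridge domain with a secured EFP, where a MAC move raises no violation. The sample config is constructed, the names parse_efps and audit and the finding labels are assumptions, and the script assumes the enabling command appears in the config as a bare "mac security" line.

```python
import re
# Added example: constructed sample config; function names are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan none
 service instance 1 ethernet
  bridge-domain 100
  mac security
 service instance 2 ethernet
  bridge-domain 100
  mac security maximum addresses 5
interface GigabitEthernet0/2
 service instance 3 ethernet
  bridge-domain 100
"""

def parse_efps(config):
    """Return one dict per service instance (EFP) found in the config text."""
    efps, iface, cur = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface, cur = line.split(None, 1)[1], None
        elif m := re.match(r"service instance (\d+) ethernet", line):
            cur = {"iface": iface, "id": int(m.group(1)), "bd": None,
                   "enabled": False, "functions": []}
            efps.append(cur)
        elif cur is not None:
            if m := re.match(r"bridge-domain (\d+)", line):
                cur["bd"] = int(m.group(1))
            elif line == "mac security":
                cur["enabled"] = True          # the enabling command itself
            elif line.startswith("mac security "):
                cur["functions"].append(line)  # inert unless also enabled
    return efps

def audit(efps):
    """Flag inert MAC security settings and partly secured bridge domains."""
    findings, by_bd = [], {}
    for e in efps:
        if e["functions"] and not e["enabled"]:
            findings.append(("inert", e["iface"], e["id"]))
        if e["bd"] is not None:
            by_bd.setdefault(e["bd"], []).append(e)
    for members in by_bd.values():
        if any(m["enabled"] for m in members):
            findings += [("unsecured-peer", m["iface"], m["id"])
                         for m in members if not m["enabled"]]
    return findings
```

Calling audit(parse_efps(SAMPLE_CONFIG)) reports service instance 2 as inert and service instances 2 and 3 as unsecured peers of secured EFP 1 in bridge domain 100.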
Enabling and Configuring EVC MAC Security
For detailed information about the commands, see the Cisco IOS Carrier Ethernet Command Reference at:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
Beginning in privileged EXEC mode, follow these steps to configure MAC security on an EFP:
        Command                                  Purpose
Step 1  configure terminal                       Enter global configuration mode.
Step 2  interface interface-id                   Specify the interface to be configured, and enter interface configuration mode.
Step 3  switchport mode trunk                    Configure the interface as a trunk port, required for EFP configuration.
Step 4  switchport trunk allowed vlan none       Configure the interface to have no allowed VLANs.
Step 5  service instance number ethernet [name]  Configure an EFP (service instance) and enter service instance configuration mode.
                                                 • The number is the EFP identifier, an integer from 1 to 4000.
                                                 • (Optional) ethernet name is the name of a previously configured Ethernet virtual connection (EVC). You do not need to use an EVC name in a service instance.