manualshive.com logo in svg

Cisco NCS 4200 Series, Configuration Manual

The Cisco NCS 4200 Series Configuration Manual is a comprehensive guide to effortlessly set up and optimize your Cisco NCS 4200 network devices. With user-friendly instructions and useful insights, this manual is available for free download on manualshive.com, ensuring hassle-free access to the essential knowledge you need.

Share
Download
background image

On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more
permitted MAC addresses.

For each permitted address, eligibility tests are performed and after the address passes these tests, it is either:

Programmed into the MAC address table of the bridge domain, if MAC security is enabled on the service
instance or,

Stored in an area of memory referred to as

MAC table cache

if MAC security is not enabled on the

service instance. When MAC security is enabled, the addresses from the MAC table cache are added to
the MAC address table as secure addresses.

The eligibility tests performed when a user tries to add a MAC address to the permit list on a service instance
are as follows:

If the address is already a denied address on the service instance, the configuration is rejected with an
appropriate error message.

If the acceptance of this address would increase the secure address count on the service instance beyond
the maximum number allowed, an attempt is made to make room by removing an existing address from
the MAC address table. The only candidate for removal is a dynamically learned address on the service
instance. If sufficient room cannot be made, the configuration is rejected. If the acceptance of this address
would increase the secure address count on the bridge domain beyond the maximum number allowed,
an attempt is made to make room by removing an existing address from the MAC address table. The
only candidate for removal is a dynamically learned address on the service instance. If room cannot be
made, the configuration is rejected.

Default maximum address is '1' for a service instance.

Note

If the address is already permitted on another service instance in the same bridge domain, one of the
following actions occur:

If the conflicting service instance has MAC security configured, the configuration is rejected with
an appropriate error message.

If the conflicting service instance does not have MAC security configured, the configuration is
accepted silently. (If the operator attempts to enable MAC security on the conflicting service
instance, that attempt fails.)

MAC Address Deny List

A deny list is a set of MAC addresses that are not permitted on a service instance. An attempt to learn a denied
MAC address will fail. On a service instance that is a member of a bridge domain, the operator is permitted
to configure one or more denied MAC addresses. The arrival of a frame with a source MAC address that is
part of a deny list will trigger a violation response.

Before a denied address can be configured, the following test is performed:

If the address is already configured as a permitted address on the specific service instance or if the
address has been learned and saved as a sticky address on the service instance, the configuration is
rejected with an appropriate error message.

Layer 2 Configuration Guide for Cisco NCS 4200 Series    

39

Configuring MAC Address Security on Service Instances and EVC Port Channels

MAC Address Deny List

Summary of Contents for NCS 4200 Series

Page 1: ...on Guide for Cisco NCS 4200 Series First Published 2016 07 29 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ... Cisco Systems Inc All rights reserved ...

Page 3: ...ration Examples 4 Example Configuring External Loopback 4 Example Configuring Terminal Loopback 4 Verifying Ethernet Data Plane Loopback 5 Example Verifying Ethernet Dataplane Loopback 5 Use Cases or Deployment Scenarios 6 C H A P T E R 2 Configuring Switched Port Analyzer 7 Prerequisites for Configuring Local Span and RSPAN 7 Restrictions for Local Span and RSPAN 8 Understanding Local SPAN and RS...

Page 4: ...ts on EVCs 25 EVCs 26 Relationship Between ACLs and Ethernet Infrastructure 26 Information About Layer 2 Access Control Lists on EVCs 27 Creating a Layer 2 ACL 27 Applying a Layer 2 ACL to a Service Instance 28 Configuring a Layer 2 ACL with ACEs on a Service Instance 29 Verifying the Presence of a Layer 2 ACL on a Service Instance 31 Configuration Examples for Layer 2 Access Control Lists on EVCs...

Page 5: ...ard OIR Inserted 43 MAC Address Limit Decreased 43 Sticky Addresses Added or Removed on a Service Instance 43 How to Configure MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels 43 Enabling MAC Security on a Service Instance 43 Enabling MAC Security on an EVC Port Channel 45 Configuring a MAC Address Permit List 47 Configuring a MAC Address Deny List 49 Configuring MAC ...

Page 6: ...le Configuring a Sticky MAC Address 69 Example Displaying the MAC Addresses on a Specific Secure Service Instance 69 Example Displaying the Last Violation on a Specific Service Instance 69 Example Displaying the MAC Security Status of a Specific Service Instance 69 Example Displaying the MAC Addresses of All Secured Service Instances 69 Example Displaying the MAC Security Statistics of All Service...

Page 7: ...sses on a Service Instance 74 C H A P T E R 6 MAC Limiting 75 Restrictions and Usage Guidelines 75 Configuring MAC Limiting 75 Example of Enabling Per Bridge Domain MAC Limiting 76 Layer 2 Configuration Guide for Cisco NCS 4200 Series vii Contents ...

Page 8: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series viii Contents ...

Page 9: ...rted only of EFPs service instances Ethernet flow points EVCs Internal loopback sessions configured must be within the 1 GB reserved bandwidth Internal loopback can be launched even when the physical interface port state is down Restrictions for Ethernet Data Plane Loopback Data plane loopback on routed port infrastructure is not supported Etype src mac and llc oui based loopback traffic filtering...

Page 10: ... updated for external Ethernet data plane loopback statistics For internal Ethernet data plane loopback ingress and egress interface statistics are not updated on interface where internal ELB is enabled RSP3 Module Etype VLAN COS src mac and llc oui based loopback traffic filtering is not supported Port based ELB is not supported Internal ELB is not supported when the physical interface port state...

Page 11: ...level QoS is bypassed except for shaper Port level shaper cannot be bypassed How to Configure Ethernet Data Plane Loopback Enabling Ethernet Data Plane Loopback enable configure terminal interface gigabitethernet 0 2 1 service instance 1 ethernet encapsulation dot1q 100 bridge domain 120 ethernet loopback permit external end Starting an Ethernet Data Plane Loopback Session To start a loopback for ...

Page 12: ...Ethernet0 4 1 no ip address negotiation auto service instance 10 ethernet encapsulation dot1q 10 rewrite ingress tag pop 1 symmetric bridge domain 10 ethernet loopback permit external For facility loopback end This example below shows how to start external facility loopback on the router A warning message is displayed Type yes to continue Router ethernet loopback start local interface gigabitEther...

Page 13: ...e Router show ethernet loopback permitted Interface SrvcInst Direction Dot1q Dot1ad s Second Dot1q s Te0 0 0 10 Internal 10 Gi0 4 1 10 External 10 This example shows all active sessions on the router Router show ethernet loopback active Loopback Session ID 1 Interface GigabitEthernet0 4 1 Service Instance 10 Direction External Time out sec none Status on Start time 10 31 09 539 IST Mon Aug 26 2013...

Page 14: ...Router ethernet loopback start local interface gi0 0 0 service instance 800 internal dot1q 800 destination mac address f078 1685 313f timeout none This is an intrusive loopback and the packets matched with the service will not be able to pass through Continue yes no yes Router show ethernet cfm maintenance points remote MPID Domain Name MacAddress IfSt PtSt Lvl Domain ID Ingress RDI MA Name Type I...

Page 15: ... Span and RSPAN Local Span Use a network analyzer to monitor interfaces RSPAN Before configuring RSPAN sessions you must first configure 1 Source interface 2 Destination BD MAC learning should be disabled using the mac address table limit rspan vlan bd maximum num action limit command before configuring the RSPAN VLAN RSPAN VLAN must be dedicated and entire Layer 2 devices in the network must be a...

Page 16: ...ridge Protocol Data Unit BPDU packets are not replicated When enabled local SPAN uses any previously entered configuration When you specify source interfaces and do not specify a traffic direction Tx Rx or both both is used by default The SPAN port does not work for Rx traffic on the pseudowire for interfaces when the SPAN port is in different ASIC of the RSP2 module Local SPAN destinations never ...

Page 17: ...standing Local SPAN and RSPAN Information About Local SPAN Session and RSPAN Session Local SPAN Session A local Switched Port Analyzer SPAN session is an association of a destination interface with a set of source interfaces You configure local SPAN sessions using parameters that specify the type of network traffic to monitor Local SPAN sessions allow you to monitor traffic on one or more interfac...

Page 18: ... Session An RSPAN source session is an association of source ports or Vlans across your network with an RSPAN Vlan The RSPAN Vlan BD on the router is the destination RSPAN session RSPAN Traffic RSPAN supports source ports and source Vlans in the source switch and destination as RSPAN Vlan BD The figure below shows the original traffic from the Host A to Host B via the source ports or Vlans on Host...

Page 19: ...wire associated with the RSPAN Vlan towards the destination side On the destination side a port belonging to the RSPAN Vlan or EVC BD is connected to sniffer device Destination Interface A destination interface also called a monitor interface is a switched interface to which SPAN or RSPAN sends packets for analysis You can have only one destination interface for SPAN sessions An interface configur...

Page 20: ...pported rewrite traffic for RSPAN on the EFP Trunk with the associated RSPAN bridge domains Table 2 Rewrite Traffic for RSPAN BD EFP Trunk associated with RSPAN BD Source Rewrite Operations Only Pop1 Pop1 Pop2 Push1 no rewrite The following tables lists the format of the spanned packets at the destination port for both Ingress and Egress RSPAN The tables lists the formats of untagged single and do...

Page 21: ...er tag packet RSPAN BD tag source outer tag source inner tag packet no rewrite pop1 tag pop2 tag push1 tag Table 4 Destination Port Ingress and Egress Spanned Traffic for TEFP RSPAN BD Egress Traffic Ingress Traffic RSPAN Vlan BD rewrite pop1 tag symmetric RSPAN Vlan BD rewrite pop1 tag symmetric Untagged traffic Source port rewrite RSPAN BD tag packet RSPAN BD tag packet no rewrite NA NA pop1 tag...

Page 22: ... for RSPAN BD with VPLS Pseudowire Egress Traffic Ingress Traffic RSPAN Vlan BD rewrite pop1 tag symmetric RSPAN Vlan BD rewrite pop1 tag symmetric Untagged traffic Source port rewrite RSPAN BD tag packet RSPAN BD tag packet no rewrite NA NA pop1 tag NA NA pop2 tag NA NA push1 tag RSPAN Vlan BD rewrite pop1 tag symmetric RSPAN Vlan BD rewrite pop1 tag symmetric Single traffic Source port rewrite R...

Page 23: ...slot subslot port rx tx both 4 destination interface interface_type slot subslot port 5 no shutdown DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Router configure terminal Step 1 Specifies the local SPAN session number and enters the local monitoring configuration mode monitor session session_number type local Example Router config monitor ses...

Page 24: ...ter config mon local destination interface gigabitethernet 0 2 4 interface_type Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface slot subslot port The location of the interface List of interfaces Range of interfaces Enables the local SPAN session no shutdown Example Router config mon local no shutdown Step 5 Removing Sources or Destinations from a Local SPAN Session To remove sourc...

Page 25: ...iguring RSPAN Source Session To configure the source for a RSPAN session SUMMARY STEPS 1 enable 2 configure terminal 3 monitor session RSPAN_source_session_number type rspan source 4 source single_interface slot subslot port single_vlan rx tx both 5 destination remote vlan rspan_vlan_ID 6 no shutdown 7 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example ...

Page 26: ...face Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface slot subslot port The location of the interface single_vlan Specifies the single VLAN both Optional Monitors the received and the transmitted traffic rx Optional Monitors the received traffic only tx Optional Monitors the transmitted traffic only Associates the RSPAN source session number session number with the RSPAN VLAN desti...

Page 27: ...p 3 RSPAN_destination_session_number Valid sessions are 1 to 80 Example Router config monitor session 1 type rspan destination rspan destination Enters the RSPAN destination session configuration mode Associates the RSPAN destination session number RSPAN VLAN source remote vlan rspan_vlan_ID Example Router config mon rspan dst source remote vlan2 Step 4 rspan_vlan_ID Specifies the Vlan ID Associat...

Page 28: ...tx 5 no monitor session session number 6 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Router enable Enter your password if prompted Enters global configuration mode configure terminal Example Router configure terminal Step 2 Configures an RSPAN source session number and enters RSPAN source session configuration mode for the session monitor session...

Page 29: ...nal Monitors the transmitted traffic only Exits monitor session no monitor session session number Example Router config no monitor session 1 Step 5 Exits configuration mode end Example Router config mon rspan src end Step 6 Sample Configurations The following sections contain configuration examples for SPAN and RSPAN Configuration Example Local SPAN The following example shows how to configure loc...

Page 30: ...config mon RSPAN src destination remote VLAN 100 Router config mon RSPAN src no shutdown Router config mon RSPAN src end Configuration Example RSPAN Destination The following example shows how to configure interface Gigabit Ethernet 0 0 1 as the destination for RSPAN session 2 Router config monitor session 2 type RSPAN destination Router config mon RSPAN dst source remote VLAN 100 Router config mo...

Page 31: ...outer show monitor session 3 Session 3 Type Remote Source Session Status Admin Enabled Source VLANs RX Only 20 MTU 1464 The following example shows the RSPAN destination session with Gigabit Ethernet interface 0 0 1 as destination Router show monitor session 2 Session 2 Type Remote Destination Session Status Admin Enabled Destination Ports Gi0 0 1 MTU 1464 Source RSPAN VLAN 100 Layer 2 Configurati...

Page 32: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series 24 Configuring Switched Port Analyzer Verifying Local SPAN and RSPAN ...

Page 33: ...l Lists on EVCs page 25 Restrictions for Layer 2 Access Control Lists on EVCs page 25 Information About Layer 2 Access Control Lists on EVCs page 27 Configuration Examples for Layer 2 Access Control Lists on EVCs page 32 Prerequisites for Layer 2 Access Control Lists on EVCs Knowledge of how service instances must be configured Knowledge of extended MAC ACLs and how they must be configured Prerequ...

Page 34: ...nd assigning them to a member link Ethernet virtual connection services EVCS uses the EVCs and service instances to provide Layer 2 switched Ethernet services EVC status can be used by a customer edge CE device either to find an alternative path to the service provider network or in some cases to fall back to a backup path over Ethernet or over another alternative service such as ATM For informati...

Page 35: ...configuration mode configure terminal Example Device configure terminal Step 2 Defines an extended MAC ACL and enters mac access list control configuration mode mac access list extended name Example Device config mac access list extended test 12 acl Step 3 Allows forwarding of Layer 2 traffic if the conditions are matched Creates an ACE for the ACL permit src mac mask any dest mac mask any protoco...

Page 36: ...EPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the type and location of the interface to configure where interface type number Example Device config interface gigabitethernet 1 0 0 Step 3 type Specifies the type of th...

Page 37: ...er 2 ACL with ACEs on a Service Instance Perform this task to configure the same ACL with three ACEs and stop all other traffic on a service instance SUMMARY STEPS 1 enable 2 configure terminal 3 mac access list extended name 4 permit src mac mask any dest mac mask any 5 permit src mac mask any dest mac mask any 6 permit src mac mask any dest mac mask any 7 deny any any 8 exit 9 interface type num...

Page 38: ...raffic if the conditions are matched This creates an ACE for the ACL permit src mac mask any dest mac mask any Example Device config ext macl permit 00aa bbcc ddeb 0 0 0 any Step 5 Allows forwarding of Layer 2 traffic if the conditions are matched This creates an ACE for the ACL permit src mac mask any dest mac mask any Example Device config ext macl permit 00aa bbcc ddec 0 0 0 any Step 6 Prevents...

Page 39: ...to control incoming traffic on the interface mac access group access list name in Example Device config if srv mac access group test 12 acl in Step 12 Verifying the Presence of a Layer 2 ACL on a Service Instance Perform this task to verify that a Layer 2 ACL is present on an EVC This verification task can be used after an ACL has been configured to confirm its presence SUMMARY STEPS 1 enable 2 sh...

Page 40: ...ot allowed enable configure terminal mac access list extended mac 20 acl permit 00aa bbcc adec 0 0 0 any permit 00aa bbcc bdec 0 0 0 any permit 00aa bbcc cdec 0 0 0 any permit 00aa bbcc edec 0 0 0 any permit 00aa bbcc fdec 0 0 0 any deny any any exit interface gigabitethernet 10 0 0 service instance 100 ethernet encapsulation dot1q 100 mac access group mac 20 acl in Example Applying a Layer 2 ACL ...

Page 41: ...at a Layer 2 ACL is present on an EVC This verification task can be used after an ACL has been configured to confirm its presence SUMMARY STEPS 1 enable 2 show ethernet service instance id id interface type number detail DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays detailed information about Ether...

Page 42: ...he service instance Associated Interface Displays the EVC with which the service instance is associated Associated EVC Displays details of the associated VLAN ID CEVlans Displays whether the service instance is in an up or down state State Displays the number of packet frames allowed to pass on the service instance by the ACL L2 ACL permit count Displays the number of packet frames not permitted t...

Page 43: ...tended MAC access list mac acl permit any any vlan 10 Layer 2 Configuration Guide for Cisco NCS 4200 Series 35 Layer 2 Access Control Lists on EVCs Example Displaying the Details of Configured Layer 2 ACL ...

Page 44: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series 36 Layer 2 Access Control Lists on EVCs Example Displaying the Details of Configured Layer 2 ACL ...

Page 45: ... component or element Prerequisites for MAC Address Security on Service Instances and EVC Port Channels page 37 Information About MAC Address Security on Service Instances and EVC Port Channels page 38 How to Configure MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels page 43 Configuration Examples for MAC Address Limiting on Service Instances and Bridge Domains and EV...

Page 46: ...ort Channel services is supported only on bridge domains over Ethernet and is not supported on xconnect services Note EVCS uses the concepts of EVCs and service instances Load balancing is done on an Ethernet flow point EFP basis where a number of EFPs exclusively pass traffic through member links MAC Security and MAC Addressing MAC security is enabled on a service instance by configuring the mac ...

Page 47: ...removing an existing address from the MAC address table The only candidate for removal is a dynamically learned address on the service instance If room cannot be made the configuration is rejected Default maximum address is 1 for a service instance Note If the address is already permitted on another service instance in the same bridge domain one of the following actions occur If the conflicting se...

Page 48: ...e bridge domain There are three possible sets of actions that can be taken in response to a violation 1 Shutdown The ingress frame is dropped The service instance on which the offending frame arrived is shut down The event and the response are logged to SYSLOG 2 Restrict The ingress frame is dropped The event and the response are logged to SYSLOG 3 Protect The ingress frame is dropped The ingress ...

Page 49: ...service instance The mac security aging staticand mac security aging sticky commands specify that the mac security aging timeaging time command must be applicable to permitted and sticky MAC addresses respectively In the case of permitted MAC addresses the absolute aging time is measured from the time the address is entered into the MAC address table for example when it is configured or whenever t...

Page 50: ...exceeded any MAC address that fails to get added is reported via an error message to the console the attempt to enable MAC security on the service instance fails and the already added permitted entries are backed out or removed The aging timer for all entries is updated according to the secure aging rules MAC Security Disabled on a Service Instance The existing MAC address table entries for this s...

Page 51: ...itted entries If not the command is rejected The MAC table is scanned for addresses that are attributable to this service instance and dynamically learned MAC addresses are removed when the new MAC address limit is less than the old MAC address limit Sticky Addresses Added or Removed on a Service Instance Existing dynamically learned MAC addresses remain unchanged All new addresses learned become ...

Page 52: ...reates a service instance on an interface and enters service instance configuration mode service instance id ethernet Example Device config if service instance 100 ethernet Step 4 Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance encapsulation dot1q vlan id Example Device config if srv encapsulation dot1q 100 Step 5 Bi...

Page 53: ...the main interface If you configure a physical port as part of a channel group you cannot configure EVCs under that physical port SUMMARY STEPS 1 enable 2 configure terminal 3 interface port channel channel group 4 service instance id ethernet 5 encapsulation dot1q vlan id 6 bridge domain bridge id 7 mac security 8 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable St...

Page 54: ...Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance encapsulation dot1q vlan id Example Device config if srv encapsulation dot1q 100 Step 5 Binds the service instance to a bridge domain instance where bridge id is the identifier for the bridge domain instance bridge domain bridge id Example Device config if srv bridge do...

Page 55: ...PS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the interface type and number and enters interface configuration mode interface type number Example Device config interface gigabitethernet2 0 1 Step 3 Creates a service i...

Page 56: ...ample Device config if srv mac security address permit a2aa aaaa aaab Step 8 Adds the specified MAC address as a permitted MAC address for the service instance mac security address permit mac address Example Device config if srv mac security address permit a2aa aaaa aaac Step 9 Adds the specified MAC address as a permitted MAC address for the service instance mac security address permit mac addres...

Page 57: ...7 mac security address deny mac address 8 mac security address deny mac address 9 mac security address deny mac address 10 mac security address deny mac address 11 mac security address deny mac address 12 mac security 13 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode conf...

Page 58: ... srv bridge domain 200 Step 6 Adds the specified MAC address as a denied MAC address for the service instance mac security address deny mac address Example Device config if srv mac security address deny a2aa aaaa aaaa Step 7 Adds the specified MAC address as a denied MAC address for the service instance mac security address deny mac address Example Device config if srv mac security address deny a2...

Page 59: ...cured MAC addresses allowed on a service instance This number includes addresses added as part of a permit list as well as dynamically learned MAC addresses If the upper limit is decreased all learned MAC entries are removed SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 service instance id ethernet 5 encapsulation dot1q vlan id 6 bridge domain bridge id 7 mac security maxim...

Page 60: ... service instance encapsulation dot1q vlan id Example Device config if srv encapsulation dot1q 100 Step 5 Binds the service instance to a bridge domain instance where bridge id is the identifier for the bridge domain instance bridge domain bridge id Example Device config if srv bridge domain 200 Step 6 Sets the maximum number of secure addresses permitted on the service instance Default value for ...

Page 61: ...er 4 service instance id ethernet 5 encapsulation dot1q vlan id 6 bridge domain bridge id 7 Do one of the following mac security violation restrict mac security violation protect 8 mac security 9 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example De...

Page 62: ...r the bridge domain instance bridge domain bridge id Example Device config if srv bridge domain 100 Step 6 Sets the violation mode for Type 1 and 2 violations to restrict Do one of the following Step 7 mac security violation restrict or mac security violation protect Sets the violation mode for Type 1 and 2 violations to protect Example Device config if srv mac security violation restrict If a MAC...

Page 63: ...ac security aging time aging time inactivity 8 mac security 9 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the interface type and number and enters interface configuration mode interface type number E...

Page 64: ...s The optional inactivity keyword specifies that the aging out of mac security aging time aging time inactivity Step 7 addresses is based on inactivity of the sending hosts as opposed to absolute aging Example Device config if srv mac security aging time 200 inactivity Enables MAC security on the service instance mac security Example Device config if srv mac security Step 8 Returns to user EXEC mo...

Page 65: ...enters interface configuration mode interface type number Example Device config interface gigabitethernet2 0 1 Step 3 Creates a service instance an instance of an EVC on an interface and enters service instance configuration mode service instance id ethernet Example Device config if service instance 100 ethernet Step 4 Defines the matching criteria to be used to map ingress dot1q frames on an inte...

Page 66: ...e Device config if srv mac security Step 8 Returns to user EXEC mode end Example Device config if srv end Step 9 Displaying the MAC Security Status of a Specific Service Instance Perform this task to display the MAC security status of a service instance SUMMARY STEPS 1 enable 2 show ethernet service instance id id interface type number mac security 3 end DETAILED STEPS Purpose Command or Action En...

Page 67: ...curity enabled SUMMARY STEPS 1 enable 2 show ethernet service instance mac security 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays all the service instances with MAC security enabled show ethernet service instance mac security Example Device show ethernet service instance mac security Step 2 R...

Page 68: ...he service instances with MAC security enabled on a specific bridge domain show bridge domain id mac security Example Device show bridge domain 100 mac security Step 2 Returns to user EXEC mode end Example Device end Step 3 Showing the MAC Addresses of All Secured Service Instances SUMMARY STEPS 1 enable 2 show ethernet service instance mac security address 3 show mac address table secure 4 end La...

Page 69: ...cure Example Device show mac address table secure Step 3 Returns to user EXEC mode end Example Device end Step 4 Showing the MAC Addresses of a Specific Service Instance SUMMARY STEPS 1 enable 2 show ethernet service instance id id interface type number mac security address 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your pa...

Page 70: ...e domain id mac security address 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays the secured addresses of all the service instances on a specified bridge domain show bridge domain id mac security address Example Device show bridge domain 100 mac security address Step 2 Returns to user EXEC mode...

Page 71: ...ervice instance show ethernet service instance id id interface type number mac security statistics Example Device show ethernet service instance id 100 Step 2 interface gigabitethernet1 1 mac security statistics Returns to user EXEC mode end Example Device end Step 3 Showing the MAC Security Statistics of All Service Instances on a Specific Bridge Domain Perform this task to display the MAC securi...

Page 72: ...eturns to user EXEC mode end Example Device end Step 3 Showing the Last Violation Recorded on Each Service Instance on a Specific Bridge Domain Perform this task to display the last violation recorded on each service instance on a specific bridge domain Service instances on which there have been no violations are excluded from the output SUMMARY STEPS 1 enable 2 show bridge domain bridge id mac se...

Page 73: ...ice end Step 3 Clearing All Dynamically Learned Secure MAC Addresses on a Service Instance Perform this task to clear all dynamically learned Secure MAC addresses on a service instance SUMMARY STEPS 1 enable 2 clear ethernet service instance id id interface type number mac table 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter yo...

Page 74: ... addresses on a bridge domain SUMMARY STEPS 1 enable 2 clear bridge domain bridge id mac table 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Clears all dynamically learned MAC addresses on the specified bridge domain clear bridge domain bridge id mac table Example Device clear bridge domain 100 mac ta...

Page 75: ...e config if srv mac security Device config if srv end Example Configuring a MAC Address Permit List The following example shows how to configure a MAC address permit list Device enable Device configure terminal Device config interface gigabitethernet 3 0 1 Device config if service instance 100 ethernet Device config if srv encapsulation dot1Q 100 Device config if srv bridge domain 100 Device confi...

Page 76: ...100 Device config if srv bridge domain 100 Device config if srv mac security maximum addresses 10 Device config if srv mac security Device config if srv end Example Configuring a MAC Address Violation Response Device enable Device configure terminal Device config interface gigabitethernet 3 0 1 Device config if service instance 100 ethernet Device config if srv encapsulation dot1Q 100 Device confi...

Page 77: ...111 1111 Reason Re learn attempt Total violation count 321 Example Displaying the MAC Security Status of a Specific Service Instance Device show ethernet service instance id 100 interface te0 0 3 mac security Bridge domain 100 MAC Security enabled yes Example Displaying the MAC Addresses of All Secured Service Instances Device show ethernet service instance mac security address Port Bridge domain ...

Page 78: ... security address Port MAC Address Type Gi0 0 3 ServInst 10 0000 00ac ef02 sticky Gi0 0 3 ServInst 10 0000 00ac ef03 sticky Gi0 0 3 ServInst 10 0000 00ac ef04 dynamic Gi0 0 3 ServInst 10 0000 00ac ef05 dynamic Gi0 0 3 ServInst 10 0000 00ac ef06 sticky Gi0 0 3 ServInst 10 0000 00ac ef07 dynamic Gi0 0 3 ServInst 10 0000 00ac ef08 dynamic Gi0 0 3 ServInst 10 0000 00ac ef09 dynamic Gi0 0 3 ServInst 10...

Page 79: ...Instances page 71 Information about Static MAC Address Support on Service Instances page 72 Configuring a Static MAC Address on a Service Instance page 72 Verifying Configured Static MAC Addresses on a Service Instance page 74 Prerequsites for Static MAC Address Support on Service Instances Knowledge of both port and bridge domain limitations Knowledge of service instances Restrictions for Static ...

Page 80: ...port on Service Instances Facilitates optimization of network resources Conserves MAC table resources when used for upstream traffic Configuring a Static MAC Address on a Service Instance Perform this task to manually configure a static MAC address on a service instance SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 service instance id ethernet evc id 5 encapsulation dot1q v...

Page 81: ...d vlan id native Example Router config if srv encapsulation dot1q 100 Step 5 Binds a service instance to a bridge domain instance bridge domain bridge id split horizon group group id Example Router config if srv bridge domain 100 Step 6 Configures a static MAC address mac static address mac addr auto learn Example Router config if srv mac static address 0000 bbbb cccc Step 7 Returns the CLI to pri...

Page 82: ...ed static MAC address on a service instance show bridge domain Example Verifying Configured Static MAC Addresses on a Service Instance show bridge domain The sample output for the show bridge domain command Router show bridge domain 10 mac static address Bridge Domain ID 10 Static MAC count System 1 bridge domain 1 Port Address Action Gi0 3 7 ServInst 10 aaa1 123c bc32 Layer 2 Configuration Guide ...

Page 83: ...ning on the bridge domain by setting the MAC limit to 0 Use the mac address table limit bdomain num maximum 0 action limit command to disable mac learning on the router Note When the total number of addresses in a bridge domain exceeds the maximum number the router takes a violation action You can enable the following actions Warning The router sends a syslog message and takes no further action Th...

Page 84: ...dress table limit bdomain id 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enter global configuration mode configure terminal Step 1 Sets the specific limit and any optional actions to be imposed at the bridge domain level mac address table limit bdomain id maximum num action warning limit shutdown flood Step 2 The default maximum value is 500 Return to privileged E...

Page 85: ...00 action limit flood Router config end Router show mac address table limit bdomain 10 bdomain action flood maximum Total entries Current state 10 limit Disable 100 0 Within Limit Layer 2 Configuration Guide for Cisco NCS 4200 Series 77 MAC Limiting Example of Enabling Per Bridge Domain MAC Limiting ...

Page 86: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series 78 MAC Limiting Example of Enabling Per Bridge Domain MAC Limiting ...

Reviews:

No comments

Related manuals for NCS 4200 Series

Panasonic KX-HTS Series Quick Start Manual preview
KX-HTS Series
Brand: Panasonic Pages: 2
Campbell NL115 Instruction Manual preview
NL115
Brand: Campbell Pages: 42
Sun Microsystems Ray 3 Plus Client Getting Started Manual preview
Ray 3 Plus Client
Brand: Sun Microsystems Pages: 6
Dahua DHI-NVR5224-24P-4KS2 Quick Start Manual preview
DHI-NVR5224-24P-4KS2
Brand: Dahua Pages: 24
Rain Bird E-3 Installation, Programming & Operation Manual preview
E-3
Brand: Rain Bird Pages: 17
Eaton Power Xpert Meter 2000 Instructions Manual preview
Power Xpert Meter 2000
Brand: Eaton Pages: 16
Eaton POW-R-COMMAND 1000 User Manual preview
POW-R-COMMAND 1000
Brand: Eaton Pages: 84
H3C SR6600 SPE-FWM Vxlan Command Reference preview
SR6600 SPE-FWM
Brand: H3C Pages: 45
H3C SR6600 SPE-FWM Manual preview
SR6600 SPE-FWM
Brand: H3C Pages: 80
H3C MSR 5600 Configuration Manual preview
MSR 5600
Brand: H3C Pages: 46
H3C MSR 5600 Comware 7 Vxlan Command Reference preview
MSR 5600
Brand: H3C Pages: 45
H3C MSR 3600 Quick Start preview
MSR 3600
Brand: H3C Pages: 4
H3C SR6600 SPE-FWM Fundamentals Configuration Manual preview
SR6600 SPE-FWM
Brand: H3C Pages: 184
Obihai OBi110 Quick Start Manual preview
OBi110
Brand: Obihai Pages: 2
Dahua Smart 1U Quick Start Manual preview
Smart 1U
Brand: Dahua Pages: 24
Edge-Core SDW100 Quick Start Manual preview
SDW100
Brand: Edge-Core Pages: 7
Funkwerk TR 200 aw/ bw Operating Instructions preview
TR 200 aw/ bw
Brand: Funkwerk Pages: 2
Allnet ALL1682504 Quick Installation preview
ALL1682504
Brand: Allnet Pages: 12

Brands by name

Popular brands

Load more brands