Cisco NCS 4200 Series Скачать руководство пользователя страница 33 | Manualshive

Страница: 33 / 86

background image

C H A P T E R

3

Layer 2 Access Control Lists on EVCs

The ability to filter packets in a modular and scalable way is important for both network security and network
management. Access Control Lists (ACLs) provide the capability to filter packets at a fine granularity. In
Metro Ethernet networks, ACLs are directly applied on Ethernet virtual circuits (EVCs).

Layer 2 Access Control Lists on EVCs is a security feature that allows packet filtering based on MAC
addresses. This module describes how to implement ACLs on EVCs.

•

Prerequisites for Layer 2 Access Control Lists on EVCs, page 25

•

Prerequisites for Layer 2 Access Control Lists on EVCs, page 25

•

Restrictions for Layer 2 Access Control Lists on EVCs, page 25

•

Information About Layer 2 Access Control Lists on EVCs, page 27

•

Configuration Examples for Layer 2 Access Control Lists on EVCs, page 32

Prerequisites for Layer 2 Access Control Lists on EVCs

•

Knowledge of how service instances must be configured.

•

Knowledge of extended MAC ACLs and how they must be configured.

Prerequisites for Layer 2 Access Control Lists on EVCs

•

Knowledge of how service instances must be configured.

•

Knowledge of extended MAC ACLs and how they must be configured.

Restrictions for Layer 2 Access Control Lists on EVCs

•

A maximum of 512 access control entries (ACEs) are allowed for a given ACL, with the limitation that
it does not exceed the maximum tcam entries.

Layer 2 Configuration Guide for Cisco NCS 4200 Series

25

«
...
31
32
33
34
35
...
»

Содержание NCS 4200 Series

Страница 1: ...on Guide for Cisco NCS 4200 Series First Published 2016 07 29 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Страница 2: ... Cisco Systems Inc All rights reserved ...

Страница 3: ...ration Examples 4 Example Configuring External Loopback 4 Example Configuring Terminal Loopback 4 Verifying Ethernet Data Plane Loopback 5 Example Verifying Ethernet Dataplane Loopback 5 Use Cases or Deployment Scenarios 6 C H A P T E R 2 Configuring Switched Port Analyzer 7 Prerequisites for Configuring Local Span and RSPAN 7 Restrictions for Local Span and RSPAN 8 Understanding Local SPAN and RS...

Страница 4: ...ts on EVCs 25 EVCs 26 Relationship Between ACLs and Ethernet Infrastructure 26 Information About Layer 2 Access Control Lists on EVCs 27 Creating a Layer 2 ACL 27 Applying a Layer 2 ACL to a Service Instance 28 Configuring a Layer 2 ACL with ACEs on a Service Instance 29 Verifying the Presence of a Layer 2 ACL on a Service Instance 31 Configuration Examples for Layer 2 Access Control Lists on EVCs...

Страница 5: ...ard OIR Inserted 43 MAC Address Limit Decreased 43 Sticky Addresses Added or Removed on a Service Instance 43 How to Configure MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels 43 Enabling MAC Security on a Service Instance 43 Enabling MAC Security on an EVC Port Channel 45 Configuring a MAC Address Permit List 47 Configuring a MAC Address Deny List 49 Configuring MAC ...

Страница 6: ...le Configuring a Sticky MAC Address 69 Example Displaying the MAC Addresses on a Specific Secure Service Instance 69 Example Displaying the Last Violation on a Specific Service Instance 69 Example Displaying the MAC Security Status of a Specific Service Instance 69 Example Displaying the MAC Addresses of All Secured Service Instances 69 Example Displaying the MAC Security Statistics of All Service...

Страница 7: ...sses on a Service Instance 74 C H A P T E R 6 MAC Limiting 75 Restrictions and Usage Guidelines 75 Configuring MAC Limiting 75 Example of Enabling Per Bridge Domain MAC Limiting 76 Layer 2 Configuration Guide for Cisco NCS 4200 Series vii Contents ...

Страница 8: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series viii Contents ...

Страница 9: ...rted only of EFPs service instances Ethernet flow points EVCs Internal loopback sessions configured must be within the 1 GB reserved bandwidth Internal loopback can be launched even when the physical interface port state is down Restrictions for Ethernet Data Plane Loopback Data plane loopback on routed port infrastructure is not supported Etype src mac and llc oui based loopback traffic filtering...

Страница 10: ... updated for external Ethernet data plane loopback statistics For internal Ethernet data plane loopback ingress and egress interface statistics are not updated on interface where internal ELB is enabled RSP3 Module Etype VLAN COS src mac and llc oui based loopback traffic filtering is not supported Port based ELB is not supported Internal ELB is not supported when the physical interface port state...

Страница 11: ...level QoS is bypassed except for shaper Port level shaper cannot be bypassed How to Configure Ethernet Data Plane Loopback Enabling Ethernet Data Plane Loopback enable configure terminal interface gigabitethernet 0 2 1 service instance 1 ethernet encapsulation dot1q 100 bridge domain 120 ethernet loopback permit external end Starting an Ethernet Data Plane Loopback Session To start a loopback for ...

Страница 12: ...Ethernet0 4 1 no ip address negotiation auto service instance 10 ethernet encapsulation dot1q 10 rewrite ingress tag pop 1 symmetric bridge domain 10 ethernet loopback permit external For facility loopback end This example below shows how to start external facility loopback on the router A warning message is displayed Type yes to continue Router ethernet loopback start local interface gigabitEther...

Страница 13: ...e Router show ethernet loopback permitted Interface SrvcInst Direction Dot1q Dot1ad s Second Dot1q s Te0 0 0 10 Internal 10 Gi0 4 1 10 External 10 This example shows all active sessions on the router Router show ethernet loopback active Loopback Session ID 1 Interface GigabitEthernet0 4 1 Service Instance 10 Direction External Time out sec none Status on Start time 10 31 09 539 IST Mon Aug 26 2013...

Страница 14: ...Router ethernet loopback start local interface gi0 0 0 service instance 800 internal dot1q 800 destination mac address f078 1685 313f timeout none This is an intrusive loopback and the packets matched with the service will not be able to pass through Continue yes no yes Router show ethernet cfm maintenance points remote MPID Domain Name MacAddress IfSt PtSt Lvl Domain ID Ingress RDI MA Name Type I...

Страница 15: ... Span and RSPAN Local Span Use a network analyzer to monitor interfaces RSPAN Before configuring RSPAN sessions you must first configure 1 Source interface 2 Destination BD MAC learning should be disabled using the mac address table limit rspan vlan bd maximum num action limit command before configuring the RSPAN VLAN RSPAN VLAN must be dedicated and entire Layer 2 devices in the network must be a...

Страница 16: ...ridge Protocol Data Unit BPDU packets are not replicated When enabled local SPAN uses any previously entered configuration When you specify source interfaces and do not specify a traffic direction Tx Rx or both both is used by default The SPAN port does not work for Rx traffic on the pseudowire for interfaces when the SPAN port is in different ASIC of the RSP2 module Local SPAN destinations never ...

Страница 17: ...standing Local SPAN and RSPAN Information About Local SPAN Session and RSPAN Session Local SPAN Session A local Switched Port Analyzer SPAN session is an association of a destination interface with a set of source interfaces You configure local SPAN sessions using parameters that specify the type of network traffic to monitor Local SPAN sessions allow you to monitor traffic on one or more interfac...

Страница 18: ... Session An RSPAN source session is an association of source ports or Vlans across your network with an RSPAN Vlan The RSPAN Vlan BD on the router is the destination RSPAN session RSPAN Traffic RSPAN supports source ports and source Vlans in the source switch and destination as RSPAN Vlan BD The figure below shows the original traffic from the Host A to Host B via the source ports or Vlans on Host...

Страница 19: ...wire associated with the RSPAN Vlan towards the destination side On the destination side a port belonging to the RSPAN Vlan or EVC BD is connected to sniffer device Destination Interface A destination interface also called a monitor interface is a switched interface to which SPAN or RSPAN sends packets for analysis You can have only one destination interface for SPAN sessions An interface configur...

Страница 20: ...pported rewrite traffic for RSPAN on the EFP Trunk with the associated RSPAN bridge domains Table 2 Rewrite Traffic for RSPAN BD EFP Trunk associated with RSPAN BD Source Rewrite Operations Only Pop1 Pop1 Pop2 Push1 no rewrite The following tables lists the format of the spanned packets at the destination port for both Ingress and Egress RSPAN The tables lists the formats of untagged single and do...

Страница 21: ...er tag packet RSPAN BD tag source outer tag source inner tag packet no rewrite pop1 tag pop2 tag push1 tag Table 4 Destination Port Ingress and Egress Spanned Traffic for TEFP RSPAN BD Egress Traffic Ingress Traffic RSPAN Vlan BD rewrite pop1 tag symmetric RSPAN Vlan BD rewrite pop1 tag symmetric Untagged traffic Source port rewrite RSPAN BD tag packet RSPAN BD tag packet no rewrite NA NA pop1 tag...

Страница 22: ... for RSPAN BD with VPLS Pseudowire Egress Traffic Ingress Traffic RSPAN Vlan BD rewrite pop1 tag symmetric RSPAN Vlan BD rewrite pop1 tag symmetric Untagged traffic Source port rewrite RSPAN BD tag packet RSPAN BD tag packet no rewrite NA NA pop1 tag NA NA pop2 tag NA NA push1 tag RSPAN Vlan BD rewrite pop1 tag symmetric RSPAN Vlan BD rewrite pop1 tag symmetric Single traffic Source port rewrite R...

Страница 23: ...slot subslot port rx tx both 4 destination interface interface_type slot subslot port 5 no shutdown DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Router configure terminal Step 1 Specifies the local SPAN session number and enters the local monitoring configuration mode monitor session session_number type local Example Router config monitor ses...

Страница 24: ...ter config mon local destination interface gigabitethernet 0 2 4 interface_type Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface slot subslot port The location of the interface List of interfaces Range of interfaces Enables the local SPAN session no shutdown Example Router config mon local no shutdown Step 5 Removing Sources or Destinations from a Local SPAN Session To remove sourc...

Страница 25: ...iguring RSPAN Source Session To configure the source for a RSPAN session SUMMARY STEPS 1 enable 2 configure terminal 3 monitor session RSPAN_source_session_number type rspan source 4 source single_interface slot subslot port single_vlan rx tx both 5 destination remote vlan rspan_vlan_ID 6 no shutdown 7 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example ...

Страница 26: ...face Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface slot subslot port The location of the interface single_vlan Specifies the single VLAN both Optional Monitors the received and the transmitted traffic rx Optional Monitors the received traffic only tx Optional Monitors the transmitted traffic only Associates the RSPAN source session number session number with the RSPAN VLAN desti...

Страница 27: ...p 3 RSPAN_destination_session_number Valid sessions are 1 to 80 Example Router config monitor session 1 type rspan destination rspan destination Enters the RSPAN destination session configuration mode Associates the RSPAN destination session number RSPAN VLAN source remote vlan rspan_vlan_ID Example Router config mon rspan dst source remote vlan2 Step 4 rspan_vlan_ID Specifies the Vlan ID Associat...

Страница 28: ...tx 5 no monitor session session number 6 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Router enable Enter your password if prompted Enters global configuration mode configure terminal Example Router configure terminal Step 2 Configures an RSPAN source session number and enters RSPAN source session configuration mode for the session monitor session...

Страница 29: ...nal Monitors the transmitted traffic only Exits monitor session no monitor session session number Example Router config no monitor session 1 Step 5 Exits configuration mode end Example Router config mon rspan src end Step 6 Sample Configurations The following sections contain configuration examples for SPAN and RSPAN Configuration Example Local SPAN The following example shows how to configure loc...

Страница 30: ...config mon RSPAN src destination remote VLAN 100 Router config mon RSPAN src no shutdown Router config mon RSPAN src end Configuration Example RSPAN Destination The following example shows how to configure interface Gigabit Ethernet 0 0 1 as the destination for RSPAN session 2 Router config monitor session 2 type RSPAN destination Router config mon RSPAN dst source remote VLAN 100 Router config mo...

Страница 31: ...outer show monitor session 3 Session 3 Type Remote Source Session Status Admin Enabled Source VLANs RX Only 20 MTU 1464 The following example shows the RSPAN destination session with Gigabit Ethernet interface 0 0 1 as destination Router show monitor session 2 Session 2 Type Remote Destination Session Status Admin Enabled Destination Ports Gi0 0 1 MTU 1464 Source RSPAN VLAN 100 Layer 2 Configurati...

Страница 32: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series 24 Configuring Switched Port Analyzer Verifying Local SPAN and RSPAN ...

Страница 33: ...l Lists on EVCs page 25 Restrictions for Layer 2 Access Control Lists on EVCs page 25 Information About Layer 2 Access Control Lists on EVCs page 27 Configuration Examples for Layer 2 Access Control Lists on EVCs page 32 Prerequisites for Layer 2 Access Control Lists on EVCs Knowledge of how service instances must be configured Knowledge of extended MAC ACLs and how they must be configured Prerequ...

Страница 34: ...nd assigning them to a member link Ethernet virtual connection services EVCS uses the EVCs and service instances to provide Layer 2 switched Ethernet services EVC status can be used by a customer edge CE device either to find an alternative path to the service provider network or in some cases to fall back to a backup path over Ethernet or over another alternative service such as ATM For informati...

Страница 35: ...configuration mode configure terminal Example Device configure terminal Step 2 Defines an extended MAC ACL and enters mac access list control configuration mode mac access list extended name Example Device config mac access list extended test 12 acl Step 3 Allows forwarding of Layer 2 traffic if the conditions are matched Creates an ACE for the ACL permit src mac mask any dest mac mask any protoco...

Страница 36: ...EPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the type and location of the interface to configure where interface type number Example Device config interface gigabitethernet 1 0 0 Step 3 type Specifies the type of th...

Страница 37: ...er 2 ACL with ACEs on a Service Instance Perform this task to configure the same ACL with three ACEs and stop all other traffic on a service instance SUMMARY STEPS 1 enable 2 configure terminal 3 mac access list extended name 4 permit src mac mask any dest mac mask any 5 permit src mac mask any dest mac mask any 6 permit src mac mask any dest mac mask any 7 deny any any 8 exit 9 interface type num...

Страница 38: ...raffic if the conditions are matched This creates an ACE for the ACL permit src mac mask any dest mac mask any Example Device config ext macl permit 00aa bbcc ddeb 0 0 0 any Step 5 Allows forwarding of Layer 2 traffic if the conditions are matched This creates an ACE for the ACL permit src mac mask any dest mac mask any Example Device config ext macl permit 00aa bbcc ddec 0 0 0 any Step 6 Prevents...

Страница 39: ...to control incoming traffic on the interface mac access group access list name in Example Device config if srv mac access group test 12 acl in Step 12 Verifying the Presence of a Layer 2 ACL on a Service Instance Perform this task to verify that a Layer 2 ACL is present on an EVC This verification task can be used after an ACL has been configured to confirm its presence SUMMARY STEPS 1 enable 2 sh...

Страница 40: ...ot allowed enable configure terminal mac access list extended mac 20 acl permit 00aa bbcc adec 0 0 0 any permit 00aa bbcc bdec 0 0 0 any permit 00aa bbcc cdec 0 0 0 any permit 00aa bbcc edec 0 0 0 any permit 00aa bbcc fdec 0 0 0 any deny any any exit interface gigabitethernet 10 0 0 service instance 100 ethernet encapsulation dot1q 100 mac access group mac 20 acl in Example Applying a Layer 2 ACL ...

Страница 41: ...at a Layer 2 ACL is present on an EVC This verification task can be used after an ACL has been configured to confirm its presence SUMMARY STEPS 1 enable 2 show ethernet service instance id id interface type number detail DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays detailed information about Ether...

Страница 42: ...he service instance Associated Interface Displays the EVC with which the service instance is associated Associated EVC Displays details of the associated VLAN ID CEVlans Displays whether the service instance is in an up or down state State Displays the number of packet frames allowed to pass on the service instance by the ACL L2 ACL permit count Displays the number of packet frames not permitted t...

Страница 43: ...tended MAC access list mac acl permit any any vlan 10 Layer 2 Configuration Guide for Cisco NCS 4200 Series 35 Layer 2 Access Control Lists on EVCs Example Displaying the Details of Configured Layer 2 ACL ...

Страница 44: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series 36 Layer 2 Access Control Lists on EVCs Example Displaying the Details of Configured Layer 2 ACL ...

Страница 45: ... component or element Prerequisites for MAC Address Security on Service Instances and EVC Port Channels page 37 Information About MAC Address Security on Service Instances and EVC Port Channels page 38 How to Configure MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels page 43 Configuration Examples for MAC Address Limiting on Service Instances and Bridge Domains and EV...

Страница 46: ...ort Channel services is supported only on bridge domains over Ethernet and is not supported on xconnect services Note EVCS uses the concepts of EVCs and service instances Load balancing is done on an Ethernet flow point EFP basis where a number of EFPs exclusively pass traffic through member links MAC Security and MAC Addressing MAC security is enabled on a service instance by configuring the mac ...

Страница 47: ...removing an existing address from the MAC address table The only candidate for removal is a dynamically learned address on the service instance If room cannot be made the configuration is rejected Default maximum address is 1 for a service instance Note If the address is already permitted on another service instance in the same bridge domain one of the following actions occur If the conflicting se...

Страница 48: ...e bridge domain There are three possible sets of actions that can be taken in response to a violation 1 Shutdown The ingress frame is dropped The service instance on which the offending frame arrived is shut down The event and the response are logged to SYSLOG 2 Restrict The ingress frame is dropped The event and the response are logged to SYSLOG 3 Protect The ingress frame is dropped The ingress ...

Страница 49: ...service instance The mac security aging staticand mac security aging sticky commands specify that the mac security aging timeaging time command must be applicable to permitted and sticky MAC addresses respectively In the case of permitted MAC addresses the absolute aging time is measured from the time the address is entered into the MAC address table for example when it is configured or whenever t...

Страница 50: ...exceeded any MAC address that fails to get added is reported via an error message to the console the attempt to enable MAC security on the service instance fails and the already added permitted entries are backed out or removed The aging timer for all entries is updated according to the secure aging rules MAC Security Disabled on a Service Instance The existing MAC address table entries for this s...

Страница 51: ...itted entries If not the command is rejected The MAC table is scanned for addresses that are attributable to this service instance and dynamically learned MAC addresses are removed when the new MAC address limit is less than the old MAC address limit Sticky Addresses Added or Removed on a Service Instance Existing dynamically learned MAC addresses remain unchanged All new addresses learned become ...

Страница 52: ...reates a service instance on an interface and enters service instance configuration mode service instance id ethernet Example Device config if service instance 100 ethernet Step 4 Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance encapsulation dot1q vlan id Example Device config if srv encapsulation dot1q 100 Step 5 Bi...

Страница 53: ...the main interface If you configure a physical port as part of a channel group you cannot configure EVCs under that physical port SUMMARY STEPS 1 enable 2 configure terminal 3 interface port channel channel group 4 service instance id ethernet 5 encapsulation dot1q vlan id 6 bridge domain bridge id 7 mac security 8 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable St...

Страница 54: ...Defines the matching criteria to be used in order to map ingress dot1q frames on an interface to the appropriate service instance encapsulation dot1q vlan id Example Device config if srv encapsulation dot1q 100 Step 5 Binds the service instance to a bridge domain instance where bridge id is the identifier for the bridge domain instance bridge domain bridge id Example Device config if srv bridge do...

Страница 55: ...PS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the interface type and number and enters interface configuration mode interface type number Example Device config interface gigabitethernet2 0 1 Step 3 Creates a service i...

Страница 56: ...ample Device config if srv mac security address permit a2aa aaaa aaab Step 8 Adds the specified MAC address as a permitted MAC address for the service instance mac security address permit mac address Example Device config if srv mac security address permit a2aa aaaa aaac Step 9 Adds the specified MAC address as a permitted MAC address for the service instance mac security address permit mac addres...

Страница 57: ...7 mac security address deny mac address 8 mac security address deny mac address 9 mac security address deny mac address 10 mac security address deny mac address 11 mac security address deny mac address 12 mac security 13 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode conf...

Страница 58: ... srv bridge domain 200 Step 6 Adds the specified MAC address as a denied MAC address for the service instance mac security address deny mac address Example Device config if srv mac security address deny a2aa aaaa aaaa Step 7 Adds the specified MAC address as a denied MAC address for the service instance mac security address deny mac address Example Device config if srv mac security address deny a2...

Страница 59: ...cured MAC addresses allowed on a service instance This number includes addresses added as part of a permit list as well as dynamically learned MAC addresses If the upper limit is decreased all learned MAC entries are removed SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 service instance id ethernet 5 encapsulation dot1q vlan id 6 bridge domain bridge id 7 mac security maxim...

Страница 60: ... service instance encapsulation dot1q vlan id Example Device config if srv encapsulation dot1q 100 Step 5 Binds the service instance to a bridge domain instance where bridge id is the identifier for the bridge domain instance bridge domain bridge id Example Device config if srv bridge domain 200 Step 6 Sets the maximum number of secure addresses permitted on the service instance Default value for ...

Страница 61: ...er 4 service instance id ethernet 5 encapsulation dot1q vlan id 6 bridge domain bridge id 7 Do one of the following mac security violation restrict mac security violation protect 8 mac security 9 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example De...

Страница 62: ...r the bridge domain instance bridge domain bridge id Example Device config if srv bridge domain 100 Step 6 Sets the violation mode for Type 1 and 2 violations to restrict Do one of the following Step 7 mac security violation restrict or mac security violation protect Sets the violation mode for Type 1 and 2 violations to protect Example Device config if srv mac security violation restrict If a MAC...

Страница 63: ...ac security aging time aging time inactivity 8 mac security 9 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the interface type and number and enters interface configuration mode interface type number E...

Страница 64: ...s The optional inactivity keyword specifies that the aging out of mac security aging time aging time inactivity Step 7 addresses is based on inactivity of the sending hosts as opposed to absolute aging Example Device config if srv mac security aging time 200 inactivity Enables MAC security on the service instance mac security Example Device config if srv mac security Step 8 Returns to user EXEC mo...

Страница 65: ...enters interface configuration mode interface type number Example Device config interface gigabitethernet2 0 1 Step 3 Creates a service instance an instance of an EVC on an interface and enters service instance configuration mode service instance id ethernet Example Device config if service instance 100 ethernet Step 4 Defines the matching criteria to be used to map ingress dot1q frames on an inte...

Страница 66: ...e Device config if srv mac security Step 8 Returns to user EXEC mode end Example Device config if srv end Step 9 Displaying the MAC Security Status of a Specific Service Instance Perform this task to display the MAC security status of a service instance SUMMARY STEPS 1 enable 2 show ethernet service instance id id interface type number mac security 3 end DETAILED STEPS Purpose Command or Action En...

Страница 67: ...curity enabled SUMMARY STEPS 1 enable 2 show ethernet service instance mac security 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays all the service instances with MAC security enabled show ethernet service instance mac security Example Device show ethernet service instance mac security Step 2 R...

Страница 68: ...he service instances with MAC security enabled on a specific bridge domain show bridge domain id mac security Example Device show bridge domain 100 mac security Step 2 Returns to user EXEC mode end Example Device end Step 3 Showing the MAC Addresses of All Secured Service Instances SUMMARY STEPS 1 enable 2 show ethernet service instance mac security address 3 show mac address table secure 4 end La...

Страница 69: ...cure Example Device show mac address table secure Step 3 Returns to user EXEC mode end Example Device end Step 4 Showing the MAC Addresses of a Specific Service Instance SUMMARY STEPS 1 enable 2 show ethernet service instance id id interface type number mac security address 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your pa...

Страница 70: ...e domain id mac security address 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays the secured addresses of all the service instances on a specified bridge domain show bridge domain id mac security address Example Device show bridge domain 100 mac security address Step 2 Returns to user EXEC mode...

Страница 71: ...ervice instance show ethernet service instance id id interface type number mac security statistics Example Device show ethernet service instance id 100 Step 2 interface gigabitethernet1 1 mac security statistics Returns to user EXEC mode end Example Device end Step 3 Showing the MAC Security Statistics of All Service Instances on a Specific Bridge Domain Perform this task to display the MAC securi...

Страница 72: ...eturns to user EXEC mode end Example Device end Step 3 Showing the Last Violation Recorded on Each Service Instance on a Specific Bridge Domain Perform this task to display the last violation recorded on each service instance on a specific bridge domain Service instances on which there have been no violations are excluded from the output SUMMARY STEPS 1 enable 2 show bridge domain bridge id mac se...

Страница 73: ...ice end Step 3 Clearing All Dynamically Learned Secure MAC Addresses on a Service Instance Perform this task to clear all dynamically learned Secure MAC addresses on a service instance SUMMARY STEPS 1 enable 2 clear ethernet service instance id id interface type number mac table 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter yo...

Страница 74: ... addresses on a bridge domain SUMMARY STEPS 1 enable 2 clear bridge domain bridge id mac table 3 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Clears all dynamically learned MAC addresses on the specified bridge domain clear bridge domain bridge id mac table Example Device clear bridge domain 100 mac ta...

Страница 75: ...e config if srv mac security Device config if srv end Example Configuring a MAC Address Permit List The following example shows how to configure a MAC address permit list Device enable Device configure terminal Device config interface gigabitethernet 3 0 1 Device config if service instance 100 ethernet Device config if srv encapsulation dot1Q 100 Device config if srv bridge domain 100 Device confi...

Страница 76: ...100 Device config if srv bridge domain 100 Device config if srv mac security maximum addresses 10 Device config if srv mac security Device config if srv end Example Configuring a MAC Address Violation Response Device enable Device configure terminal Device config interface gigabitethernet 3 0 1 Device config if service instance 100 ethernet Device config if srv encapsulation dot1Q 100 Device confi...

Страница 77: ...111 1111 Reason Re learn attempt Total violation count 321 Example Displaying the MAC Security Status of a Specific Service Instance Device show ethernet service instance id 100 interface te0 0 3 mac security Bridge domain 100 MAC Security enabled yes Example Displaying the MAC Addresses of All Secured Service Instances Device show ethernet service instance mac security address Port Bridge domain ...

Страница 78: ... security address Port MAC Address Type Gi0 0 3 ServInst 10 0000 00ac ef02 sticky Gi0 0 3 ServInst 10 0000 00ac ef03 sticky Gi0 0 3 ServInst 10 0000 00ac ef04 dynamic Gi0 0 3 ServInst 10 0000 00ac ef05 dynamic Gi0 0 3 ServInst 10 0000 00ac ef06 sticky Gi0 0 3 ServInst 10 0000 00ac ef07 dynamic Gi0 0 3 ServInst 10 0000 00ac ef08 dynamic Gi0 0 3 ServInst 10 0000 00ac ef09 dynamic Gi0 0 3 ServInst 10...

Страница 79: ...Instances page 71 Information about Static MAC Address Support on Service Instances page 72 Configuring a Static MAC Address on a Service Instance page 72 Verifying Configured Static MAC Addresses on a Service Instance page 74 Prerequsites for Static MAC Address Support on Service Instances Knowledge of both port and bridge domain limitations Knowledge of service instances Restrictions for Static ...

Страница 80: ...port on Service Instances Facilitates optimization of network resources Conserves MAC table resources when used for upstream traffic Configuring a Static MAC Address on a Service Instance Perform this task to manually configure a static MAC address on a service instance SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 service instance id ethernet evc id 5 encapsulation dot1q v...

Страница 81: ...d vlan id native Example Router config if srv encapsulation dot1q 100 Step 5 Binds a service instance to a bridge domain instance bridge domain bridge id split horizon group group id Example Router config if srv bridge domain 100 Step 6 Configures a static MAC address mac static address mac addr auto learn Example Router config if srv mac static address 0000 bbbb cccc Step 7 Returns the CLI to pri...

Страница 82: ...ed static MAC address on a service instance show bridge domain Example Verifying Configured Static MAC Addresses on a Service Instance show bridge domain The sample output for the show bridge domain command Router show bridge domain 10 mac static address Bridge Domain ID 10 Static MAC count System 1 bridge domain 1 Port Address Action Gi0 3 7 ServInst 10 aaa1 123c bc32 Layer 2 Configuration Guide ...

Страница 83: ...ning on the bridge domain by setting the MAC limit to 0 Use the mac address table limit bdomain num maximum 0 action limit command to disable mac learning on the router Note When the total number of addresses in a bridge domain exceeds the maximum number the router takes a violation action You can enable the following actions Warning The router sends a syslog message and takes no further action Th...

Страница 84: ...dress table limit bdomain id 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enter global configuration mode configure terminal Step 1 Sets the specific limit and any optional actions to be imposed at the bridge domain level mac address table limit bdomain id maximum num action warning limit shutdown flood Step 2 The default maximum value is 500 Return to privileged E...

Страница 85: ...00 action limit flood Router config end Router show mac address table limit bdomain 10 bdomain action flood maximum Total entries Current state 10 limit Disable 100 0 Within Limit Layer 2 Configuration Guide for Cisco NCS 4200 Series 77 MAC Limiting Example of Enabling Per Bridge Domain MAC Limiting ...

Страница 86: ...Layer 2 Configuration Guide for Cisco NCS 4200 Series 78 MAC Limiting Example of Enabling Per Bridge Domain MAC Limiting ...

Отзывы:

Нет отзывов

Похожие инструкции для NCS 4200 Series

Univerge SV8100

Бренд: NEC Страницы: 44

8 Port 10/100Mbit/s Ethernet Smart Switch with Fibre Uplink

Бренд: Tyco Electronics Страницы: 18

Бренд: Paradyne Страницы: 2

Бренд: Paradyne Страницы: 20

Бренд: Paradyne Страницы: 2

Бренд: Zhone Страницы: 2

COMSPHERE 6800 Series

Бренд: Paradyne Страницы: 155

COMSPHERE 6800 Series

Бренд: Paradyne Страницы: 44

Бренд: Observint Страницы: 117

PowerBeam AC Gen2

Бренд: Ubiquiti Страницы: 22

SINUS H PROFInet

Бренд: Enertronica Santerno Страницы: 34

Бренд: Patton electronics Страницы: 12

Бренд: ZyXEL Communications Страницы: 244

Бренд: eWON Страницы: 34

Бренд: X-Micro Страницы: 49

Бренд: Airlink101 Страницы: 13

Бренд: Ozenda Страницы: 116

Бренд: Intel Страницы: 958

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды