Mac Address Deny List - Cisco ASR 920 Series Configuration Manual Ethernet Router

Carrier Ethernet Configuration Guide (Cisco ASR 920 Series)
Configuring MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

the MAC address table. The only candidate for removal is a dynamically learned address on the service instance. If sufficient room cannot be made, the configuration is rejected.
• If the acceptance of this address would increase the secure address count on the bridge domain beyond the maximum number allowed, an attempt is made to make room by removing an existing address from the MAC address table. The only candidate for removal is a dynamically learned address on the service instance. If room cannot be made, the configuration is rejected.
• If the address is already permitted on another service instance in the same bridge domain, one of the following actions occurs:
  • If the conflicting service instance has MAC security configured, the configuration is rejected with an appropriate error message.
  • If the conflicting service instance does not have MAC security configured, the configuration is accepted silently. (If the operator attempts to enable MAC security on the conflicting service instance, that attempt fails.)

Note: Default maximum address is '1' for a service instance.

MAC Address Deny List
A deny list is a set of MAC addresses that are not permitted on a service instance. An attempt to learn a denied MAC address will fail. On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more denied MAC addresses. The arrival of a frame with a source MAC address that is part of a deny list will trigger a violation response.
Before a denied address can be configured, the following test is performed:
• If the address is already configured as a permitted address on the specific service instance or if the address has been learned and saved as a sticky address on the service instance, the configuration is rejected with an appropriate error message.
In all other cases, the configuration of the denied address is accepted. Typical cases include:
• The address is configured as a permitted address on another service instance in the same bridge domain, or the address has been learned and saved as a sticky address on another service instance.
• The address is present in the MAC table of the bridge domain as a dynamically learned address on the specific service instance and is deleted from the MAC table before the configuration is accepted.

MAC Address Limiting and Learning
An upper limit for the number of secured MAC addresses allowed on a bridge domain service instance can be configured. This limit includes addresses added as part of a permit list and dynamically learned MAC addresses.
Before an unknown MAC address is learned, a series of checks is run against a set of configured and operational constraints. If any of these checks fails, the address is not learned, and a configured violation response is triggered.
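
The deny-list configuration test and the pre-learning checks described above, modelled as an added example (not Cisco code and not part of the original manual). The class, method and result names are hypothetical. Counting sticky addresses toward the limit, and checking only the deny list and the per-instance limit before learning, are simplifying assumptions.

```python
# Added example: simplified model of this page's rules; names are hypothetical.
from dataclasses import dataclass, field

def norm(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits with separators removed."""
    digits = "".join(c for c in mac.lower() if c not in ".:-")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass
class ServiceInstance:
    max_addresses: int = 1                       # default stated on this page
    permit: set = field(default_factory=set)     # configured permit list
    sticky: set = field(default_factory=set)     # learned and saved as sticky
    dynamic: set = field(default_factory=set)    # dynamically learned entries
    deny: set = field(default_factory=set)       # configured deny list

    def secured(self) -> set:
        # Assumption: sticky entries count toward the limit like other learned ones.
        return self.permit | self.sticky | self.dynamic

    def configure_deny(self, mac: str) -> str:
        mac = norm(mac)
        # Only state on this same service instance can block the deny entry.
        if mac in self.permit or mac in self.sticky:
            return "rejected"
        self.dynamic.discard(mac)   # a dynamic entry is deleted before acceptance
        self.deny.add(mac)
        return "accepted"

    def on_frame(self, src_mac: str) -> str:
        mac = norm(src_mac)
        if mac in self.deny:
            return "violation"      # denied source address
        if mac in self.secured():
            return "known"          # already secured, nothing to learn
        if len(self.secured()) >= self.max_addresses:
            return "violation"      # learning would exceed the limit
        self.dynamic.add(mac)
        return "learned"

if __name__ == "__main__":
    si = ServiceInstance()
    for mac in ("aaaa.bbbb.cccc", "aaaa.bbbb.dddd"):   # constructed addresses
        print(mac, si.on_frame(mac))
    print("deny aaaa.bbbb.cccc:", si.configure_deny("aaaa.bbbb.cccc"))
    print("aaaa.bbbb.cccc", si.on_frame("aaaa.bbbb.cccc"))
```

With the default limit of 1, the second constructed address triggers a violation until the first one is moved to the deny list, which frees its dynamically learned slot.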
