Restrictions for Local Span and RSPAN Understanding Local SPAN and RSPAN Information About Local SPAN Session and RSPAN Session Local SPAN Session Local SPAN Traffic RSPAN Session RSPAN Traffic Destination Interface Source Interface Layer 2 Configuration Guide for Cisco NCS 4200 Series...
Configuring MAC Address Security on Service Instances and EVC Port Channels (Chapter 4): Prerequisites for MAC Address Security on Service Instances and EVC Port Channels...
Displaying the Service Instances with MAC Security Enabled on a Specific Bridge Domain; Showing the MAC Addresses of All Secured Service Instances; Showing the MAC Addresses of a Specific Service Instance...
Benefits of Static MAC Address Support on Service Instances; Configuring a Static MAC Address on a Service Instance; Example for Configuring a Static MAC Address on a Service Instance; Verifying Configured Static MAC Addresses on a Service Instance...
Example: Verifying Configured Static MAC Addresses on a Service Instance; MAC Limiting (Chapter 6): Restrictions and Usage Guidelines; Configuring MAC Limiting; Example of Enabling Per-Bridge-Domain MAC Limiting...
• Port shaper cannot be bypassed in facility loopback.
• Facility and terminal Ethernet data plane loopback (ELB) are not supported on dot1ad NNI interfaces.
• Internal loopback sessions configured must be within the 1 GB reserved bandwidth for the Cisco ASR 900 Series RSP2 module.
Dot1Q and 4 sessions are with Dot1Q and destination MAC address. This scale reduces if RSPAN or SADT is configured. This scale is supported on the Cisco ASR 900 Series RSP2 module.
• Only one Ethernet loopback (terminal or facility) session can be active on an EFP at any instance.
By default, the session runs for 300 seconds unless you explicitly specify a duration, and it stops automatically when the session time expires.
enable
configure terminal
ethernet loopback start local interface gigabitEthernet 0/4/1 service instance 10 external
Total Active Session(s) Total Internal Session(s) Total External Session(s)
• This example shows how to stop the sessions on the router.
Router# ethernet loopback stop local interface GigabitEthernet 0/4/1 id 1
IfSt PtSt Domain ID Ingress MA Name Type Id SrvcInst EVC Name Local MEP Info
--------------------------------------------------------------------------------
f078.1685.313f Gi0/0/0:(2.2.2.2, 880) XCON N/A MPID: 200 Domain: CCI MA: 800
Total Remote MEPs: 1
• RSPAN VLAN must be dedicated, and all Layer 2 devices in the network must be aware of the VLAN.
• RSPAN source and destination switches separated by the VPLS pseudowire must be aware of the RSPAN VLAN/bridge domain (BD).
• Pseudowire must be dedicated for RSPAN traffic.
• SPAN monitoring of port-channel interfaces or port-channel member-links is not supported.
• Combined egress local SPAN bandwidth supported on the Cisco ASR 900 Series RSP2 module is 1 GB.
• Local SPAN is not supported on logical interfaces such as VLANs or EFPs.
• Do not have the RSPAN bridge domain as part of the RSPAN source interface.
RSP3 module
• RSPAN is not supported on the Cisco ASR 900 Series RSP3 module.
Understanding Local SPAN and RSPAN
Information About Local SPAN Session and RSPAN Session...
The traffic from the source ports or VLANs is mirrored into the RSPAN VLAN and forwarded over trunk or EVC bridge domain (BD) ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN.
SPAN or RSPAN destination interface stops trunking on the interface.
Source Interface
A source interface is an interface monitored for network traffic analysis. An interface configured as a destination interface cannot be configured as a source interface.
Table fragment (RSPAN tag handling; the table layout was lost in extraction): for untagged traffic and single-tagged traffic on the source port, the table lists the source-port rewrite (pop1, tag symmetric, no-rewrite) against the RSPAN VLAN (BD) rewrite (pop1 tag, pop2 tag, push1 tag), with the resulting mirrored frame given as "RSPAN BD tag + packet" or "RSPAN BD tag + source-outer-tag + packet".
Removing Sources or Destinations from a Local SPAN Session
To remove sources or destinations from a local SPAN session, use the following commands beginning in EXEC mode:
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session session-number
5. destination remote vlan rspan_vlan_ID
6. no shutdown
7. end
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Router> enable
EFP or port which carries the RSPAN traffic.
Step 6 no shutdown: Restarts the interface. Example: Router(config-mon-rspan-src)# no shutdown
Step 7 end: Exits the configuration. Example: Router(config-mon-rspan-src)# end
Associates the RSPAN destination session number with the destination port.
• single_interface: Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
◦ slot/subslot/port: The location of the interface.
Example: Router(config-mon-rspan-dst)# destination interface gigabitethernet 0/0/1
Configures an RSPAN source session number and enters RSPAN source session configuration mode for the session.
• session_number: The valid sessions are 1 through 14.
Example: Router(config)# monitor session 1
The following example shows how to configure local SPAN session 8 to monitor bidirectional traffic from a source Gigabit Ethernet interface to a destination Gigabit Ethernet interface:
Router(config)# monitor session 8 type local
Router(config)# source interface gigabitethernet 0/0/10
Router(config)# destination interface gigabitethernet 0/0/3
Router(config)# no shut
Restrictions for Layer 2 Access Control Lists on EVCs
• A maximum of 512 access control entries (ACEs) is allowed for a given ACL, with the limitation that it does not exceed the maximum number of TCAM entries.
ACL.
• The show ethernet service instance id id interface type number detail command can be used to provide details about ACLs on service instances.
permit {src-mac mask | any} {dest-mac mask | any} [protocol [vlan vlan] [cos value]]: Allows forwarding of Layer 2 traffic if the conditions are matched. Creates an ACE for the ACL. Example: Device(config-ext-macl)# permit 00aa.00bb.00cc 0.0.0 any
• number: Specifies the location of the interface.
Step 4 service instance id ethernet: Configures an Ethernet service instance on an interface and enters Ethernet service configuration mode. Example: Device(config-if)# service instance 100 ethernet
9. interface type number
10. service instance id ethernet
11. encapsulation dot1q vlan-id
12. mac access-group access-list-name in
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode.
deny any any: Prevents forwarding of Layer 2 traffic except for the allowed ACEs. Example: Device(config-ext-macl)# deny any any
Step 8 exit: Exits the current command mode and returns to global configuration mode. Example: Device(config-ext-macl)# exit
2. show ethernet service instance id id interface type number detail
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Device> enable
Example Applying a Layer 2 ACL to Three Service Instances on the Same Interface
The following example shows how to apply a Layer 2 ACL called mac-07-acl to three service instances on the same interface:
enable
Step 2 show ethernet service instance id id interface type number detail: Displays detailed information about Ethernet customer service instances. Example: Device# show ethernet service instance id 100 interface gigabitethernet 3/0/1 detail
The following sample output displays the details of a configured Layer 2 ACL.
Device# show access-lists
Extended IP access list ip-acl
 10 permit ip any any
Extended MAC access list mac-acl
 permit any any vlan 10
Device#
Device# sh access-lists mac-acl
Layer 2 Access Control Lists on EVCs: Example Displaying the Details of Configured Layer 2 ACL
Extended MAC access list mac-acl
 permit any any vlan 10
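The guide's own "three service instances" example is cut off in this extract after its first command. The following is an added example, not the guide's text, assembled only from commands that appear on this page: an extended MAC ACL that permits one known source MAC and denies everything else, bound inbound to three service instances on one interface, followed by the two verification commands the guide names. The interface name, the dot1q VLAN IDs, the service instance numbers and the permitted MAC address are assumed values.

```text
enable
configure terminal
! Assumed ACL: one permitted source MAC (from the guide's ACE example),
! then the explicit default-deny ACE the guide's procedure ends with.
mac access-list extended mac-07-acl
 permit 00aa.00bb.00cc 0.0.0 any
 deny any any
 exit
! Three service instances on the same physical interface (assumed values).
! The same ACL is applied inbound to each one.
interface gigabitethernet 3/0/1
 service instance 100 ethernet
  encapsulation dot1q 100
  mac access-group mac-07-acl in
  exit
 service instance 101 ethernet
  encapsulation dot1q 101
  mac access-group mac-07-acl in
  exit
 service instance 102 ethernet
  encapsulation dot1q 102
  mac access-group mac-07-acl in
  exit
 exit
end
! Verification: ACE list, then the per-service-instance binding.
show access-lists mac-07-acl
show ethernet service instance id 100 interface gigabitethernet 3/0/1 detail
```

Because the last ACE is deny any any, any frame whose source MAC is not in the permit ACEs is dropped on all three service instances; the sample output earlier on this page (permit any any vlan 10) is the opposite, permissive shape. The restriction above caps an ACL at 512 ACEs, bounded further by the available TCAM entries, so a long allow-list should be checked against that limit before it is applied.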
• An understanding of the concepts of MAC address limiting and how it is used for MAC security.
• An understanding of how port channels and EtherChannels work in a network.
MAC Address Permit List
A permit list is a set of MAC addresses that are permitted on a service instance. Permitted addresses are permanently configured into the MAC address table of the service instance.
• If the address is already configured as a permitted address on the specific service instance, or if the address has been learned and saved as a sticky address on the service instance, the configuration is rejected with an appropriate error message.
You can configure the desired response for Type 1 and Type 2 violations on a service instance. For a Type 1 violation on a bridge domain (that is, if the learn attempt conforms to the policy configured on...
The mac security sticky address mac-address command can configure a specific MAC address as a sticky MAC address. The use of this command is not recommended, because configuring a MAC address...
Since MAC security is applicable only on service instances that are members of a bridge domain, removing a service instance from a bridge domain causes all the MAC security commands to be erased permanently.
How to Configure MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels
Enabling MAC Security on a Service Instance
Perform this task to enable MAC address security on a service instance.
Example: Device(config-if-srv)# encapsulation dot1q 100
Step 6 bridge-domain bridge-id: Binds the service instance to a bridge-domain instance, where bridge-id is the identifier for the bridge-domain instance. Example: Device(config-if-srv)# bridge-domain 200
3. interface port-channel channel-group
4. service instance id ethernet
5. encapsulation dot1q vlan-id
6. bridge-domain bridge-id
7. mac security
8. end
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode.
Example: Device(config-if-srv)# bridge-domain 200
Step 7 mac security: Enables MAC security on the service instance. Example: Device(config-if-srv)# mac security
Step 8 end: Returns to user EXEC mode. Example: Device(config-if-srv)# end
Device(config)# interface gigabitethernet2/0/1
Step 4 service instance id ethernet: Creates a service instance (an instance of an EVC) on an interface and enters service instance configuration mode. Example: Device(config-if)# service instance 100 ethernet
Example: Device(config-if-srv)# mac security address permit a2aa.aaaa.aaae
Step 12 mac security: Enables MAC security on the service instance. Example: Device(config-if-srv)# mac security
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Device> enable
Step 2 configure terminal: Enters global configuration mode. Example: Device# configure terminal
Device(config-if-srv)# mac security address deny a2aa.aaaa.aaac
Step 10 mac security address deny mac-address: Adds the specified MAC address as a denied MAC address for the service instance. Example: Device(config-if-srv)# mac security address deny a2aa.aaaa.aaad
5. encapsulation dot1q vlan-id
6. bridge-domain bridge-id
7. mac security maximum addresses maximum-addresses
8. mac security
9. end
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode.
Note: Default value for a service instance is '1'. Example: Device(config-if-srv)# mac security maximum addresses 500
Step 8 mac security: Enables MAC security on the service instance. Example: Device(config-if-srv)# mac security
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Device> enable
Step 2 configure terminal: Enters global configuration mode. Example: Device# configure terminal
Example: Device(config-if-srv)# mac security violation protect
Step 8 mac security: Enables MAC security on the service instance. Example: Device(config-if-srv)# mac security
Step 9 end: Returns to user EXEC mode. Example: Device(config-if-srv)# end
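The procedures above (permit list, deny list, maximum addresses, violation response) are shown one step at a time. As an added example, not the guide's own text, here is one complete service-instance configuration that combines them in the order a practitioner would apply them, followed by the show commands this guide lists for verifying secured addresses, statistics and the last recorded violation. The interface, VLAN, bridge-domain number, MAC addresses and the address cap are assumed values.

```text
enable
configure terminal
interface gigabitethernet 2/0/1
 service instance 100 ethernet
  encapsulation dot1q 100
  ! MAC security only applies to a service instance that is in a bridge domain
  ! (removing it from the bridge domain erases the MAC security commands).
  bridge-domain 200
  ! Permit list: known customer MACs (assumed values), programmed permanently.
  mac security address permit a2aa.aaaa.aaae
  mac security address permit a2aa.aaaa.aaaf
  ! Deny list: an address that must never be learned here (assumed value).
  mac security address deny a2aa.aaaa.aaac
  ! Cap on learned addresses for this service instance (the default is 1).
  mac security maximum addresses 5
  ! Violation response shown in the guide's step: frames from violating
  ! addresses are dropped rather than the service instance being shut down.
  mac security violation protect
  ! Enable enforcement last, once the policy is in place.
  mac security
  end
! Verification commands listed in this guide.
show ethernet service instance id 100 interface gigabitethernet 2/0/1 mac security
show bridge-domain 200 mac security address
show bridge-domain 200 mac security last violation
show mac address-table secure
```

Enabling mac security as the final step means the permit and deny lists and the address cap are already present when learning is first policed, so no address is learned under a looser policy than intended. The last violation output omits service instances with no violations, so an empty result for a bridge domain is the expected clean state, and the statistics command for the bridge domain is the place to confirm counters rather than the violation list.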
If sticky MAC addressing is configured on a secured service instance, MAC addresses that are learned dynamically on the service instance are retained during a link-down condition. Perform this task to configure sticky MAC addresses on a service instance.
Step 5 encapsulation dot1q vlan-id: Defines the matching criteria to be used to map ingress dot1q frames on an interface to the appropriate service instance. Example: Device(config-if-srv)# encapsulation dot1q 100
2. show ethernet service instance id id interface type number mac security
3. end
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Device> enable
show ethernet service instance mac security: Displays all the service instances with MAC security enabled. Example: Device# show ethernet service instance mac security
Step 3 end: Returns to user EXEC mode. Example: Device# end
Example: Device# end
Showing the MAC Addresses of All Secured Service Instances
SUMMARY STEPS
1. enable
2. show ethernet service instance mac security address
3. show mac address-table secure
4. end
2. show ethernet service instance id id interface type number mac security address
3. end
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Device> enable
Displays the secured addresses of all the service instances on a specified bridge domain. Example: Device# show bridge-domain 100 mac security address
Step 3 end: Returns to user EXEC mode. Example: Device# end
Showing the MAC Security Statistics of All Service Instances on a Specific Bridge Domain
Perform this task to display the MAC security statistics of all the service instances on a specific bridge domain.
Perform this task to display the last violation recorded on each service instance on a specific bridge domain. Service instances on which there have been no violations are excluded from the output.
SUMMARY STEPS
1. enable
2. show bridge-domain bridge-id mac security last violation
3. end
2. clear ethernet service instance id id interface type number mac table
3. end
DETAILED STEPS
Command or Action / Purpose
Step 1 enable: Enables privileged EXEC mode. • Enter your password if prompted. Example: Device> enable
Clears all dynamically learned MAC addresses on the specified bridge domain. Example: Device# clear bridge-domain 100 mac table
Step 3 end: Returns to user EXEC mode. Example: Device# end
0000.00ac.ef0a dynamic
Gi0/0/3 ServInst 10 0000.00ac.ef0b dynamic
Example Displaying the Secured Service Instances for a Specific Bridge Domain
Router# show bridge-domain 10 mac security
Gi0/0/3 ServInst 10
MAC Security enabled: yes
• Static MAC addresses are programmed only on switch processors (both active and standby).
• The static MAC address on pseudowires is not supported on the Cisco ASR 900 Series Routers.
Returns the CLI to privileged EXEC mode. Example: Router(config-if-srv)# exit
Example for Configuring a Static MAC Address on a Service Instance
Router> enable
Router# configure terminal
Router(config)# interface GigabitEthernet 0/2/1
The sample output for the show bridge-domain command:
Router# show bridge-domain 10 mac static address
Bridge-Domain ID : 10
Static MAC count : System : 1, bridge-domain : 1
Port Address Action
Gi0/3/7 ServInst 10 aaa1.123c.bc32
MAC address limiting per bridge-domain restricts the number of MAC addresses that the router learns in a bridge-domain on an EFP, pseudowire, or switchport.
Note: The local connect feature is not supported on the Cisco router. However, to simulate a local connect scenario, configure the connecting EFPs on the same bridge domain and disable MAC learning on the bridge domain by setting the MAC limit to 0.
(bdomain) to a disabled state. To restore the bridge-domain, disable and re-enable the mac-limiting feature. Warning is the default action when no action is configured.
Note: The functionality of automatic error recovery is not supported on the Cisco ASR 900 RSP2 module.
Before You Begin
SUMMARY STEPS
1.
Router# configure terminal
Router(config)# mac-address-table limit bdomain 10 maximum 100 action limit flood
Router(config)# end
Router# show mac-address-table limit bdomain 10
bdomain action flood maximum Total entries Current state
-------------+----------+------------+------------+---------------+---------------
limit Disable Within Limit