Mac Address Deny List - Cisco NCS 4200 Series Configuration Manual

Configuring MAC Address Security on Service Instances and EVC Port Channels

On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more permitted MAC addresses.

For each permitted address, eligibility tests are performed and after the address passes these tests, it is either:
• Programmed into the MAC address table of the bridge domain, if MAC security is enabled on the service instance or,
• Stored in an area of memory referred to as "MAC table cache" if MAC security is not enabled on the service instance. When MAC security is enabled, the addresses from the MAC table cache are added to the MAC address table as secure addresses.

The eligibility tests performed when a user tries to add a MAC address to the permit list on a service instance are as follows:
• If the address is already a denied address on the service instance, the configuration is rejected with an appropriate error message.
• If the acceptance of this address would increase the secure address count on the service instance beyond the maximum number allowed, an attempt is made to make room by removing an existing address from the MAC address table. The only candidate for removal is a dynamically learned address on the service instance. If sufficient room cannot be made, the configuration is rejected. If the acceptance of this address would increase the secure address count on the bridge domain beyond the maximum number allowed, an attempt is made to make room by removing an existing address from the MAC address table. The only candidate for removal is a dynamically learned address on the service instance. If room cannot be made, the configuration is rejected.

Note
Default maximum address is '1' for a service instance.

• If the address is already permitted on another service instance in the same bridge domain, one of the following actions occurs:
  • If the conflicting service instance has MAC security configured, the configuration is rejected with an appropriate error message.
  • If the conflicting service instance does not have MAC security configured, the configuration is accepted silently. (If the operator attempts to enable MAC security on the conflicting service instance, that attempt fails.)

MAC Address Deny List

A deny list is a set of MAC addresses that are not permitted on a service instance. An attempt to learn a denied MAC address will fail. On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more denied MAC addresses. The arrival of a frame with a source MAC address that is part of a deny list will trigger a violation response.

Before a denied address can be configured, the following test is performed:
• If the address is already configured as a permitted address on the specific service instance or if the address has been learned and saved as a sticky address on the service instance, the configuration is rejected with an appropriate error message.
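The permit-list eligibility tests, the deny-list test and the silent-accept/enable-fails interaction described above can be exercised as a small model. The code below is an added illustration, not Cisco code and not the device's implementation; the class and method names (ServiceInstance, BridgeDomain, add_permitted, add_denied, enable_mac_security, frame_arrived), the bridge-domain-wide maximum and the sample MAC addresses are assumptions made to show the decision logic. It also assumes that, on a secured instance, the "secure address count" covers every address in the table owned by that instance, which is why evicting a dynamically learned address makes room.

```python
from dataclasses import dataclass, field


@dataclass
class ServiceInstance:
    name: str
    mac_security: bool = False
    max_addresses: int = 1        # page: default maximum is 1 per service instance
    permitted: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    sticky: set = field(default_factory=set)
    cache: set = field(default_factory=set)   # "MAC table cache" while security is off


@dataclass
class BridgeDomain:
    max_addresses: int                        # assumed bridge-domain-wide maximum
    instances: dict = field(default_factory=dict)
    # MAC address table: mac -> (owning service instance, "secure" | "dynamic")
    table: dict = field(default_factory=dict)

    def count(self, inst_name=None):
        """Table entries owned by one secured instance (or by all secured instances)."""
        return sum(1 for owner, _ in self.table.values()
                   if self.instances[owner].mac_security
                   and (inst_name is None or owner == inst_name))

    def _make_room(self, inst):
        # The only eviction candidate is a dynamically learned address on this instance.
        for mac, (owner, kind) in list(self.table.items()):
            if owner == inst.name and kind == "dynamic":
                del self.table[mac]
                return True
        return False

    def add_permitted(self, inst_name, mac):
        inst = self.instances[inst_name]
        # Test 1: a denied address cannot also be permitted.
        if mac in inst.denied:
            return "rejected: address is on the deny list"
        # Test 2: per-instance and per-bridge-domain maximums (assumed to apply
        # only when security is on; otherwise the address only goes to the cache).
        if inst.mac_security:
            if self.count(inst.name) + 1 > inst.max_addresses and not self._make_room(inst):
                return "rejected: service instance maximum reached"
            if self.count() + 1 > self.max_addresses and not self._make_room(inst):
                return "rejected: bridge domain maximum reached"
        # Test 3: conflict with another instance in the same bridge domain.
        for other in self.instances.values():
            if other is not inst and mac in other.permitted and other.mac_security:
                return f"rejected: already permitted on secured instance {other.name}"
        inst.permitted.add(mac)            # an unsecured conflict is accepted silently
        if inst.mac_security:
            self.table[mac] = (inst.name, "secure")
        else:
            inst.cache.add(mac)
        return "accepted"

    def add_denied(self, inst_name, mac):
        inst = self.instances[inst_name]
        # Deny-list test: not already permitted or saved as sticky on this instance.
        if mac in inst.permitted or mac in inst.sticky:
            return "rejected: address is permitted or sticky on this instance"
        inst.denied.add(mac)
        return "accepted"

    def enable_mac_security(self, inst_name):
        inst = self.instances[inst_name]
        # Enabling fails if a cached address is already secured on another instance.
        for mac in inst.cache:
            if mac in self.table and self.table[mac][0] != inst.name:
                return "failed: address secured elsewhere"
        inst.mac_security = True
        for mac in inst.cache:             # cache entries become secure addresses
            self.table[mac] = (inst.name, "secure")
        inst.cache.clear()
        return "enabled"

    def frame_arrived(self, inst_name, mac):
        """Source-MAC learning: a denied address triggers a violation response."""
        if mac in self.instances[inst_name].denied:
            return "violation"
        self.table.setdefault(mac, (inst_name, "dynamic"))
        return "learned"


def run_scenario():
    """Constructed sample: two secured instances and one unsecured one in a bridge domain."""
    bd = BridgeDomain(max_addresses=4)
    for si in (ServiceInstance("si-10", mac_security=True, max_addresses=2),
               ServiceInstance("si-20"),
               ServiceInstance("si-30", mac_security=True, max_addresses=2)):
        bd.instances[si.name] = si
    out = {}
    out["deny"] = bd.add_denied("si-10", "00:11:22:33:44:01")
    out["permit_denied"] = bd.add_permitted("si-10", "00:11:22:33:44:01")   # test 1
    out["violation"] = bd.frame_arrived("si-10", "00:11:22:33:44:01")
    out["learn"] = bd.frame_arrived("si-10", "00:11:22:33:44:02")          # dynamic entry
    out["permit_a"] = bd.add_permitted("si-10", "00:11:22:33:44:03")        # fits
    out["permit_b"] = bd.add_permitted("si-10", "00:11:22:33:44:04")        # evicts :02
    out["permit_c"] = bd.add_permitted("si-10", "00:11:22:33:44:05")        # nothing to evict
    out["cache"] = bd.add_permitted("si-20", "00:11:22:33:44:06")           # goes to cache
    out["silent"] = bd.add_permitted("si-30", "00:11:22:33:44:06")          # silent accept
    out["enable"] = bd.enable_mac_security("si-20")                         # fails
    out["conflict"] = bd.add_permitted("si-30", "00:11:22:33:44:03")        # secured conflict
    out["deny_permitted"] = bd.add_denied("si-10", "00:11:22:33:44:03")
    out["table"] = sorted(bd.table)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:15} {result}")
```

Running the scenario shows each test firing in turn: the permit of a denied address is rejected, the third permitted address on si-10 is accepted only because a dynamically learned entry could be evicted, the fourth is rejected, the address permitted on the unsecured si-20 is silently accepted on si-30 and then blocks enabling security on si-20.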
Layer 2 Configuration Guide for Cisco NCS 4200 Series