Configuring Evc Mac Security - Cisco 3845 - Security Bundle Router Software Manual

Configuring EVC MAC Security

Beginning in privileged EXEC mode, follow these steps to disable the flooding of unicast and Layer 2
multicast packets out of an interface:
Command
Step 1 configure terminal
Step 2 interface interface-id
Step 3
switchport block multicast
Step 4 switchport block unicast
Step 5 end
Step 6 show interfaces interface-id switchport
Step 7 copy running-config startup-config
To return the interface to the default condition where no traffic is blocked and normal forwarding occurs
on the port, use the no switchport block {multicast | unicast} interface configuration commands.
This example shows how to block unicast and Layer 2 multicast flooding on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Configuring EVC MAC Security
You can use the Ethernet Virtual Connection (EVC) MAC security feature to restrict input to an Ethernet
flow point (EFP) service instance by limiting and identifying MAC addresses of the stations allowed
accessing the EFP. When you assign secure MAC addresses to a secured EFP, the EFP does not forward
packets with source addresses outside the group of defined addresses.
If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the
workstation attached to that EFP is assured the full bandwidth of the port.
You can enter the mac security maximum addresses service-instance command to configure an upper
limit for the number of secure MAC addresses allowed on an EFP, including permitted addresses,
dynamically learned addresses, and sticky addresses. If you do not configure an upper limit, the default
number of secured MAC addresses is 1.
If an EFP is configured as a secure EFP and the maximum number of secure MAC addresses is reached,
when the MAC address of a station attempting to access the EFP is different from any of the identified
secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address
configured or learned on one secure EFP attempts to access another secure EFP, a violation is flagged.
These sections contain this conceptual and configuration information:
•
•
Cisco ME 3800X and 3600X Switch Software Configuration Guide
19-6
Understanding MAC Security, page 19-7
Default EVC MAC Security Configuration, page 19-8
Purpose
Enter global configuration mode.
Specify the interface to be configured, and enter interface
configuration mode.
Block unknown multicast forwarding out of the port.
Only pure Layer 2 multicast traffic is blocked. Multicast
Note
packets that contain IPv4 or IPv6 information in the
header are not blocked.
Block unknown unicast forwarding out of the port.
Return to privileged EXEC mode.
Verify your entries.
(Optional) Save your entries in the configuration file.
Chapter 19 Configuring Traffic Control
OL-23400-01