Mac Address Security Guidelines; Enabling And Configuring Evc Mac Security - Cisco 3845 - Security Bundle Router Software Manual

Software configuration guide

Chapter 19
Configuring Traffic Control

MAC Address Security Guidelines

MAC security is disabled by default on an EFP. When MAC security is disabled on an EFP, you can configure MAC security functions, but they do not become operational until you enable MAC security.

A secured EFP is one on which MAC security is enabled.

A secured MAC address is one that is configured or learned.

A secured bridge domain is one on which MAC security is enabled.

Secured EFP learned MAC addresses are kept in both the EVC MAC security table and the system MAC address table. Secured addresses are aged out by the configured MAC security aging process.

When you enable MAC security on an EFP by entering the mac security service-instance configuration command, the existing MAC addresses on the EFP that were dynamically learned are removed, and configured MAC addresses and sticky MAC address entries are added to the EVC MAC security table.

When you remove an EFP from a bridge domain or move an EFP to a new bridge domain, all MAC addresses for the EFP are removed from the MAC address table.

A MAC locking condition occurs when a MAC move occurs and a MAC entry already exists for an EFP in a given bridge domain, and the same MAC address is received on a different EFP in the bridge domain. If the move takes place from one secured EFP to another secured EFP, the move is not allowed and the configured violation action occurs. A move between a secured and non-secured EFP is allowed because no violation occurs.

Enabling and Configuring EVC MAC Security

For detailed information about the commands, see the Cisco IOS Carrier Ethernet Command Reference at:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html

Beginning in privileged EXEC mode, follow these steps to configure MAC security on an EFP:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: interface interface-id
Purpose: Specify the interface to be configured, and enter interface configuration mode.

Step 3
Command: switchport mode trunk
Purpose: Configure the interface as a trunk port, required for EFP configuration.

Step 4
Command: switchport trunk allowed vlan none
Purpose: Configure the interface to have no allowed VLANs.

Step 5
Command: service instance number ethernet [name]
Purpose: Configure an EFP (service instance) and enter service instance configuration mode.
The number is the EFP identifier, an integer from 1 to 4000.
(Optional) ethernet name is the name of a previously configured Ethernet virtual connection (EVC). You do not need to use an EVC name in a service instance.

Cisco ME 3800X and 3600X Switch Software Configuration Guide
OL-23400-01
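The enabling behaviour and the MAC locking rule from the MAC address security guidelines above, as an added Python model that is not Cisco code and not part of the original manual. The EFP numbers, MAC addresses, result strings and the handling of an allowed move are assumptions made for illustration.

```python
# Simplified model of the guidelines on this page; not Cisco code.
# EFP numbers, MAC addresses and result strings are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Efp:
    efp_id: int
    bridge_domain: int
    secured: bool = False  # MAC security is disabled by default on an EFP
    dynamic: set = field(default_factory=set)         # dynamically learned
    configured: set = field(default_factory=set)      # configured addresses
    sticky: set = field(default_factory=set)          # sticky entries
    security_table: set = field(default_factory=set)  # EVC MAC security table

    def enable_mac_security(self):
        """Effect of `mac security`: drop dynamic entries, secure configured + sticky."""
        self.dynamic.clear()
        self.security_table = self.configured | self.sticky
        self.secured = True

    def knows(self, mac):
        return mac in self.dynamic or mac in self.security_table


def receive(efps, ingress, mac):
    """Return "violation" or "learned" for source address `mac` seen on `ingress`."""
    for other in efps:
        if other is ingress or other.bridge_domain != ingress.bridge_domain:
            continue
        if other.knows(mac):  # MAC move inside one bridge domain
            if other.secured and ingress.secured:
                return "violation"  # MAC locking: configured violation action applies
            # Assumption: an allowed move drops the old entry, as in a normal MAC move.
            other.dynamic.discard(mac)
            other.security_table.discard(mac)
    (ingress.security_table if ingress.secured else ingress.dynamic).add(mac)
    return "learned"


def demo():
    a = Efp(1, 10, configured={"0000.5e00.5301"}, sticky={"0000.5e00.5302"},
            dynamic={"0000.5e00.5399"})
    b, c = Efp(2, 10), Efp(3, 10)
    a.enable_mac_security()  # 5399 is flushed; 5301 and 5302 become secured
    c.enable_mac_security()
    efps = [a, b, c]
    return [receive(efps, c, "0000.5e00.5301"),   # secured -> secured
            receive(efps, b, "0000.5e00.5302")]   # secured -> non-secured
```

Calling `demo()` returns the outcome of a secured-to-secured move followed by a secured-to-non-secured move in the same bridge domain.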
