Mac Move And Mac Locking - Cisco ASR 920 Series Configuration Manual Ethernet Router


Violation Response Configuration
Table 7: Bridge-Domain and Service-Instance MAC Address Limit

Bridge-Domain / Service-Instance Number    MAC Address Limit
Bridge Domain 1000                         20
Service Instance 1001                      5
Service Instance 1002                      10
Service Instance 1003                      To be configured

If you wish to configure MAC security on service instance 1003, any value can be configured for the maximum
count. For example:
service instance 1003 ethernet
 bridge-domain 1
 mac security
 mac security maximum addresses 35
A MAC address limit of 35 is permitted, even though the total MAC address limit for the three service instances
(5 + 10 + 35) would exceed the count (20) configured on the bridge domain. Note that during actual operation,
the bridge domain limit of 20 is in effect. The dynamic secure address count cannot exceed the lowest count
applicable, so it is not possible for service instance 1003 to learn 35 addresses.

MAC Move and MAC Locking

If a MAC address is present in the MAC address table for a service instance (for example, service instance 1) on which MAC security is configured, the same MAC address cannot be learned on another service instance (for example, service instance 2) in the same bridge domain.

If service instance 2 attempts to learn the same MAC address, the violation response configured on service instance 2 is triggered. If MAC security is not configured on service instance 2 and a violation response is not configured, the "shutdown" response sequence is triggered on service instance 2.

If MAC security is not enabled on service instance 1, the violation is not triggered. Service instance 2 learns the MAC address and moves it from service instance 1.

For some platforms, MAC address moves are allowed but moves between secured service instances and nonsecured service instances cannot be detected.

For example, if you do not configure MAC security on service instance 2 because of a hardware limitation, a MAC move from secured service instance 1 to service instance 2 is accepted. Therefore, it is recommended that all service instances within the same bridge-domain be configured as secured service instances.
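
The recommendation above, together with the earlier rule that the lowest applicable MAC address limit is the one in effect, can be checked against a saved configuration. The following Python script is an added example, not code from the Cisco manual: the sample configuration is constructed, service instance 1004 is hypothetical, bridge-domain limits are passed in by the caller, and service instance IDs are assumed to be unique within the parsed text.

```python
import re

# Constructed, abridged sample config (not from the manual). Service instance
# 1004 is hypothetical and deliberately left without MAC security.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 service instance 1002 ethernet
  bridge-domain 1000
  mac security
  mac security maximum addresses 10
 service instance 1003 ethernet
  bridge-domain 1000
  mac security
  mac security maximum addresses 35
 service instance 1004 ethernet
  bridge-domain 1000
"""

def parse_service_instances(config):
    """Map service instance id -> its bridge domain and MAC security settings."""
    instances, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"service instance (\d+) ethernet", line):
            current = instances.setdefault(
                int(m.group(1)), {"bd": None, "secured": False, "max": None})
        elif line.startswith("interface "):
            current = None  # left the previous service instance's scope
        elif current is None:
            continue
        elif m := re.fullmatch(r"bridge-domain (\d+)", line):
            current["bd"] = int(m.group(1))
        elif line == "mac security":
            current["secured"] = True
        elif m := re.fullmatch(r"mac security maximum addresses (\d+)", line):
            current["max"] = int(m.group(1))
    return instances

def audit(config, bd_limits):
    """bd_limits maps bridge domain -> MAC limit (caller-supplied assumption)."""
    findings = []
    for si, cfg in sorted(parse_service_instances(config).items()):
        if cfg["bd"] is not None and not cfg["secured"]:
            findings.append((si, "mac security not configured"))
        bd_limit = bd_limits.get(cfg["bd"])
        if cfg["max"] is not None and bd_limit is not None and bd_limit < cfg["max"]:
            findings.append((si, f"configured {cfg['max']}, effective {bd_limit}"))
    return findings

print(audit(SAMPLE_CONFIG, {1000: 20}))
```

With the bridge-domain limit of 20 from Table 7, the audit reports that service instance 1003 can never reach its configured 35 addresses and that service instance 1004 would accept a MAC move without triggering a violation.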
Violation Response Configuration
A violation response is a response to a MAC security violation or a failed attempt to dynamically learn a MAC
address due to an address violation. MAC security violations are of two types:
Type 1 Violation -- The address of the ingress frame cannot be dynamically learned due to a deny list, or because doing so would cause the maximum number of secure addresses to be exceeded (see the MAC Address Limiting and Learning, on page 84).

Carrier Ethernet Configuration Guide (Cisco ASR 920 Series)
Configuring MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels
